diff --git a/browsers/edge/breadcrumb/toc.yml b/browsers/edge/breadcrumb/toc.yml
index f417737985..83065b36a9 100644
--- a/browsers/edge/breadcrumb/toc.yml
+++ b/browsers/edge/breadcrumb/toc.yml
@@ -1,7 +1,3 @@
-- name: Docs
- tocHref: /
- topicHref: /
- items:
- - name: Microsoft Edge deployment
- tocHref: /microsoft-edge/deploy
- topicHref: /microsoft-edge/deploy/index
\ No newline at end of file
+- name: Microsoft Edge
+ tocHref: /microsoft-edge/
+ topicHref: /microsoft-edge/index
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index d786e0bbfb..d36533a87e 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -28,7 +28,7 @@
 ],
 "globalMetadata": {
 "recommendations": true,
- "breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json",
+ "breadcrumb_path": "/microsoft-edge/breadcrumbs/toc.json",
 "ROBOTS": "INDEX, FOLLOW",
 "ms.technology": "microsoft-edge",
 "audience": "ITPro",
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
index 1a51b8977a..912ce707bd 100644
--- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
+++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
@@ -1,7 +1,7 @@
 ---
 author: aczechowski
 ms.author: aaroncz
-ms.date: 10/27/2022
+ms.date: 12/16/2022
 ms.reviewer: cathask
 manager: aaroncz
 ms.prod: ie11
@@ -9,6 +9,8 @@ ms.topic: include --- > [!WARNING] -> The retired, out-of-support Internet Explorer 11 (IE11) desktop application will be permanently disabled on certain versions of Windows 10 as part of the February 2023 Windows security update ("B") release scheduled for February 14, 2023. We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization doesn't experience business disruption. +> **Update:** The retired, out-of-support Internet Explorer 11 desktop application is scheduled to be permanently disabled through a Microsoft Edge update on certain versions of Windows 10 on February 14, 2023. > -> For more information, see [aka.ms/iemodefaq](https://aka.ms/iemodefaq). +> We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization does not experience business disruption. +> +> For more information, see [Internet Explorer 11 desktop app retirement FAQ](https://aka.ms/iemodefaq). diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index c0a273e836..ca2950ff0a 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md 
@@ -2,51 +2,9 @@ -## Week of September 19, 2022 +## Week of December 12, 2022 | Published On |Topic title | Change | |------|------------|--------| -| 9/20/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified | - - -## Week of September 12, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 9/13/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | -| 9/14/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified | -| 9/14/2022 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified | - - -## Week of September 05, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 9/8/2022 | [Education scenarios Microsoft Store for Education](/education/windows/education-scenarios-store-for-business) | modified | -| 9/8/2022 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified | -| 9/8/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified | -| 9/9/2022 | [Take tests in Windows](/education/windows/take-tests-in-windows-10) | modified | - - -## Week of August 29, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 8/31/2022 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added | -| 8/31/2022 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added | -| 8/31/2022 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added | -| 8/31/2022 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added | -| 8/31/2022 | 
[Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added | -| 8/31/2022 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added | -| 8/31/2022 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added | -| 8/31/2022 | [Introduction](/education/windows/tutorial-school-deployment/index) | added | -| 8/31/2022 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added | -| 8/31/2022 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added | -| 8/31/2022 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added | -| 8/31/2022 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added | -| 8/31/2022 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added | -| 8/31/2022 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added | +| 12/13/2022 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified | diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index ab2424149b..023393a04f 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md 
@@ -42,7 +42,7 @@ Stickers aren't enabled by default. Follow the instructions below to configure y [!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)] > [!TIP] -> Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. +> Use the following Graph call to automatically create the custom policy in your tenant without assignments nor scope tags. [1](#footnote1) ```msgraph-interactive POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations @@ -51,6 +51,8 @@ Content-Type: application/json {"id":"00-0000-0000-0000-000000000000","displayName":"_MSLearn_Stickers","roleScopeTagIds":["0"],"@odata.type":"#microsoft.graph.windows10CustomConfiguration","omaSettings":[{"omaUri":"./Vendor/MSFT/Policy/Config/Stickers/EnableStickers","displayName":"EnableStickers","@odata.type":"#microsoft.graph.omaSettingInteger","value":1}]} ``` +1 When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. + #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg) To configure devices using a provisioning package, [create a provisioning package][WIN-1] using Windows Configuration Designer (WCD) with the following settings: @@ -78,8 +80,6 @@ Multiple stickers can be added from the picker by selecting them. The stickers c Select the *X button* at the top of the screen to save your progress and close the sticker editor. ------------ - [MEM-1]: /mem/intune/configuration/custom-settings-windows-10 [WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package 
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 654b8d7eca..efb6644b18 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -82,6 +82,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | Application | Supported version | App Type | Vendor | |-----------------------------------------|-------------------|----------|------------------------------| | 3d builder | 15.2.10821.1070 | Win32 | Microsoft | +|Absolute Software Endpoint Agent | 7.20.0.1 | Win32 | Absolute Software Corporation| | AirSecure | 8.0.0 | Win32 | AIR | | Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies | | Brave Browser | 106.0.5249.65 | Win32 | Brave | @@ -96,7 +97,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation | | Duo from Cisco | 2.25.0 | Win32 | Cisco | | e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking | -|Epson iProjection | 3.31 | Win32 | Epson | +| Epson iProjection | 3.31 | Win32 | Epson | | eTests | 4.0.25 | Win32 | CASAS | | FortiClient | 7.2.0.4034+ | Win32 | Fortinet | | Free NaturalReader | 16.1.2 | Win32 | Natural Soft | 
@@ -106,9 +107,9 @@ The following applications can also run on Windows 11 SE, and can be deployed us | Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education | | Immunet | 7.5.0.20795 | Win32 | Immunet | | Impero Backdrop Client | 4.4.86 | Win32 | Impero Software | -| Inspiration 10 | 10.11 | Win32 | Inspiration Software, Inc. | +| Inspiration 10 | 10.11 | Win32 | TechEdology Ltd | | JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific | -| Kite Student Portal | 8.0.3.0 | Win32 | Dynamic Learning Maps | +| Kite Student Portal | 9.0.0.0 | Win32 | Dynamic Learning Maps | | Kortext | 2.3.433.0 | Store | Kortext | | Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems | | LanSchool Classic | 9.1.0.46 | Win32 | Stoneware, Inc. | @@ -134,6 +135,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus | | Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser | | Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud | +| Smoothwall Monitor | 2.8.0 | Win32 | Smoothwall Ltd | SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access | | SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access | | VitalSourceBookShelf | 10.2.26.0 | Win32 | VitalSource Technologies Inc | diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index ef26f2ef61..63c5843f83 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -8,7 +8,7 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: +ms.date: 4/5/2022 --- # Device HealthAttestation CSP diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md index 19f6591fde..5d80bf89fd 100644 
--- a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md @@ -2,15 +2,14 @@ title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diagnose/Solve feature UI manager: aaroncz description: Elixir images read me file -keywords: updates, downloads, network, bandwidth ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: nidos -ms.localizationpriority: medium ms.author: nidos ms.topic: article ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Read Me diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md index cba66fa1b9..11915236a8 100644 --- a/windows/deployment/do/mcc-enterprise-appendix.md +++ b/windows/deployment/do/mcc-enterprise-appendix.md @@ -5,9 +5,9 @@ description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Educ ms.prod: windows-client author: amymzhou ms.author: amyzhou -ms.localizationpriority: medium ms.topic: article ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Appendix diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index 38883390d1..c39e4b5a84 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -4,10 +4,10 @@ manager: dougeby description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node ms.prod: windows-client author: amymzhou -ms.localizationpriority: medium ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Deploying your cache node diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md index 6689c75109..fac81254f0 100644 --- a/windows/deployment/do/mcc-enterprise-prerequisites.md +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md 
@@ -4,10 +4,10 @@ manager: dougeby description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education. ms.prod: windows-client author: amymzhou -ms.localizationpriority: medium ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Requirements of Microsoft Connected Cache for Enterprise and Education (early preview) diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md index 0027211ca3..83882c952c 100644 --- a/windows/deployment/do/mcc-enterprise-update-uninstall.md +++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md @@ -4,10 +4,10 @@ manager: dougeby description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education. ms.prod: windows-client author: amymzhou -ms.localizationpriority: medium ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Update or uninstall Microsoft Connected Cache for Enterprise and Education diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md index b1100441f0..8d8bc76577 100644 --- a/windows/deployment/do/mcc-isp-cache-node-configuration.md +++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md @@ -2,15 +2,12 @@ title: Cache node configuration manager: aaroncz description: Configuring a cache node on Azure portal -keywords: updates, downloads, network, bandwidth ms.prod: windows-client -ms.mktglfcycl: deploy -audience: itpro author: amyzhou -ms.localizationpriority: medium ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Cache node configuration diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index ca7cd23cf6..aa7180c750 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md 
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -2,15 +2,12 @@ title: Create, provision, and deploy the cache node in Azure portal manager: aaroncz description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal -keywords: updates, downloads, network, bandwidth ms.prod: windows-client -ms.mktglfcycl: deploy -audience: itpro author: nidos -ms.localizationpriority: medium ms.author: nidos ms.topic: article ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Create, Configure, provision, and deploy the cache node in Azure portal diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index a50448410d..9c4a778d6c 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml @@ -2,23 +2,19 @@ metadata: title: Microsoft Connected Cache Frequently Asked Questions description: The following article is a list of frequently asked questions for Microsoft Connected Cache. - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: amymzhou ms.author: amymzhou manager: aaroncz ms.collection: - - M365-security-compliance - highpri ms.topic: faq ms.date: 09/30/2022 ms.prod: windows-client + ms.technology: itpro-updates title: Microsoft Connected Cache Frequently Asked Questions summary: | **Applies to** - - Windows 10 - - Windows 11 + - Windows 10 and later sections: - name: Ignored diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index e1e0134c06..e53324e321 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md 
@@ -2,15 +2,14 @@ title: Operator sign up and service onboarding manager: aaroncz description: Service onboarding for Microsoft Connected Cache for ISP -keywords: updates, downloads, network, bandwidth ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: nidos -ms.localizationpriority: medium ms.author: nidos ms.topic: article ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Operator sign up and service onboarding for Microsoft Connected Cache diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md index 31e3d1ae9b..a10e0f5a63 100644 --- a/windows/deployment/do/mcc-isp-support.md +++ b/windows/deployment/do/mcc-isp-support.md @@ -2,14 +2,13 @@ title: Support and troubleshooting manager: aaroncz description: Troubleshooting issues for Microsoft Connected Cache for ISP -keywords: updates, downloads, network, bandwidth ms.prod: windows-client audience: itpro author: nidos -ms.localizationpriority: medium ms.author: nidos ms.topic: reference ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Support and troubleshooting diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md index 87ce60fb38..2e74cc5a44 100644 --- a/windows/deployment/do/mcc-isp-update.md +++ b/windows/deployment/do/mcc-isp-update.md @@ -2,15 +2,14 @@ title: Update or uninstall your cache node manager: aaroncz description: How to update or uninstall your cache node -keywords: updates, downloads, network, bandwidth ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: amyzhou -ms.localizationpriority: medium ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Update or uninstall your cache node diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md index 42bd92657e..da0003c24f 100644 --- a/windows/deployment/do/mcc-isp-verify-cache-node.md 
+++ b/windows/deployment/do/mcc-isp-verify-cache-node.md @@ -4,13 +4,12 @@ manager: aaroncz description: How to verify the functionality of a cache node keywords: updates, downloads, network, bandwidth ms.prod: windows-client -ms.mktglfcycl: deploy audience: itpro author: amyzhou -ms.localizationpriority: medium ms.author: amyzhou ms.topic: article ms.date: 12/31/2017 +ms.technology: itpro-updates --- # Verify cache node functionality and monitor health and performance diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md index 0152161e0c..9316c9a5af 100644 --- a/windows/deployment/do/mcc-isp-vm-performance.md +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -2,14 +2,11 @@ title: Enhancing VM performance manager: aaroncz description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs -keywords: updates, downloads, network, bandwidth ms.prod: windows-client -ms.mktglfcycl: deploy -audience: itpro author: amyzhou -ms.localizationpriority: medium ms.author: amyzhou ms.topic: reference +ms.technology: itpro-updates ms.date: 12/31/2017 --- diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 89d2d5567f..0827ee5979 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -2,28 +2,20 @@ metadata: title: Delivery Optimization Frequently Asked Questions description: The following is a list of frequently asked questions for Delivery Optimization. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: aaroncz ms.prod: windows-client - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: carmenf ms.author: carmenf manager: dougeby - audience: ITPro + ms.technology: itpro-updates ms.collection: - - M365-security-compliance - highpri ms.topic: faq ms.date: 08/04/2022 - ms.custom: seo-marvel-apr2020 title: Delivery Optimization Frequently Asked Questions summary: | **Applies to** - - Windows 10 - - Windows 11 + - Windows 10 and later sections: diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 44d780e141..44ace484d1 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -1,16 +1,15 @@ --- title: Set up Delivery Optimization -ms.reviewer: -manager: dougeby description: In this article, learn how to set up Delivery Optimization. -ms.prod: windows-client author: carmenf -ms.localizationpriority: medium ms.author: carmenf -ms.topic: article -ms.custom: seo-marvel-apr2020 +ms.reviewer: mstewart +manager: aaroncz +ms.prod: windows-client ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.localizationpriority: medium +ms.topic: how-to +ms.date: 12/19/2022 --- # Set up Delivery Optimization for Windows 
@@ -28,7 +27,7 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op You will find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**. -Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/intune/delivery-optimization-windows). +Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows). **Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. @@ -68,7 +67,7 @@ For this scenario, grouping devices by domain allows devices to be included in p To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DODownloadMode to 1 or 2. +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to 1 or 2. ### Hub and spoke topology with boundary groups 
@@ -76,10 +75,10 @@ The default download mode setting is **1**; this means all devices breaking out To do this in Group Policy go to ****Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**. +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**. > [!NOTE] -> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). +> For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). ### Large number of mobile devices @@ -87,7 +86,7 @@ If you have a mobile workforce with a great many mobile devices, set Delivery Op To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60. -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinBatteryPercentageAllowedToUpload** to 60. +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominbatterypercentageallowedtoupload) to 60. ### Plentiful free space and large numbers of devices 
@@ -97,7 +96,7 @@ Many devices now come with large internal drives. You can set Delivery Optimizat To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices). -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DOMinFileSizeToCache** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). ### Lab scenario @@ -105,7 +104,7 @@ In a lab situation, you typically have a large number of devices that are plugge To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days). -To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days). +To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days). diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 3fc8a55190..6263da1c9b 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md 
@@ -51,4 +51,4 @@ The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-too - [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode) - [S mode devices](https://www.microsoft.com/windows/view-all-devices) - [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) -- [Microsoft Defender for Endpoint](/microsoft-365/windows/microsoft-defender-atp) +- [Microsoft Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 4611f04b9f..b48ff94e98 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -39,6 +39,9 @@ This article covers the following information: For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). +> [!NOTE] +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another might want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f, from their device compliance policy. + ## Subscription activation for Enterprise Windows Enterprise E3 and E5 are available as online services via subscription. You can deploy Windows Enterprise in your organization without keys and reboots. diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml index fe94531f9b..1f245af013 100644 --- a/windows/deployment/windows-autopatch/index.yml +++ b/windows/deployment/windows-autopatch/index.yml 
@@ -13,6 +13,7 @@ metadata: ms.date: 05/30/2022 #Required; mm/dd/yyyy format. ms.custom: intro-hub-or-landing ms.prod: windows-client + ms.technology: itpro-updates ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index fbf827b7a7..6f8dfbcded 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -63,10 +63,10 @@ When releasing a feature update, there are two policies that are configured by t | Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period | | ----- | ----- | ----- | ----- | ----- | -| Test | 21H2 | 0 | 5 | 0 | -| First | 21H2 | 0 | 5 | 2 | -| Fast | 21H2 | 0 | 5 | 2 | -| Broad | 21H2 | 0 | 5 | 2 | +| Test | 20H2 | 0 | 5 | 0 | +| First | 20H2 | 0 | 5 | 2 | +| Fast | 20H2 | 0 | 5 | 2 | +| Broad | 20H2 | 0 | 5 | 2 | > [!NOTE] > Customers are not able to select a target version for their tenant. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index dd16d441df..718e1126b8 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 08/08/2022 +ms.date: 12/15/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual 
@@ -58,33 +58,33 @@ Threat and vulnerability information about a new revision of Windows becomes ava When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update as quickly. -### Turn off service-driven expedited quality update releases - -Windows Autopatch provides the option to turn off of service-driven expedited quality updates. - -**To turn off service-driven expedited quality updates:** - -1. Go to **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Tenant administration**. -2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited Quality Updates** setting. - | Release type | Group | Deferral | Deadline | Grace period | | ----- | ----- | ----- | ----- | ----- | | Standard release | Test

First

Fast

Broad | 0

1

6

9 | 0

2

2

5 | 0

2

2

2 | | Expedited release | All devices | 0 | 1 | 1 | +### Turn off service-driven expedited quality update releases + +Windows Autopatch provides the option to turn off of service-driven expedited quality updates. + +**To turn off service-driven expedited quality updates:** + +1. Go to **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**. +2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited Quality Updates** setting. + > [!NOTE] > Windows Autopatch doesn't allow customers to request expedited releases. ## Out of Band releases -Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule. You can view the deployed OOB quality updates in the **Release Management** blade in the **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)**. +Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule. You can view the deployed OOB quality updates in the **Release Management** blade in the **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)**. -**To view deployed OOB quality updates:** +**To view deployed Out of Band quality updates:** -1. Go to [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Tenant administration** > **Windows Autopatch** > **Release management**. -2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. +1. Go to [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**. +2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. 
-> [!Note] +> [!NOTE] > Announcements will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused. ## Pausing and resuming a release diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index b9f94b3dc8..da940b07a4 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -11,6 +11,7 @@ metadata: author: tiaraquan ms.author: tiaraquan ms.reviwer: hathind + ms.technology: itpro-updates title: Frequently Asked Questions about Windows Autopatch summary: This article answers frequently asked questions about Windows Autopatch. sections: @@ -45,7 +46,9 @@ sections: - [Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) - Additional pre-requisites for devices managed by Configuration Manager: + + Additional prerequisites for devices managed by Configuration Manager: + - [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements) - [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions) - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) 
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index deea4c3766..0f1ca8d5c4 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -6,7 +6,7 @@ ms.topic: article ms.date: 11/22/2022 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index eebf25ce06..5a35d2853f 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -7,7 +7,7 @@ ms.collection: ms.topic: article appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 88e440512c..c8ed1adc92 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -5,7 +5,7 @@ ms.date: 08/17/2017 ms.topic: article appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # Additional mitigations diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index ba0779a58a..236d6dd432 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md 
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -5,7 +5,7 @@ ms.date: 08/31/2017 ms.topic: article appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # Considerations when using Windows Defender Credential Guard diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md index 3286ad1879..c9ed9e42c7 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md @@ -5,7 +5,7 @@ ms.date: 08/17/2017 ms.topic: conceptual appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # How Windows Defender Credential Guard works diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 5711e1d525..07d9647887 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -5,7 +5,7 @@ ms.topic: article ms.date: 11/28/2022 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Credential Guard: Known issues diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index d148156622..e4eb399ed3 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md 
@@ -7,7 +7,7 @@ ms.collection: ms.topic: article appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # Manage Windows Defender Credential Guard diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index d5c0af8d7c..86b9533f7a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -5,7 +5,7 @@ ms.topic: article ms.date: 08/17/2017 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Credential Guard protection limits and mitigations diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md index 79de8e7f00..42fbe2a663 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md @@ -5,7 +5,7 @@ ms.date: 08/17/2017 ms.topic: article appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Credential Guard protection limits diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 6112d90366..164f0f776e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md 
@@ -5,7 +5,7 @@ ms.date: 12/27/2021 ms.topic: article appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Credential Guard requirements diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 867ad14148..5051ce94cd 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -5,7 +5,7 @@ ms.date: 11/22/2022 ms.topic: reference appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Credential Guard: scripts for certificate authority issuance policies diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index cc86aff4a8..6548d02f17 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -7,7 +7,7 @@ ms.collection: - highpri appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # Protect derived domain credentials with Windows Defender Credential Guard diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index b4e156aa00..d834db9710 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md 
@@ -5,7 +5,7 @@ ms.date: 11/22/2022 ms.topic: reference appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 721ddca258..004083bb85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -1,12 +1,12 @@ --- -title: Azure Active Directory join cloud only deployment -description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. +title: Windows Hello for Business cloud-only deployment +description: Learn how to configure Windows Hello for Business in a cloud-only deployment scenario. ms.date: 06/23/2021 appliesto: - ✅ Windows 10 and later ms.topic: article --- -# Azure Active Directory join cloud only deployment +# Cloud-only deployment [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-cloud.md)] 
@@ -17,7 +17,7 @@ When you Azure Active Directory (Azure AD) join a Windows device, the system pro You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. > [!NOTE] -> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don’t have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. +> During the out-of-box experience (OOBE) flow of an Azure AD join, you will see a provisioning PIN when you don't have Intune. You can always cancel the PIN screen and set this cancellation with registry keys to prevent future prompts. ## Prerequisites @@ -25,7 +25,7 @@ Cloud only deployments will use Azure AD multi-factor authentication (MFA) durin The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment). -Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. +Also note that it's possible for federated domains to enable the *Supports MFA* flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. Check and view this setting with the following MSOnline PowerShell command: diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 485f602211..32dc3ba63e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -4,7 +4,7 @@ description: Guide for planning to have an adequate number of Windows Server 201 ms.date: 08/20/2018 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later ms.topic: article --- # Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 3486c444df..d258d207f7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -1,566 +1,318 @@ --- -title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) -description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. -ms.date: 01/14/2021 +title: Prepare and deploy Active Directory Federation Services in an on-premises certificate trust +description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business certificate trust model. +ms.date: 12/12/2022 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Prepare and Deploy Active Directory Federation Services (AD FS) - -Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS). The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. - -The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. - -If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. 
- -If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. - -Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. - -A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. - -Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. - -> [!NOTE] -> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: -> -> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions". -> 2. Right click "Scope Descriptions" and select "Add Scope Description". -> 3. Under name type "ugs" and Click Apply > OK. -> 4. Launch PowerShell as an administrator. -> 5. 
Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": -> ```PowerShell -> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier -> ``` -> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. -> 7. Restart the AD FS service. -> 8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business. - -## Update Windows Server 2016 - -Sign-in the federation server with _local admin_ equivalent credentials. -1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. -2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). - ->[!IMPORTANT] ->The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. - -## Enroll for a TLS Server Authentication Certificate - -Windows Hello for Business on-premises deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. 
- -The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: - -- Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) -- Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) -- Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com* - -You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. - -You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. - -It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. 
- -Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. - -### Internal Web Server Authentication Certificate Enrollment - -Sign-in the federation server with domain administrator equivalent credentials. - -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png) -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. -9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished. -10. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. 
- -## Deploy the Active Directory Federation Service Role - -The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments: - -- Device registration -- Key registration -- Certificate registration authority (certificate trust deployments) - ->[!IMPORTANT] -> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. - -Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration. - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. - -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** on the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. -7. Click **Next** on the **Select features** page. -8. Click **Next** on the **Active Directory Federation Service** page. -9. Click **Install** to start the role installation. - -## Review & validate +# Prepare and deploy Active Directory Federation Services - on-premises certificate trust [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] +Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. 
The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* and *device registration*. + +The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\ +WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\ +To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. + +A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. + +Prepare the AD FS deployment by installing and **updating** two Windows Servers. + +## Enroll for a TLS server authentication certificate + +Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. + +The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm: + - **Subject Name**: the internal FQDN of the federation server + - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. 
*\*.corp.contoso.com*) + +The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*. + +You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. + +When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. + +Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. +### AD FS authentication certificate enrollment + +Sign-in the federation server with *domain administrator* equivalent credentials. + +1. Start the Local Computer **Certificate Manager** (certlm.msc) +1. Expand the **Personal** node in the navigation pane +1. Right-click **Personal**. Select **All Tasks > Request New Certificate** +1. Select **Next** on the **Before You Begin** page +1. Select **Next** on the **Select Certificate Enrollment Policy** page +1. 
On the **Request Certificates** page, select the **Internal Web Server** check box
+1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link
+ :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link.":::
+1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add**
+1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished
+1. Select **Enroll**
+
+A server authentication certificate should appear in the computer's personal certificate store.
+
+## Deploy the AD FS role
+
+AD FS provides the following services to support Windows Hello for Business on-premises deployments in a certificate trust model:
+
+- Device registration
+- Key registration
+- Certificate registration authority (CRA)
+
+>[!IMPORTANT]
+> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
+
+Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
+
+1. Start **Server Manager**. Select **Local Server** in the navigation pane
+1. Select **Manage > Add Roles and Features**
+1. Select **Next** on the **Before you begin** page
+1. On the **Select installation type** page, select **Role-based or feature-based installation > Next**
+1.
On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next**
+1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next**
+1. Select **Next** on the **Select features** page
+1. Select **Next** on the **Active Directory Federation Service** page
+1. Select **Install** to start the role installation
+
+## Review to validate the AD FS deployment
+
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-- Confirm the AD FS farm uses the correct database configuration.
-- Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load.
-- Confirm **all** AD FS servers in the farm have the latest updates.
-- Confirm all AD FS servers have a valid server authentication certificate.
- - The subject of the certificate is the common name (FQDN) of the host or a wildcard name.
- - The alternate name of the certificate contains a wildcard or the FQDN of the federation service.
+> [!div class="checklist"]
+> * Confirm the AD FS farm uses the correct database configuration
+> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load
+> * Confirm **all** AD FS servers in the farm have the latest updates installed
+> * Confirm all AD FS servers have a valid server authentication certificate
-## Device Registration Service Account Prerequisite
+## Device registration service account prerequisites
-The service account used for the device registration server depends on the domain controllers in the environment.
+The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management.
This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security.
->[!NOTE]
-> Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
+GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
-### Windows Server 2012 or later Domain Controllers
+### Create KDS Root Key
-Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security.
+Sign-in a domain controller with *Enterprise Administrator* equivalent credentials.
-GMSA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GMSA. Before you can create a GMSA, you must first create a root key for the service. You can skip this if your environment already uses GMSA.
-
->[!NOTE]
-> If the [default object creation quota for security principles](/openspecs/windows_protocols/ms-adts/d55ca655-109b-4175-902a-3e9d60833012) is set, you will need to change it for the Group Managed Service Account in order to be able to register new devices.
-
-#### Create KDS Root Key
-
-Sign-in a domain controller with _Enterprise Admin_ equivalent credentials.
-
-1. Start an elevated Windows PowerShell console.
-2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`.
-
-### Windows Server 2008 or 2008 R2 Domain Controllers
-
-Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis.
-
-#### Create an AD FS Service Account
-
-Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
-
-1. Open **Active Directory Users and Computers**.
-2. Right-click the **Users** container, Click **New**. Click **User**.
-3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**.
-4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** check box.
-5. Click **Next** and then click **Finish**.
+Start an elevated PowerShell console and execute the following command:
+```PowerShell
+Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
+```
 ## Configure the Active Directory Federation Service Role
->[!IMPORTANT]
-> Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
+Use the following procedures to configure AD FS.
-### Windows Server 2012 or later Domain Controllers
+Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
-
-Sign-in the federation server with _domain administrator_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
-
-1. Start **Server Manager**.
-2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
-![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
-3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
-4. Click **Next** on the **Connect to Active Directory Domain Services** page.
-5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*.
-6. Select the federation service name from the **Federation Service Name** list.
-7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**.
-8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**.
-9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**.
-10. On the **Review Options** page, click **Next**.
-11. On the **Pre-requisite Checks** page, click **Configure**.
-12. When the process completes, click **Close**.
-
-### Windows Server 2008 or 2008 R2 Domain Controllers
-
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section.
-
-Sign-in the federation server with _domain administrator_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
-
-1. Start **Server Manager**.
-2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
-![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
-3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
-4. Click **Next** on the **Connect to Active Directory Domain Services** page.
-5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net.
-6. Select the federation service name from the **Federation Service Name** list.
-7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**.
-8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**.
-9.
On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**.
-10. On the **Review Options** page, click **Next**.
-11. On the **Pre-requisite Checks** page, click **Configure**.
-12. When the process completes, click **Close**.
-13. Do not restart the AD FS server. You will do this later.
-
-### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group
+1. Start **Server Manager**
+1. Select the notification flag in the upper right corner and select **Configure the federation services on this server**
+1. On the **Welcome** page, select **Create the first federation server farm > Next**
+1. On the **Connect to Active Directory Domain Services** page, select **Next**
+1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com*
+1. Select the federation service name from the **Federation Service Name** list
+1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next**
+1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type *adfssvc*
+1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next**
+1. On the **Review Options** page, select **Next**
+1. On the **Pre-requisite Checks** page, select **Configure**
+1. When the process completes, select **Close**
 > [!NOTE]
-> If you have a Windows Server 2016 domain controller in your domain, you can use the **Key Admins** group instead of **KeyCredential Administrators** and skip the **Configure Permissions for Key Registration** step.
+> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
+>
+> 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions**
+> 2. Right-click **Scope Descriptions** and select **Add Scope Description**
+> 3. Under name type *ugs* and select **Apply > OK**
+> 4. Launch PowerShell as an administrator and execute the following commands:
+> ```PowerShell
+> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
+> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
+> ```
+> 7. Restart the AD FS service
+> 8. Restart the client. User should be prompted to provision Windows Hello for Business
-The **KeyCredential Administrators** global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
+### Add the AD FS service account to the *Key Admins* group
-Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
+During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group.
-1. Open **Active Directory Users and Computers**.
-2. Click the **Users** container in the navigation pane.
-3. Right-click **KeyCredential Admins** in the details pane and click **Properties**.
-4.
Click the **Members** tab and click **Add…**
-5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
-6. Click **OK** to return to **Active Directory Users and Computers**.
-7. Right-click **Windows Hello for Business Users** group
-8. Click the **Members** tab and click **Add…**
-9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
-10. Click **OK** to return to **Active Directory Users and Computers**.
-11. Change to server hosting the AD FS role and restart it.
+Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials.
-### Configure Permissions for Key Registration
+1. Open **Active Directory Users and Computers**
+1. Select the **Users** container in the navigation pane
+1. Right-click **Key Admins** in the details pane and select **Properties**
+1. Select the **Members > Add…**
+1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK**
+1. Select **OK** to return to **Active Directory Users and Computers**
+1. Change to server hosting the AD FS role and restart it
-Key Registration stores the Windows Hello for Business public key in Active Directory. With on-premises deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory.
+Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
-The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
+1. Open the **AD FS management** console
+1. In the navigation pane, expand **Service**. Select **Device Registration**
+1. In the details pane, select **Configure device registration**
+1.
In the **Configure Device Registration** dialog, Select **OK**
-Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
+:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point.":::
-1. Open **Active Directory Users and Computers**.
-2. Right-click your domain name from the navigation pane and click **Properties**.
-3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu).
-4. Click **Advanced**. Click **Add**. Click **Select a principal**.
-5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**.
-6. In the **Applies to** list box, select **Descendant User objects**.
-7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
-8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**.
-9. Click **OK** three times to complete the task.
+Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover.
-## Configure the Device Registration Service
+:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS.":::
-Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
-
-1. Open the **AD FS management** console.
-2. In the navigation pane, expand **Service**. Click **Device Registration**.
-3.
In the details pane, click **Configure Device Registration**. -4. In the **Configure Device Registration** dialog, click **OK**. - -## Review to validate +## Review to validate the AD FS and Active Directory configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you followed the correct procedures based on the domain controllers used in your deployment. - * Windows Server 2012 or Windows Server 2012 R2 - * Windows Server 2008 or Windows Server 2008 R2 -* Confirm you have the correct service account based on your domain controller version. -* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. -* Confirm you used a certificate with the correct names as the server authentication certificate. - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) -* Confirm you granted the AD FS service allow read and write permissions to the ms-DSKeyCredentialLink Active Directory attribute. -* Confirm you enabled the Device Registration service. -## Prepare and Deploy AD FS Registration Authority +> [!div class="checklist"] +> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. 
Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate)
+> * Confirm you added the AD FS service account to the KeyAdmins group
+> * Confirm you enabled the Device Registration service
-A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority.
+## Configure the certificate registration authority
-### Configure Registration Authority template
+The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the certificate registration authority (CRA). The registration authority is responsible for issuing certificates to users and devices. The registration authority is also responsible for revoking certificates when users or devices are removed from the environment.
-The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request.
+Sign-in the AD FS server with *domain administrator* equivalent credentials.
-The registration authority template you configure depends on the AD FS service configuration, which depends on the domain controllers the environment uses for authentication.
+Open a **Windows PowerShell** prompt and type the following command:
->[!IMPORTANT]
->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
-
-#### Windows 2012 or later domain controllers
-
-Sign-in a certificate authority or management workstations with _domain administrator_ equivalent credentials.
-
-1. Open the **Certificate Authority Management** console.
-2. Right-click **Certificate Templates** and click **Manage**.
-3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**.
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
-6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
-
- > [!NOTE]
- > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
-
-7.
On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
-8. On the **Security** tab, click **Add**.
-9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**.
-10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**.
-11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
-12. Close the console.
-
-#### Windows 2008 or 2008R2 domain controllers
-
-Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
-
-1. Open the **Certificate Authority** management console.
-2. Right-click **Certificate Templates** and click **Manage**.
-3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**.
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
-6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected.
Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
-7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
-8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**.
-9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
-10. Close the console.
-
-### Configure the Windows Hello for Business Authentication Certificate template
-
-During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring.
-
-Sign-in a certificate authority or management workstations with _domain administrator equivalent_ credentials.
-
-1. Open the **Certificate Authority** management console.
-2. Right-click **Certificate Templates** and click **Manage**.
-3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box.
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
- > [!NOTE]
- > If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment.
-6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
-7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
-8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box.
- Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option.
-9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
-10. On the **Request Handling** tab, select the **Renew with same key** check box.
-11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
-12. Click the **Windows Hello for Business Users** from the **Group or users names** list.
In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
-13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template.
-14. Click on the **Apply** to save changes and close the console.
-
-#### Mark the template as the Windows Hello Sign-in template
-
-Sign-in to an **AD FS Windows Server 2016** computer with _enterprise administrator_ equivalent credentials.
-
-1. Open an elevated command prompt.
-2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`.
-
->[!NOTE]
->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
-
-### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority
-
-Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
-
-1. Open the **Certificate Authority** management console.
-2. Expand the parent node from the navigation pane.
-3. Click **Certificate Templates** in the navigation pane.
-4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**.
-5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
-6. Publish the **WHFB Authentication** certificate template using step 5.
-7. Close the console.
-
-### Configure the Registration Authority
-
-Sign-in the AD FS server with domain administrator equivalent credentials.
-
-1. Open a **Windows PowerShell** prompt.
-2. Type the following command - ```PowerShell Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication ``` >[!NOTE]
- > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
+ > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates.
-### Enrollment Agent Certificate Enrollment
+### Enrollment agent certificate enrollment
-Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
+AD FS performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
-Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
+Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
-### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service
+## Additional federation servers
-> [!NOTE]
-> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects.
You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)).
+Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
-Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script:
+### Server authentication certificate
-> [!TIP]
-> Make sure to change the $enrollmentService and $configNC variables before running the script.
+Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
-```powershell
-# Replace this with your Device Registration Service endpoint
-$enrollmentService = "enterpriseregistration.contoso.com"
-# Replace this with your Active Directory configuration naming context
-$configNC = "CN=Configuration,DC=corp,DC=contoso,DC=org"
-
-$de = New-Object System.DirectoryServices.DirectoryEntry
-$de.Path = "LDAP://CN=Device Registration Configuration,CN=Services," + $configNC
-
-$deSCP = $de.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint")
-$deSCP.Properties["keywords"].Add("enterpriseDrsName:" + $enrollmentService)
-$deSCP.CommitChanges()
-```
-
->[!NOTE]
-> You can save the modified script in notepad and save them as "add-scpadfs.ps1" and the way to run it is just navigating into the script path folder and running .\add-scpAdfs.ps1.
->
-
-## Additional Federation Servers
-
-Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.
-
-### Server Authentication Certificate
-
-Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
-
-### Install Additional Servers
+### Install additional servers
 Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm.
-## Load Balance AD FS Federation Servers
+## Load balance AD FS
-Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
+Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
 ### Install Network Load Balancing Feature on AD FS Servers
-Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
+Sign-in the federation server with *Enterprise Administrator* equivalent credentials.
-1. Start **Server Manager**. Click **Local Server** in the navigation pane.
-2. Click **Manage** and then click **Add Roles and Features**.
-3. Click **Next** On the **Before you begin** page.
-4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**.
-5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
-6.
On the **Select server roles** page, click **Next**.
-7. Select **Network Load Balancing** on the **Select features** page.
-8. Click **Install** to start the feature installation.
- ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png)
+1. Start **Server Manager**. Select **Local Server** in the navigation pane
+1. Select **Manage** and then select **Add Roles and Features**
+1. Select **Next** On the **Before you begin** page
+1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next**
+1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Select **Next**
+1. On the **Select server roles** page, select **Next**
+1. Select **Network Load Balancing** on the **Select features** page
+1. Select **Install** to start the feature installation
 ### Configure Network Load Balancing for AD FS
-Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
+Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
-Sign-in a node of the federation farm with _Admin_ equivalent credentials.
+Sign-in a node of the federation farm with *Administrator* equivalent credentials.
-1. Open **Network Load Balancing Manager** from **Administrative Tools**.
- ![NLB Manager user interface.](images/hello-nlb-manager.png)
-2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
-3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
- ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png)
-4.
Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
-5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
-6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
- ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png)
-7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
- ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png)
-8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
-9. In Port Rules, click Edit to modify the default port rules to use port 443.
- ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png)
+1. Open **Network Load Balancing Manager** from **Administrative Tools**
+1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster**
+1.
To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect**
+1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance)
+1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next**
+1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next**
+1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster
+1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next**
+1. In Port Rules, select Edit to modify the default port rules to use port 443
 ### Additional AD FS Servers
-1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
-2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host.
Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
- ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png)
+1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster**
+1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same
 ## Configure DNS for Device Registration
-Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
+Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\
+You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
-1. Open the **DNS Management** console.
-2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
-3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
-4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
-5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**.
-6.
Close the DNS Management console.
+1. Open the **DNS Management** console
+1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**
+1. In the navigation pane, select the node that has the name of your internal Active Directory domain name
+1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)**
+1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Select **Add Host**
+1. Right-click the `` node and select **New Alias (CNAME)**
+1. In the **New Resource Record** dialog box, type `enterpriseregistration` in the **Alias** name box
+1. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name. [!NOTE]
+> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.` is present for each suffix.
 ## Configure the Intranet Zone to include the federation service
-The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication.
+The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication.
 ### Create an Intranet Zone Group Policy
-Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials:
-
-1. Start the **Group Policy Management Console** (gpmc.msc).
-2.
Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click **Group Policy object** and select **New**.
-4. Type **Intranet Zone Settings** in the name box and click **OK**.
-5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **Computer Configuration**.
-7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**.
-8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**.
-9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor.
+Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Right-click **Group Policy object** and select **New**
+1. Type **Intranet Zone Settings** in the name box and select **OK**
+1. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and select **Edit**
+1. In the navigation pane, expand **Policies** under **Computer Configuration**
+1. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel >Security Page**. Open **Site to Zone Assignment List**
+1. Select **Enable > Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Select OK twice, then close the Group Policy Management Editor
 ### Deploy the Intranet Zone Group Policy object
-1. Start the **Group Policy Management Console** (gpmc.msc).
-2.
In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…**
-3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…**
+1. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
-## Review
+## Review to validate the configuration
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you configured the correct enrollment agent certificate template based on the type of AD FS service account.
-* Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template.
-* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance.
-* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include:
- * Issuance requirements of an authorized signature from a certificate request agent.
- * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe.
- * The Windows Hello for Business Users group, or equivalent has the allow enroll permissions.
-* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
-* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
-* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
-* Confirm you restarted the AD FS service.
-* Confirm you properly configured load-balancing (hardware or software).
-* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
-* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server.
-## Validating your work
-
-You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account.
-
-> [!IMPORTANT]
-> After following the previous steps, if you are unable to validate that the devices are, in fact, being registered automatically, there is a Group Policy at:
-> **Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration >** "Register Domain Joined Computers As Devices". Set the policy to **Enabled**
-> and the registration will happen automatically.
+> [!div class="checklist"]
+> * Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template
+> * Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance
+> * Confirm you properly configured the Windows Hello for Business authentication certificate template
+> * Confirm all certificate templates were properly published to the appropriate issuing certificate authorities
+> * Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template
+> * Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet
+> Confirm you restarted the AD FS service
+> * Confirm you properly configured load-balancing (hardware or software)
+> * Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
+> * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server.
 ### Event Logs
-Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show:
+Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished.
Once confirmed the AD FS certificate enrollment cycle completed review the *CertificateLifecycle-User* event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show:
-* The account name under which the certificate was enrolled.
-* The action, which should read enroll.
-* The thumbprint of the certificate
-* The certificate template used to issue the certificate.
+- The account name under which the certificate was enrolled
+- The action, which should read enroll
+-_ The thumbprint of the certificate
+- The certificate template used to issue the certificate
-### Normal Service Account
+You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate shown in the event log.
-When using a normal service account, use the Microsoft Management Console (mmc.exe) and load the Certificate Manager snap-in for the service account and verify.
+Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates`.
-### Group Managed Service Account
+Each file in this folder represents a certificate in the service account's Personal store (You may need to use `dir.exe /A` to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate.
-You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate.
Use certutil.exe to view the details of the certificate now shown in the event log.
+For detailed information about the certificate, use `Certutil -q -v `.
-Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` .
-
-Each file in this folder represents a certificate in the service account’s Personal store (You may need to use DIR /A to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate.
-
-For detailed information about the certificate, use `Certutil -q -v ` .
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-
-1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*)
-4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
+> [!div class="nextstepaction"]
+> [Next: validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 6c48751b0b..870fc37596 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
@@ -1,148 +1,128 @@
 ---
-title: Configure Windows Hello for Business Policy settings - certificate trust
-description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings.
+title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
+description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
 ms.collection:
 - highpri
-ms.date: 08/20/2018
+ms.date: 12/12/2022
 appliesto:
-- ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
-ms.topic: article
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.topic: tutorial
 ---
-# Configure Windows Hello for Business Policy settings - Certificate Trust
+# Configure Windows Hello for Business group policy settings - on-premises certificate Trust
 [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
-To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows on a computer running Windows 10 or later.
+On-premises certificate-based deployments of Windows Hello for Business need three Group Policy settings:
+- Enable Windows Hello for Business
+- Use certificate for on-premises authentication
+- Enable automatic enrollment of certificates
-On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
-* Enable Windows Hello for Business
-* Use certificate for on-premises authentication
-* Enable automatic enrollment of certificates
+## Enable Windows Hello for Business group policy setting
-## Enable Windows Hello for Business Group Policy
+The group policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
-The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
+If you configure the group policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the group policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
-If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business .
+## Use certificate for on-premises authentication group policy setting
-## Use certificate for on-premises authentication
+The group policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this group policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. 
If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication.
-The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests.
+You can configure this setting for computer or users. Deploying this setting to computers results in *all* users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence.
-You can configure this Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence. 
+## Enable automatic enrollment of certificates group policy setting
-## Enable automatic enrollment of certificates
+Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
-Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates.
+## Create the GPO
-The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
+Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials.
-## Create the Windows Hello for Business Group Policy object
-
-The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
 1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click **Group Policy object** and select **New**.
-4. Type *Enable Windows Hello for Business* in the name box and click **OK**.
-5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-6. 
In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**).
-7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
-8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
-9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**.
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Right-click **Group Policy object** and select **New**
+1. Type *Enable Windows Hello for Business* in the name box and select **OK**
+1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and select **Edit**
+1. In the navigation pane, select **User Configuration > Policies > Administrative Templates > Windows Component > Windows Hello for Business**
+1. In the content pane, double-click **Use Windows Hello for Business**. Select **Enable** and **OK**
+1. Select **Use certificate for on-premises authentication > Enable > OK**
+1. In the navigation pane, expand **Policies > User Configuration**
+1. Expand **Windows Settings > Security Settings > Public Key Policies**
+1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**
+1. Select **Enabled** from the **Configuration Model** list
+1. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box
+1. Select the **Update certificates that use certificate templates** check box
+1. Select **OK** and close the **Group Policy Management Editor**.
-## Configure Automatic Certificate Enrollment
-
-1. Start the **Group Policy Management Console** (gpmc.msc).
-2. 
Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-4. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**).
-5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
-6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
-7. Select **Enabled** from the **Configuration Model** list.
-8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
-9. Select the **Update certificates that use certificate templates** check box.
-10. Click **OK**. Close the **Group Policy Management Editor**.
-
-## Configure Security in the Windows Hello for Business Group Policy object
+## Configure security in the Windows Hello for Business GPO
 The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases.
+
+Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials.
+
 1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Double-click the **Enable Windows Hello for Business** Group Policy object.
-4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**.
-5. Click the **Delegation** tab. 
Select **Authenticated Users** and click **Advanced**.
-6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Double-click the **Enable Windows Hello for Business** Group Policy object
+1. In the **Security Filtering** section of the content pane, select **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and select **OK**
+1. Select the **Delegation** tab. Select **Authenticated Users** and **Advanced**
+1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**
 ## Deploy the Windows Hello for Business Group Policy object
-The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…**
-3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
+The application of the Windows Hello for Business Group Policy object uses security group filtering. 
This solution enables you to link the Group Policy object at the domain level, ensuring the GPO is within scope to all users. However, the security group filtering ensures that only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
-Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object.
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…**
+1. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
 ## Other Related Group Policy settings
-### Windows Hello for Business
-
 There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings.
 ### Use a hardware security device
-The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential. 
+The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential.
-You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
+You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
+Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). 
Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
 ### Use biometrics
 Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.
-The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint.
+The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disables all biometrics. Currently, Windows does not provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition, but disallowing fingerprint recognition.
 ### PIN Complexity
-PIN complexity is not specific to Windows Hello for Business. 
Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
+PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
-Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
-* Require digits
-* Require lowercase letters
-* Maximum PIN length
-* Minimum PIN length
-* Expiration
-* History
-* Require special characters
-* Require uppercase letters
+Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. 
Windows does not merge the policy settings automatically. The policy settings included are:
-In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under Computer Configuration\Administrative Templates\System\PIN Complexity in the Group Policy editor.
+- Require digits
+- Require lowercase letters
+- Maximum PIN length
+- Minimum PIN length
+- Expiration
+- History
+- Require special characters
+- Require uppercase letters
-## Review
+The settings can be found in *Administrative Templates\System\PIN Complexity*, under both the Computer and User Configuration nodes of the Group Policy editor.
+
+## Review to validate the configuration
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions)
-* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
-* Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting.
-* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. 
User)
-* Confirm you configured the proper security settings for the Group Policy object
- * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)
- * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy
-
-* Linked the Group Policy object to the correct locations within Active Directory
-* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users
+> [!div class="checklist"]
+> - Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
+> - Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting
+> - Confirm you configured the proper security settings for the Group Policy object
+> - Confirm you removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)
+> - Confirm you added the Windows Hello for Business Users group to the Group Policy object, and gave the group the allow permission to Apply Group Policy
+> - Linked the Group Policy object to the correct locations within Active Directory
+> - Deployed any additional Windows Hello for Business Group Policy settings
 ## Add users to the Windows Hello for Business Users group
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
-
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-1. 
[Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-5. Configure Windows Hello for Business Policy settings (*You are here*)
+Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index af56ffb943..bac1a4e528 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -1,78 +1,30 @@
 ---
-title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business)
-description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model.
-ms.date: 08/19/2018
+title: Validate Active Directory prerequisites in an on-premises certificate trust
+description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a certificate trust model.
+ms.date: 12/12/2022
 appliesto:
 - ✅ Windows 10 and later
-- ✅ Windows Server 2016 and later
-ms.topic: article
+- ✅ Windows Server 2016 and later
+ms.topic: tutorial
 ---
-# Validate Active Directory prerequisites for cert-trust deployment
+# Validate Active Directory prerequisites - on-premises certificate trust
 [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
-The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
+The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
-> [!NOTE]
-> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.
+## Create the Windows Hello for Business Users security group
-Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. 
+The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
-## Discovering schema role
+Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
-To locate the schema master role holder, open and command prompt and type:
+1. Open **Active Directory Users and Computers**
+1. Select **View > Advanced Features**
+1. Expand the domain node from the navigation pane
+1. Right-click the **Users** container. Select **New > Group**
+1. Type *Windows Hello for Business Users* in the **Group Name**
+1. Select **OK**
-```cmd
-netdom.exe query fsmo | findstr.exe -i "schema"
-```
-
-![Netdom example output.](images/hello-cmd-netdom.png)
-
-The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
-
-## Updating the Schema
-
-Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory.
-
-Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials.
-
-1. Mount the ISO file (or insert the DVD) containing the Windows Server 2016 or later installation media.
-2. Open an elevated command prompt.
-3. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO.
-4. To update the schema, type ```adprep /forestprep```.
-5. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema.
-6. Close the Command Prompt and sign-out. 
-
-## Create the KeyCredential Admins Security Global Group
-
-The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow.
-
-Sign-in a domain controller or management workstation with domain administrator equivalent credentials.
-
-1. Open **Active Directory Users and Computers**.
-2. Click **View** and click **Advance Features**.
-3. Expand the domain node from the navigation pane.
-4. Right-click the **Users** container. Click **New**. Click **Group**.
-5. Type **KeyCredential Admins** in the **Group Name** text box.
-6. Click **OK**.
-
-## Create the Windows Hello for Business Users Security Global Group
-
-The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate.
-
-Sign into a domain controller or management workstation with domain administrator equivalent credentials.
-
-1. Open **Active Directory Users and Computers**.
-2. Click **View** and click **Advanced Features**.
-3. Expand the domain node from the navigation pane.
-4. Right-click the **Users** container. Click **New**. Click **Group**.
-5. Type **Windows Hello for Business Users** in the **Group Name** text box.
-6. Click **OK**.
-
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-1. Validate Active Directory prerequisites (*You are here*)
-2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-3. 
[Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
+> [!div class="nextstepaction"]
+> [Next: validate and configure PKI >](hello-cert-trust-validate-pki.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index 28d010fbd8..e5c4b9a2a4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,25 +1,28 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with certificate trust -description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust -ms.date: 08/19/2018 +description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises certificate trust model. +ms.date: 12/13/2022 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate and Deploy Multi-Factor Authentication feature + +# Validate and deploy multi-factor authentication - on-premises certificate trust [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] -Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. +Windows Hello for Business requires users perform multi-factor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: -For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) +- third-party authentication providers for AD FS +- custom authentication provider for AD FS -Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. 
Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies, see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). +> [!IMPORTANT] +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. Validate and Deploy Multi-factor Authentication Services (MFA) (*You're here*) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file +For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) + +Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. 
For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). + +> [!div class="nextstepaction"] +> [Next: configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 4b692280e1..f543372332 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md 
@@ -1,190 +1,348 @@ --- -title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business) -description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model. -ms.date: 08/19/2018 +title: Configure and validate the Public Key Infrastructure in an on-premises certificate trust model +description: Configure and validate the Public Key Infrastructure the Public Key Infrastructure when deploying Windows Hello for Business in a certificate trust model. +ms.date: 12/12/2022 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate and Configure Public Key Infrastructure - Certificate Trust Model +# Configure and validate the Public Key Infrastructure - on-premises certificate trust [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] -Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. +Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. 
-## Deploy an enterprise certificate authority +## Deploy an enterprise certification authority -This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running Active Directory Certificate Services. +This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role. -### Lab-based public key infrastructure +### Lab-based PKI -The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. +The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. -Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. +Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. >[!NOTE] ->Never install a certificate authority on a domain controller in a production environment. +>Never install a certification authority on a domain controller in a production environment. 1. Open an elevated Windows PowerShell prompt -2. Use the following command to install the Active Directory Certificate Services role +1. Use the following command to install the Active Directory Certificate Services role. ```PowerShell Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools ``` - -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration +3. 
Use the following command to configure the CA using a basic certification authority configuration ```PowerShell Install-AdcsCertificationAuthority - ``` - -## Configure a Production Public Key Infrastructure + ``` -If you do have an existing public key infrastructure, please review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your public key infrastructure using the information from your design session. +## Configure a PKI -### Configure Domain Controller Certificates +If you have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session. -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. +Expand the following sections to configure the PKI for Windows Hello for Business. -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. 
However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. +
+

+Configure domain controller certificates -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template. +Clients must trust the domain controllers, and to it each domain controller must have a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*. -Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Templates Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. 
Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -8. Close the console. +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template. -### Superseding the existing Domain Controller certificate +By default, the Active Directory CA provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template. -Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. 
These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates > Manage** +1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab + - Type *Domain Controller Authentication (Kerberos)* in Template display name + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +1. On the **Subject Name** tab: + - Select the **Build from this Active Directory information** button if it isn't already selected + - Select **None** from the **Subject name format** list + - Select **DNS name** from the **Include this information in alternate subject** list + - Clear all other items +1. 
On the **Cryptography** tab: + - select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. Select **OK** +1. Close the console -Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Templates Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. -4. Click the **Superseded Templates** tab. Click **Add**. -5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. Click **Add**. -7. From the **Add Superseded Template** dialog, select the **Kerberos Authentication** certificate template and click **OK**. Click **Add**. -8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. -9. Click **OK** and close the **Certificate Templates** console. +
-The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. +
+
+Supersede existing domain controller certificates -### Configure an Internal Web Server Certificate template +The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension. -Windows 10 or Windows 11 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. +The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\ +The *autoenrollment* feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template. -Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Templates Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. 
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Request Handling** tab, select **Allow private key to be exported**. -7. On the **Subject Name** tab, select the **Supply in the request** button if it is not already selected. -8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. -9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -10. Close the console. +Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials. -### Unpublish Superseded Certificate Templates +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates > Manage** +1. In the **Certificate Template Console**, right-click the *Domain Controller Authentication (Kerberos)* (or the name of the certificate template you created in the previous section) template in the details pane and select **Properties** +1. Select the **Superseded Templates** tab. Select **Add** +1. From the **Add Superseded Template** dialog, select the *Domain Controller* certificate template and select **OK > Add** +1. 
From the **Add Superseded Template** dialog, select the *Domain Controller Authentication* certificate template and select **OK** +1. From the **Add Superseded Template** dialog, select the *Kerberos Authentication* certificate template and select **OK** +1. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab +1. Select **OK** and close the **Certificate Templates** console -The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates isn't active until the certificate template is published to one or more certificate authorities. -The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. +
-Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. -5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. +
+
+Configure an internal web server certificate template -### Publish Certificate Templates to the Certificate Authority +Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running theAD FS can request the certificate. -The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. -Sign-in to the certificate authority or management workstations with an _enterprise administrator_ equivalent credentials. +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate recipient** list +1. On the **General** tab: + - Type *Internal Web Server* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +1. 
On the **Request Handling** tab, select **Allow private key to be exported** +1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected +1. On the **Security** tab: + - Select **Add** + - Type **Domain Computers** in the **Enter the object names to select** box + - Select **OK** + - Select the **Allow** check box next to the **Enroll** permission +1. On the **Cryptography** tab: + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list + - Select **OK** +1. Close the console -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. -7. Close the console. +
-### Configure Domain Controllers for Automatic Certificate Enrollment +
+
+Configure a certificate registration authority template -Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. +A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the CRA. + +The CRA enrolls for an *enrollment agent* certificate. Once the CRA verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the CA. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The CA only issues a certificate for that template if the registration authority signs the certificate request. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click on the **Exchange Enrollment Agent (Offline request)** template details pane and select **Duplicate Template** +1. 
On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list. + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab: + - Type *WHFB Enrollment Agent* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs +1. On the **Subject** tab, select the **Supply in the request** button if it is not already selected + + > [!NOTE] + > Group Managed Service Accounts (GMSA) do not support the *Build from this Active Directory information* option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with *Supply in the request* to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +1. On the **Cryptography** tab: + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. On the **Security** tab, select **Add** +1. Select **Object Types** and select the **Service Accounts** check box. Select **OK** +1. Type *adfssvc* in the **Enter the object names to select** text box and select **OK** +1. Select the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section: + - In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission + - Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared + - Select **OK** +1. Close the console + +
+ +
+
+Configure a Windows Hello for Business authentication certificate template + +During Windows Hello for Business provisioning, Windows clients request an authentication certificate from AD FS, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. Right-click the **Smartcard Logon** template and choose **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab: + - Type *WHFB Authentication* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. +1. On the **Cryptography** tab + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon** +1. On the **Issuance Requirements** tab, + - Select the **This number of authorized signatures** check box. Type *1* in the text box + - Select **Application policy** from the **Policy type required in signature** + - Select **Certificate Request Agent** from in the **Application policy** list + - Select the **Valid existing certificate** option +1. 
On the **Subject** tab, + - Select the **Build from this Active Directory information** button + - Select **Fully distinguished name** from the **Subject name format** list + - Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** +1. On the **Request Handling** tab, select the **Renew with same key** check box +1. On the **Security** tab, select **Add**. Type *Window Hello for Business Users* in the **Enter the object names to select** text box and select **OK** +1. Select the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section: + - Select the **Allow** check box for the **Enroll** permission + - Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared + - Select **OK** +1. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template +1. 
Select on the **Apply** to save changes and close the console + +#### Mark the template as the Windows Hello Sign-in template + +Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials + +Open an elevated command prompt end execute the following command + +```cmd +certutil.exe -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY +``` + +>[!NOTE] +>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace *WHFBAuthentication* in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on your certification authority. + + +
+ +
+
+Unpublish Superseded Certificate Templates + +The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created *domain controller authentication* certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign in to the CA or management workstation with *Enterprise Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane > **Certificate Templates** +1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window +1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates + +
+ +
+
+Publish certificate templates to the CA + +A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. + +Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane +1. Select **Certificate Templates** in the navigation pane +1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue +1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority +1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list + - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation +1. Close the console + +
+ +### Configure automatic certificate enrollment for the domain controllers + +Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU). + +1. Open the **Group Policy Management Console** (gpmc.msc) +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type *Domain Controller Auto Certificate Enrollment* in the name box and select **OK** +1. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and select **Edit** +1. In the navigation pane, expand **Policies** under **Computer Configuration** +1. Expand **Windows Settings > Security Settings > Public Key Policies** +1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties** +1. Select **Enabled** from the **Configuration Model** list +1. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box +1. Select the **Update certificates that use certificate templates** check box +1. Select **OK** +1. Close the **Group Policy Management Editor** + +### Deploy the domain controller auto certificate enrollment GPO + +Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. 
Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. -5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. -8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -9. Select **Enabled** from the **Configuration Model** list. -10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box. -11. Select the **Update certificates that use certificate templates** check box. -12. Click **OK**. Close the **Group Policy Management Editor**. +1. In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…** +1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created +1. Select **OK** -### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object +## Validate the configuration -Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. 
+Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. -### Validating your work +You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. +### Use the event logs -You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. +Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. -#### Use the Event Logs +1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log +1. Look for an event indicating a new certificate enrollment (autoenrollment): + - The details of the event include the certificate template on which the certificate was issued + - The name of the certificate template used to issue the certificate should match the certificate template name included in the event + - The certificate thumbprint and EKUs for the certificate are also included in the event + - The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. 
Using the Event Viewer, navigate to the **CertificateServicesClient-Lifecycle-System** event log under **Application and Services/Microsoft/Windows**. +Certificates superseded by your new domain controller certificate generate an archive event in the event log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. -Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. +### Certificate Manager -Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServicesClient-Lifecycle-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. +You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager. +### Certutil.exe -#### Certificate Manager +You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates. 
-You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. +To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. -#### Certutil.exe +### Troubleshooting -You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. +Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate.exe /force`. -To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. +Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt. -#### Troubleshooting +Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions. -Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. - -Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. 
- -Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. Validate and Configure Public Key Infrastructure (*You are here*) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file +> [!div class="nextstepaction"] +> [Next: prepare and deploy AD FS >](hello-cert-trust-adfs.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index 115a1041e1..d19452cbd8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md 
@@ -1,22 +1,20 @@ --- -title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment -description: A guide to on premises, certificate trust Windows Hello for Business deployment. -ms.date: 08/19/2018 +title: Windows Hello for Business deployment guide for the on-premises certificate trust model +description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust model. +ms.date: 12/12/2022 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# On Premises Certificate Trust Deployment +# Deployment guide overview - on-premises certificate trust [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] -Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment. - -Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: +Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment: 1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multi-factor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) +2. 
[Validate and configure a PKI](hello-cert-trust-validate-pki.md) +3. [Prepare and deploy AD FS](hello-cert-trust-adfs.md) +4. [Validate and deploy multi-factor authentication (MFA)](hello-cert-trust-validate-deploy-mfa.md) +5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 6dfcd9f952..34d860c531 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md 
@@ -1,21 +1,20 @@ --- -title: Windows Hello for Business Deployment Guide - On Premises Key Deployment -description: A guide to on premises, key trust Windows Hello for Business deployment. -ms.date: 08/20/2018 +title: Windows Hello for Business deployment guide for the on-premises key trust model +description: Learn how to deploy Windows Hello for Business in an on-premises, key trust model. +ms.date: 12/12/2022 appliesto: - ✅ Windows 10 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# On Premises Key Trust Deployment +# Deployment guide overview - on-premises key trust [!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. - -Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: +Windows Hello for Business replaces username and password authentication to Windows with an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in an on-premises environment:: 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. [Prepare and Deploy Active Directory Federation Services](hello-key-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) +1. [Validate and configure a PKI](hello-key-trust-validate-pki.md) +1. [Prepare and deploy AD FS](hello-key-trust-adfs.md) +1. 
[Validate and deploy multi-factor authentication (MFA)](hello-key-trust-validate-deploy-mfa.md) +1. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index af71e186d2..5fe62506a6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -4,22 +4,17 @@ description: Learn how to deploy certificates to cloud Kerberos trust and key tr ms.collection: - ContentEngagementFY23 ms.topic: article -localizationpriority: medium ms.date: 11/15/2022 appliesto: - ✅ Windows 10 and later -ms.technology: itpro-security --- # Deploy certificates for remote desktop (RDP) sign-in -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [ key trust](hello-how-it-works-technology.md#key-trust)\ -✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join) - -
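Review bot: The rewritten intro sentence in the hello-deployment-key-trust.md hunk ends with a doubled colon, `...deploy Windows Hello for Business in an on-premises environment::`; it should read `...deploy Windows Hello for Business in an on-premises environment:`, matching the same sentence in the hello-deployment-cert-trust.md hunk of this commit. The rest of the hunk is front matter and link text and reads fine.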
- +This document describes Windows Hello for Business functionalities or scenarios that apply to: +- **Deployment type:** [!INCLUDE [hybrid](../../includes/hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [cloud-kerberos](../../includes/hello-trust-cloud-kerberos.md)], [!INCLUDE [key](../../includes/hello-trust-key.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](../../includes/hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](../../includes/hello-join-hybrid.md)] --- Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user: diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 69c0a68538..db362bdbaf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -13,7 +13,6 @@ metadata: manager: aaroncz ms.reviewer: prsriva ms.collection: - - M365-identity-device-management - highpri ms.topic: faq localizationpriority: medium diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 561975c7a9..e1aa2e7acb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -5,7 +5,7 @@ ms.collection: - highpri ms.date: 07/29/2022 appliesto: -- ✅ Windows 10 and later +- ✅ Windows 10 and later ms.topic: article --- 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index ad5eec8634..7bec9c2543 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -70,6 +70,7 @@ The certificate trust model uses a securely issued certificate based on the user - [Deployment type](#deployment-type) - [Hybrid Azure AD join](#hybrid-azure-ad-join) - [Hybrid deployment](#hybrid-deployment) +- [Cloud Kerberos trust](#cloud-kerberos-trust) - [Key trust](#key-trust) - [On-premises deployment](#on-premises-deployment) - [Trust type](#trust-type) 
@@ -102,6 +103,26 @@ In Windows 10 and Windows 11, cloud experience host is an application used while [Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md) +## Cloud Kerberos trust + +The cloud Kerberos trust model offers a simplified deployment experience, when compared to the other trust types.\ +With cloud Kerberos trust, there's no need to deploy certificates to the users or to the domain controllers, which is ideal for environments without an existing PKI. + +Giving the simplicity offered by this model, cloud Kerberos trust is the recommended model when compared to the key trust model. It is also the preferred deployment model if you do not need to support certificate authentication scenarios. + +### Related to cloud Kerberos trust + +- [Deployment type](#deployment-type) +- [Hybrid Azure AD join](#hybrid-azure-ad-join) +- [Hybrid deployment](#hybrid-deployment) +- [Key trust](#key-trust) +- [On-premises deployment](#on-premises-deployment) +- [Trust type](#trust-type) + +### More information about cloud Kerberos trust + +[Cloud Kerberos trust deployment](hello-hybrid-cloud-kerberos-trust.md) + ## Deployment type Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: @@ -223,6 +244,7 @@ The key trust model uses the user's Windows Hello for Business identity to authe ### Related to key trust +- [Cloud Kerberos trust](#cloud-kerberos-trust) - [Certificate trust](#certificate-trust) - [Deployment type](#deployment-type) - [Hybrid Azure AD join](#hybrid-azure-ad-join) @@ -314,6 +336,7 @@ The trust type determines how a user authenticates to the Active Directory to ac ### Related to trust type +- [Cloud Kerberos trust](#cloud-kerberos-trust) - [Certificate trust](#certificate-trust) - [Hybrid deployment](#hybrid-deployment) - [Key trust](#key-trust) 
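Review bot: `Giving the simplicity offered by this model, cloud Kerberos trust is the recommended model...` in the new Cloud Kerberos trust section should read `Given the simplicity offered by this model, ...`. The section also names no platform prerequisite, while the cloud Kerberos trust page touched in this same commit (hello-hybrid-cloud-kerberos-trust.md) applies to Windows 10, version 21H2 and later; since this glossary section is where readers compare trust types, a sentence such as `Cloud Kerberos trust is available on Windows 10, version 21H2 and later.` would prevent choosing a model the clients can't use. The recommendation sentence `It is also the preferred deployment model if you do not need to support certificate authentication scenarios.` mixes with the contractions used earlier in the paragraph (`there's`); pick one register.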
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 1b222da4f8..e8e87a1d23 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -297,7 +297,7 @@ Sign in a certificate authority or management workstations with _Domain Admin eq 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 98725d74b3..2b43ffad0a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -37,7 +37,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. @@ -103,7 +103,7 @@ Sign-in to a certificate authority or management workstation with _Domain Admin_ 3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. 
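Review bot: The new line in the @@ -37 hunk still reads `Select **Windows 7.Server 2008 R2** from the **Certificate Recipient** list`; `Windows 7.Server 2008 R2` appears to be a garbled form of the console's `Windows 7 / Server 2008 R2` entry and was carried over while only `Certification Recipient` was corrected. The same wording survives in the @@ -33 hunk of hello-hybrid-key-whfb-settings-pki.md in this commit, so both should be fixed together.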
@@ -134,7 +134,7 @@ Sign-in to a certificate authority or management workstation with *Domain Admin* 3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. 
@@ -160,7 +160,7 @@ Sign-in to a certificate authority or management workstation with _Domain Admin 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **WHFB Authentication** or your choice of template name in **Template display name**. Note the short template name for later use with CertUtil. Adjust the validity and renewal period to meet your enterprise's needs. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index d8063e6127..ebcff732f3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -1,16 +1,16 @@ --- -title: Hybrid cloud Kerberos trust deployment (Windows Hello for Business) -description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. +title: Windows Hello for Business Cloud Kerberos trust deployment +description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. ms.date: 11/1/2022 appliesto: - ✅ Windows 10, version 21H2 and later ms.topic: article --- -# Hybrid cloud Kerberos trust deployment +# Cloud Kerberos trust deployment [!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cloudkerb-trust.md)] -Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. +Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a cloud Kerberos trust scenario. ## Introduction to cloud Kerberos trust diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index a824e822fe..9e36481b2a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md 
@@ -33,7 +33,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certificate Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. > [!NOTE] > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index fabe42eb18..e1ed3396b6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -2,10 +2,11 @@ title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models ms.collection: - - highpri -ms.date: 2/15/2022 -appliesto: -- ✅ Windows 10 and later +- highpri +ms.date: 12/13/2022 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.topic: article --- 
@@ -15,11 +16,10 @@ This article lists the infrastructure requirements for the different deployment ## Azure AD Cloud Only Deployment -* Microsoft Azure Account -* Azure Active Directory -* Azure AD Multifactor Authentication -* Modern Management (Intune or supported third-party MDM), *optional* -* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory +- Azure Active Directory +- Azure AD Multifactor Authentication +- Device management solution (Intune or supported third-party MDM), *optional* +- Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory ## Hybrid Deployments @@ -27,44 +27,26 @@ The table shows the minimum requirements for each deployment. For key trust in a | Requirement | cloud Kerberos trust
Group Policy or Modern managed | Key trust
Group Policy or Modern managed | Certificate Trust
Mixed managed | Certificate Trust
Modern managed | | --- | --- | --- | --- | --- | -| **Windows Version** | Windows 10, version 21H2 with KB5010415; Windows 11 with KB5010414; or later | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | -| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | +| **Windows Version** | Any supported Windows client versions| Any supported Windows client versions | Any supported Windows client versions | +| **Schema Version** | No specific Schema requirement | Windows Server 2016 or later schema | Windows Server 2016 or later schema | Windows Server 2016 or later schema | | **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | -| **Domain Controller Version** | Windows Server 2016 or later | Windows Server 2016 or later | Windows Server 2008 R2 or later | Windows Server 2008 R2 or later | -| **Certificate Authority**| N/A | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| **AD FS Version** | N/A | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients managed by Group Policy),
and
Windows Server 2012 or later Network Device Enrollment Service (hybrid Azure AD joined & Azure AD joined managed by MDM) | Windows Server 2012 or later Network Device Enrollment Service | -| **MFA Requirement** | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | +| **Domain Controller Version** | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | +| **Certificate Authority**| N/A |Any supported Windows Server versions | Any supported Windows Server versions | Any supported Windows Server versions | +| **AD FS Version** | N/A | N/A | Any supported Windows Server versions | Any supported Windows Server versions | +| **MFA Requirement** | Azure MFA, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | | **Azure AD Connect** | N/A | Required | Required | Required | | **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required | -> [!Important] -> - Hybrid deployments support non-destructive PIN reset that works with Certificate Trust, Key Trust and cloud Kerberos trust models. -> -> **Requirements:** -> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 -> -> - On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. -> -> **Requirements:** -> - Reset from settings - Windows 10, version 1703, Professional -> - Reset above lock screen - Windows 10, version 1709, Professional -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 - ## On-premises Deployments The table shows the minimum requirements for each deployment. | Key trust
Group Policy managed | Certificate trust
Group Policy managed| | --- | --- | -| Windows 10, version 1703 or later | Windows 10, version 1703 or later | +|Any supported Windows client versions|Any supported Windows client versions| | Windows Server 2016 Schema | Windows Server 2016 Schema| | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | -| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | -| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | -| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter | -| Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | - -> [!IMPORTANT] -> For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. For more information, see the [planning guide](./hello-adequate-domain-controllers.md). +| Any supported Windows Server versions | Any supported Windows Server versions | +| Any supported Windows Server versions | Any supported Windows Server versions | +| Any supported Windows Server versions | Any supported Windows Server versions | +| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter | \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 4a8dc18965..b08abdb82d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md 
@@ -1,337 +1,261 @@ --- -title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business) -description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust. -ms.date: 08/19/2018 +title: Prepare and deploy Active Directory Federation Services in an on-premises key trust +description: Learn how to configure Active Directory Federation Services to support the Windows Hello for Business key trust model. +ms.date: 12/12/2022 appliesto: - ✅ Windows 10 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust +# Prepare and deploy Active Directory Federation Services - on-premises key trust [!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration. +Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*. -The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. 
+The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\ +WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\ +To deploy AD FS using SQL as its configuration database, review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. -If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. +A new AD FS farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. -If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. 
If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. +Prepare the AD FS deployment by installing and **updating** two Windows Servers. -Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. +## Enroll for a TLS server authentication certificate -A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server. +Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. -Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. +The AD FS role needs a *server authentication* certificate for the federation services, and you can use a certificate issued by your enterprise (internal) CA. The server authentication certificate should have the following names included in the certificate, if you are requesting an individual certificate for each node in the federation farm: + - **Subject Name**: the internal FQDN of the federation server + - **Subject Alternate Name**: the federation service name (e.g. *sts.corp.contoso.com*) or an appropriate wildcard entry (e.g. *\*.corp.contoso.com*) -## Update Windows Server 2016 +The federation service name is set when the AD FS role is configured. You can choose any name, but that name must be different than the name of the server or host. 
For example, you can name the host server *adfs* and the federation service *sts*. In this example, the FQDN of the host is *adfs.corp.contoso.com* and the FQDN of the federation service is *sts.corp.contoso.com*. -Sign-in the federation server with _local admin_ equivalent credentials. -1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. -2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). +You can also issue one certificate for all hosts in the farm. If you chose this option, leave the subject name *blank*, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. + +When creating a wildcard certificate, mark the private key as exportable, so that the same certificate can be deployed across each federation server and web application proxy within the AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. + +Be sure to enroll or import the certificate into the AD FS server's computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. 
+ +### AD FS authentication certificate enrollment + +Sign-in the federation server with *domain administrator* equivalent credentials. + +1. Start the Local Computer **Certificate Manager** (certlm.msc) +1. Expand the **Personal** node in the navigation pane +1. Right-click **Personal**. Select **All Tasks > Request New Certificate** +1. Select **Next** on the **Before You Begin** page +1. Select **Next** on the **Select Certificate Enrollment Policy** page +1. On the **Request Certificates** page, select the **Internal Web Server** check box +1. Select the **⚠️ More information is required to enroll for this certificate. Click here to configure settings** link + :::image type="content" source="images/hello-internal-web-server-cert.png" lightbox="images/hello-internal-web-server-cert.png" alt-text="Example of Certificate Properties Subject Tab - This is what shows when you select the above link."::: +1. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the AD FS role and then select **Add** +1. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name that you will use for your federation services (*sts.corp.contoso.com*). The name you use here MUST match the name you use when configuring the AD FS server role. Select **Add** and **OK** when finished +1. Select **Enroll** + +A server authentication certificate should appear in the computer's personal certificate store. + +## Deploy the AD FS role + +AD FS provides *device registration* and *key registration* services to support the Windows Hello for Business on-premises deployments. >[!IMPORTANT] ->The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. +> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. 
Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. -## Enroll for a TLS Server Authentication Certificate +Sign-in the federation server with *Enterprise Administrator* equivalent credentials. -Key trust Windows Hello for Business on-premises deployments need a federation server for device registration and key registration. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. +1. Start **Server Manager**. Select **Local Server** in the navigation pane +1. Select **Manage > Add Roles and Features** +1. Select **Next** on the **Before you begin** page +1. On the **Select installation type** page, select **Role-based or feature-based installation > Next** +1. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list and **Next** +1. On the **Select server roles** page, select **Active Directory Federation Services** and **Next** +1. Select **Next** on the **Select features** page +1. Select **Next** on the **Active Directory Federation Service** page +1. Select **Install** to start the role installation -The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. 
The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: -* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) -* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com) - -You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com. - -You can, however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. - -When creating a wildcard certificate, it is recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. - -Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. 
- -### Internal Server Authentication Certificate Enrollment - -Sign-in the federation server with domain administrator equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link - ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png) -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. -9. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -## Deploy the Active Directory Federation Service Role - -The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments. -* Device registration -* Key registration - ->[!IMPORTANT] -> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. 
- -Windows Hello for Business depends on proper device registration. For on-premises key trust deployments, Windows Server 2016 AD FS handles device and key registration. - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** on the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**. -7. Click **Next** on the **Select features** page. -8. Click **Next** on the **Active Directory Federation Service** page. -9. Click **Install** to start the role installation. - -## Review to validate +## Review to validate the AD FS deployment Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the AD FS farm uses the correct database configuration. -* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. -* Confirm **all** AD FS servers in the farm have the latest updates. -* Confirm all AD FS servers have a valid server authentication certificate - * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. 
- * The alternate name of the certificate contains a wildcard or the FQDN of the federation service -## Device Registration Service Account Prerequisite +> [!div class="checklist"] +> * Confirm the AD FS farm uses the correct database configuration +> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load +> * Confirm **all** AD FS servers in the farm have the latest updates installed +> * Confirm all AD FS servers have a valid server authentication certificate -The service account used for the device registration server depends on the domain controllers in the environment. +## Device registration service account prerequisites ->[!NOTE] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. +The use of Group Managed Service Accounts (GMSA) is the preferred way to deploy service accounts for services that support them. GMSAs have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. AD FS supports GMSAs, and it should be configured using them for additional security. -### Windows Server 2012 or later Domain Controllers +GSMA uses the *Microsoft Key Distribution Service* that is located on the domain controllers. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. -Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA, have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. 
AD FS supports GMSA and should be configured using them for additional defense in depth security. +### Create KDS Root Key -GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA. +Sign-in a domain controller with *Enterprise Administrator* equivalent credentials. -#### Create KDS Root Key - -Sign-in a domain controller with _Enterprise Admin_ equivalent credentials. -1. Start an elevated Windows PowerShell console. -2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` - -### Windows Server 2008 or 2008 R2 Domain Controllers - -Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use or create a normal user account as a service account where you are responsible for changing the password on a regular basis. - -#### Create an AD FS Service Account - -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Right-click the **Users** container, Click **New**. Click **User**. -3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. -4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** check box. -5. Click **Next** and then click **Finish**. 
+Start an elevated PowerShell console and execute the following command: +```PowerShell +Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) +``` ## Configure the Active Directory Federation Service Role ->[!IMPORTANT] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. +Use the following procedures to configure AD FS. -### Windows Server 2016, 2012 R2 or later Domain Controllers +Sign-in to the federation server with *Domain Administrator* equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. -Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section. +1. Start **Server Manager** +1. Select the notification flag in the upper right corner and select **Configure the federation services on this server** +1. On the **Welcome** page, select **Create the first federation server farm > Next** +1. On the **Connect to Active Directory Domain Services** page, select **Next** +1. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *sts.corp.contoso.com* +1. Select the federation service name from the **Federation Service Name** list +1. Type the *Federation Service Display Name* in the text box. This is the name users see when signing in. Select **Next** +1. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. 
In the **Account Name** box, type *adfssvc* +1. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and select **Next** +1. On the **Review Options** page, select **Next** +1. On the **Pre-requisite Checks** page, select **Configure** +1. When the process completes, select **Close** -Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) +### Add the AD FS service account to the *Key Admins* group -3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. -4. Click **Next** on the **Connect to Active Directory Domain Services** page. -5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. -6. Select the federation service name from the **Federation Service Name** list. -7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. 
+During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group. -### Windows Server 2008 or 2008 R2 Domain Controllers +Sign-in to a domain controller or management workstation with *Domain Administrator* equivalent credentials. -Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. +1. Open **Active Directory Users and Computers** +1. Select the **Users** container in the navigation pane +1. Right-click **Key Admins** in the details pane and select **Properties** +1. Select the **Members > Add…** +1. In the **Enter the object names to select** text box, type *adfssvc*. Select **OK** +1. Select **OK** to return to **Active Directory Users and Computers** +1. Change to server hosting the AD FS role and restart it -Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png) +## Configure the device registration service -3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. -4. Click **Next** on the **Connect to Active Directory Domain Services** page. -5. 
On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. -6. Select the federation service name from the **Federation Service Name** list. -7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. - * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. -13. Do not restart the AD FS server. You will do this later. +Sign-in to the federation server with *Enterprise Administrator* equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Open the **AD FS management** console +1. In the navigation pane, expand **Service**. Select **Device Registration** +1. In the details pane, select **Configure device registration** +1. 
In the **Configure Device Registration** dialog, Select **OK** -### Add the AD FS Service account to the KeyAdmins group +:::image type="content" source="images/adfs-device-registration.png" lightbox="images/adfs-device-registration.png" alt-text="AD FS device registration: configuration of the service connection point."::: -The KeyAdmins global group provides the AD FS service with the permissions needed to perform key registration. +Triggering device registration from AD FS, creates the service connection point (SCP) in the Active Directory configuration partition. The SCP is used to store the device registration information that Windows clients will automatically discover. -Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. -1. Open **Active Directory Users and Computers**. -2. Click the **Users** container in the navigation pane. -3. Right-click **KeyAdmins** in the details pane and click **Properties**. -4. Click the **Members** tab and click **Add…** -5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**. -6. Click **OK** to return to **Active Directory Users and Computers**. -7. Change to server hosting the AD FS role and restart it. +:::image type="content" source="images/adfs-scp.png" lightbox="images/adfs-scp.png" alt-text="AD FS device registration: service connection point object created by AD FS."::: - -## Configure the Device Registration Service - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. -1. Open the **AD FS management** console. -2. In the navigation pane, expand **Service**. Click **Device Registration**. -3. In the details pane, click **Configure Device Registration**. -4. In the **Configure Device Registration** dialog, click **OK**. 
- -## Review and validate +## Review to validate the AD FS and Active Directory configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you followed the correct procedures based on the domain controllers used in your deployment - * Windows Server 2016, 2012 R2 or Windows Server 2012 R2 - * Windows Server 2008 or Windows Server 2008 R2 -* Confirm you have the correct service account based on your domain controller version. -* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs. -* Confirm you used a certificate with the correct names as the server authentication certificate - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) -* Confirm you added the AD FS service account to the KeyAdmins group. -* Confirm you enabled the Device Registration service. +> [!div class="checklist"] +> * Record the information about the AD FS certificate, and set a renewal reminder at least six weeks before it expires. Relevant information includes: certificate serial number, thumbprint, common name, subject alternate name, name of the physical host server, the issued date, the expiration date, and issuing CA vendor (if a third-party certificate) +> * Confirm you added the AD FS service account to the KeyAdmins group +> * Confirm you enabled the Device Registration service -## Additional Federation Servers +## Additional federation servers -Organizations should deploy more than one federation server in their federation farm for high-availability. 
You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. +Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. -### Server Authentication Certificate +### Server authentication certificate Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. -### Install Additional Servers +### Install additional servers -Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. +Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). 
Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. -## Load Balance AD FS Federation Servers +## Load balance AD FS Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. ### Install Network Load Balancing Feature on AD FS Servers -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** On the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. On the **Select server roles** page, click **Next**. -7. Select **Network Load Balancing** on the **Select features** page. -8. Click **Install** to start the feature installation - ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png) +Sign-in the federation server with *Enterprise Administrator* equivalent credentials. + +1. Start **Server Manager**. Select **Local Server** in the navigation pane +1. Select **Manage** and then select **Add Roles and Features** +1. Select **Next** On the **Before you begin** page +1. On the **Select installation type** page, select **Role-based or feature-based installation** and select **Next** +1. On the **Select destination server** page, choose **Select a server from the server pool**. 
Select the federation server from the **Server Pool** list. Select **Next** +1. On the **Select server roles** page, select **Next** +1. Select **Network Load Balancing** on the **Select features** page +1. Select **Install** to start the feature installation ### Configure Network Load Balancing for AD FS Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. -Sign-in a node of the federation farm with _Admin_ equivalent credentials. -1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface.](images/hello-nlb-manager.png) -2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. -3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png) -4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) -5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. -6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png) -7. 
In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. - ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png) -8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. -9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png) +Sign-in a node of the federation farm with *Administrator* equivalent credentials. + +1. Open **Network Load Balancing Manager** from **Administrative Tools** +1. Right-click **Network Load Balancing Clusters**, and then select **New Cluster** +1. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then select **Connect** +1. Select the interface that you want to use with the cluster, and then select **Next** (the interface hosts the virtual IP address and receives the client traffic to load balance) +1. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Select **Next** +1. In **Cluster IP Addresses**, select **Add** and type the cluster IP address that is shared by every host in the cluster. 
NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Select **Next** +1. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster +1. In **Cluster operation mode**, select **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Select **Next** +1. In Port Rules, select Edit to modify the default port rules to use port 443 ### Additional AD FS Servers -1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. -2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png) +1. To add more hosts to the cluster, right-click the new cluster, and then select **Add Host to Cluster** +1. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same ## Configure DNS for Device Registration -Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. You’ll need the Federation service name to complete this task. 
You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. -1. Open the **DNS Management** console. -2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. -3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. -4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. -6. Right-click the `domain_name` node and select **New Alias (CNAME)**. -7. In the **New Resource Record** dialog box, type "enterpriseregistration" in the **Alias** name box. -8. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name.domain_name.com`, and click OK. -9. Close the DNS Management console. +Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.\ +You'll need the *federation service* name to complete this task. You can view the federation service name by selecting **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. + +1. Open the **DNS Management** console +1. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones** +1. In the navigation pane, select the node that has the name of your internal Active Directory domain name +1. In the navigation pane, right-click the domain name node and select **New Host (A or AAAA)** +1. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. 
Select **Add Host** +1. Right-click the `` node and select **New Alias (CNAME)** +1. In the **New Resource Record** dialog box, type `enterpriseregistration` in the **Alias** name box +1. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name. [!NOTE] -> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.upnsuffix.com` is present for each suffix. +> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.` is present for each suffix. ## Configure the Intranet Zone to include the federation service -The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. +The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. ### Create an Intranet Zone Group Policy Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials 1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. Type **Intranet Zone Settings** in the name box and click **OK**. -5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. 
Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**. -8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**. -9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor. +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type **Intranet Zone Settings** in the name box and select **OK** +1. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and select **Edit** +1. In the navigation pane, expand **Policies** under **Computer Configuration** +1. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel >Security Page**. Open **Site to Zone Assignment List** +1. Select **Enable > Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Select OK twice, then close the Group Policy Management Editor ### Deploy the Intranet Zone Group Policy object 1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. +1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…** +1. 
In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK** -## Review +## Review to validate the configuration Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm all AD FS servers have a valid server authentication certificate - * The subject of the certificate is the common name (FQDN) of the host or a wildcard name. - * The alternate name of the certificate contains a wildcard or the FQDN of the federation service -* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load. -* Confirm **all** AD FS servers in the farm have the latest updates. -* Confirm you restarted the AD FS service. -* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address -* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. +> [!div class="checklist"] +> * Confirm all AD FS servers have a valid server authentication certificate. The subject of the certificate is the common name (FQDN) of the host or a wildcard name. The alternate name of the certificate contains a wildcard or the FQDN of the federation service +> * Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load +> * Confirm you restarted the AD FS service +> * Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address +> * Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server -## Follow the Windows Hello for Business on premises certificate trust deployment guide - -1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -2. 
[Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) +> [!div class="nextstepaction"] +> [Next: validate and deploy multi-factor authentication (MFA)](hello-key-trust-validate-deploy-mfa.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index c618365d4e..03e7dbfe38 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md 
@@ -1,71 +1,70 @@ --- -title: Configure Windows Hello for Business Policy settings - key trust -description: Configure Windows Hello for Business Policy settings for Windows Hello for Business -ms.date: 08/19/2018 +title: Configure Windows Hello for Business Policy settings in an on-premises key trust +description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario +ms.date: 12/12/2022 appliesto: - ✅ Windows 10 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Configure Windows Hello for Business Policy settings - Key Trust +# Configure Windows Hello for Business group policy settings - on-premises key trust [!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -To run the Group Policy Management Console from a Windows client, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). +On-premises key trust deployments of Windows Hello for Business need one Group Policy setting: *Enable Windows Hello for Business*. +The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. -Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows client installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information. 
+If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
-On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business
+## Enable Windows Hello for Business group policy setting
-## Enable Windows Hello for Business Group Policy
+The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
-The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
+If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business .
-If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows.
+## Create the GPO
+Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials.
-## Create the Windows Hello for Business Group Policy object
-
-The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
 1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click **Group Policy object** and select **New**.
-4. Type *Enable Windows Hello for Business* in the name box and click **OK**.
-5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **User Configuration**.
-7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
-8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
-9. Close the **Group Policy Management Editor**.
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Right-click **Group Policy object** and select **New**
+1. Type *Enable Windows Hello for Business* in the name box and select **OK**
+1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and select **Edit**
+1. In the navigation pane, select **User Configuration > Policies > **Administrative Templates > Windows Component > Windows Hello for Business**
+1. In the content pane, double-click **Use Windows Hello for Business**. Select **Enable** and **OK**
+1. Close the **Group Policy Management Editor**
-## Configure Security in the Windows Hello for Business Group Policy object
+## Configure security in the Windows Hello for Business GPO
 The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. 
The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases.
+
+Sign in to a domain controller or management workstations with *Domain Administrator* equivalent credentials.
+
 1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Double-click the **Enable Windows Hello for Business** Group Policy object.
-4. In the **Security Filtering** section of the content pane, click **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**.
-5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
-6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane
+1. Double-click the **Enable Windows Hello for Business** Group Policy object
+1. In the **Security Filtering** section of the content pane, select **Add**. Type *Windows Hello for Business Users* or the name of the security group you previously created and select **OK**
+1. Select the **Delegation** tab. Select **Authenticated Users** and **Advanced**
+1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**
 ## Deploy the Windows Hello for Business Group Policy object
-The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. 
However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…**
-3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
+The application of the Windows Hello for Business Group Policy object uses security group filtering. This solution enables you to link the Group Policy object at the domain level, ensuring the GPO is within scope to all users. However, the security group filtering ensures that only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
-Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object.
+1. Start the **Group Policy Management Console** (gpmc.msc)
+1. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO…**
+1. 
In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and select **OK**
 ## Other Related Group Policy settings
-### Windows Hello for Business
-
 There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings.
 ### Use a hardware security device
-The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential.
+The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential.
-You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
+You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. 
@@ -73,47 +72,37 @@ Another policy setting becomes available when you enable the **Use a hardware se
 Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.
-The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition, but disallowing fingerprint recognition.
+The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disables all biometrics. Currently, Windows does not provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition, but disallowing fingerprint recognition.
 ### PIN Complexity
-PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
+PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. 
PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
-Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
-* Require digits
-* Require lowercase letters
-* Maximum PIN length
-* Minimum PIN length
-* Expiration
-* History
-* Require special characters
-* Require uppercase letters
+Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically. The policy settings included are:
-In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. 
The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor.
+- Require digits
+- Require lowercase letters
+- Maximum PIN length
+- Minimum PIN length
+- Expiration
+- History
+- Require special characters
+- Require uppercase letters
-## Review
+The settings can be found in *Administrative Templates\System\PIN Complexity*, under both the Computer and User Configuration nodes of the Group Policy editor.
+
+## Review to validate the configuration
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions)
-* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
-* Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting.
-* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User)
-* Confirm you configured the proper security settings for the Group Policy object
- * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)
- * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy
-
-* Linked the Group Policy object to the correct locations within Active Directory
-* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users
+> [!div class="checklist"]
+> * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. 
User)
+> * Confirm you configured the proper security settings for the Group Policy object
+> * Confirm you removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)
+> * Confirm you added the Windows Hello for Business Users group to the Group Policy object, and gave the group the allow permission to Apply Group Policy
+> * Linked the Group Policy object to the correct locations within Active Directory
+> * Deployed any additional Windows Hello for Business Group Policy settings
 ## Add users to the Windows Hello for Business Users group
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
-
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-5. Configure Windows Hello for Business Policy settings (*You are here*)
+Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the *Windows Hello for Business Users* group. 
Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 57080612a2..e53e1d194f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -1,39 +1,32 @@ --- -title: Key registration for on-premises deployment of Windows Hello for Business -description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. -ms.date: 08/19/2018 +title: Validate Active Directory prerequisites in an on-premises key trust +description: Validate Active Directory prerequisites when deploying Windows Hello for Business in a key trust model. +ms.date: 12/12/2022 appliesto: - ✅ Windows 10 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate Active Directory prerequisites - Key Trust +# Validate Active Directory prerequisites - on-premises key trust [!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. +Key trust deployments need an adequate number of domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md) and the [Planning an adequate number of Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. -> [!NOTE] ->There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. 
+The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
-The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
+## Create the Windows Hello for Business Users security group
-## Create the Windows Hello for Business Users Security Global Group
+The *Windows Hello for Business Users* group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
-The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by simply adding the users to the group. This provides users with the proper permissions to provision Windows Hello for Business.
+Sign-in to a domain controller or to a management workstation with a *Domain Administrator* equivalent credentials.
-Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
+1. Open **Active Directory Users and Computers**
+1. Select **View > Advanced Features**
+1. Expand the domain node from the navigation pane
+1. Right-click the **Users** container. Select **New > Group**
+1. Type *Windows Hello for Business Users* in the **Group Name**
+1. Select **OK**
-1. Open **Active Directory Users and Computers**.
-2. Click **View** and click **Advanced Features**.
-3. 
Expand the domain node from the navigation pane.
-4. Right-click the **Users** container. Click **New**. Click **Group**.
-5. Type **Windows Hello for Business Users** in the **Group Name** text box.
-6. Click **OK**.
-
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-1. Validate Active Directory prerequisites (*You are here*)
-2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
-4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
+> [!div class="nextstepaction"]
+> [Next: validate and configure PKI >](hello-key-trust-validate-pki.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 046acb3df3..6088986d1e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -1,28 +1,29 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with key trust -description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust -ms.date: 08/19/2018 +description: Validate and deploy multi-factor authentication (MFA) for Windows Hello for Business in an on-premises key trust model. +ms.date: 12/12/2022 appliesto: - ✅ Windows 10 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate and Deploy Multifactor Authentication (MFA) + +# Validate and deploy multi-factor authentication - on-premises key trust [!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -> [!IMPORTANT] -> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. +Windows Hello for Business requires users perform multi-factor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option: -Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. +- certificates +- third-party authentication providers for AD FS +- custom authentication provider for AD FS + +> [!IMPORTANT] +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. 
New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
 For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-
-1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
-2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
-4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*)
-5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
+> [!div class="nextstepaction"]
+> [Next: configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index c3a9226714..dac396577a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -1,245 +1,248 @@ --- -title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business) -description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model. -ms.date: 08/19/2018 +title: Configure and validate the Public Key Infrastructure in an on-premises key trust model +description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model. +ms.date: 12/12/2022 appliesto: - ✅ Windows 10 and later -ms.topic: article +- ✅ Windows Server 2016 and later +ms.topic: tutorial --- -# Validate and Configure Public Key Infrastructure - Key Trust +# Configure and validate the Public Key Infrastructure - on-premises key trust [!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. +Windows Hello for Business must have a Public Key Infrastructure (PKI) when using the *key trust* or *certificate trust* models. The domain controllers must have a certificate, which serves as a root of trust for clients. The certificate ensures that clients don't communicate with rogue domain controllers. -## Deploy an enterprise certificate authority +## Deploy an enterprise certification authority -This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. +This guide assumes most enterprises have an existing public key infrastructure. 
Windows Hello for Business depends on an enterprise PKI running the Windows Server *Active Directory Certificate Services* role. -### Lab-based public key infrastructure +### Lab-based PKI -The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. +The following instructions may be used to deploy simple public key infrastructure that is suitable **for a lab environment**. -Sign in using **Enterprise Admin** equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. +Sign in using *Enterprise Administrator* equivalent credentials on a Windows Server where you want the certification authority (CA) installed. >[!NOTE] ->Never install a certificate authority on a domain controller in a production environment. +>Never install a certification authority on a domain controller in a production environment. -1. Open an elevated Windows PowerShell prompt. -2. Use the following command to install the Active Directory Certificate Services role. +1. Open an elevated Windows PowerShell prompt +1. Use the following command to install the Active Directory Certificate Services role. ```PowerShell Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools ``` - -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. +3. Use the following command to configure the CA using a basic certification authority configuration ```PowerShell Install-AdcsCertificationAuthority - ``` - -## Configure a Production Public Key Infrastructure - -If you do have an existing public key infrastructure, please review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) from Microsoft TechNet to properly design your infrastructure. 
Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your public key infrastructure using the information from your design session. - -### Configure Domain Controller Certificates - -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. - -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. - -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template. - -Sign in to a certificate authority or management workstations with **Domain Admin** equivalent credentials. - -1. Open the **Certificate Authority** management console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. 
In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. - -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. - -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. - - > [!NOTE] - > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. - -6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. - -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. - -8. Close the console. - -### Superseding the existing Domain Controller certificate - -Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. 
- -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. - -Sign in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. - -4. Click the **Superseded Templates** tab. Click **Add**. - -5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. - -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. - -7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. - -8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. - -9. Click **OK** and close the **Certificate Templates** console. - -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. 
- -### Configure an Internal Web Server Certificate template - -Windows clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. - -Sign in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. - -2. Right-click **Certificate Templates** and click **Manage**. - -3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. - -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. - -5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. - - > [!NOTE] - > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. - -6. On the **Request Handling** tab, select **Allow private key to be exported**. - -7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - -8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. - -9. 
On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. - -10. Close the console. - -### Unpublish Superseded Certificate Templates - -The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. - -The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. - -Sign in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. - -1. Open the **Certificate Authority** management console. - -2. Expand the parent node from the navigation pane. - -3. Click **Certificate Templates** in the navigation pane. - -4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. - -5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. - -### Publish Certificate Templates to the Certificate Authority - -The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. 
- -Sign in to the certificate authority or management workstations with **Enterprise Admin** equivalent credentials. - -1. Open the **Certificate Authority** management console. - -2. Expand the parent node from the navigation pane. - -3. Click **Certificate Templates** in the navigation pane. - -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. - -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. - -6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - - \* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. - -7. Close the console. - -### Configure Domain Controllers for Automatic Certificate Enrollment - -Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. + ``` + +## Configure a PKI + +If you have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. 
Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session. + +Expand the following sections to configure the PKI for Windows Hello for Business. + +
+
+Configure domain controller certificates + +Clients must trust the domain controllers, and to it each domain controller must have a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*. + +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise CA is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates don't include the *KDC Authentication* object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the *Kerberos Authentication* certificate template. + +By default, the Active Directory CA provides and publishes the *Kerberos Authentication* certificate template. The cryptography configuration included in the template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the *Kerberos Authentication* certificate template as a *baseline* to create an updated domain controller certificate template. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates > Manage** +1. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and select **Duplicate Template** +1. 
On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab + - Type *Domain Controller Authentication (Kerberos)* in Template display name + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +1. On the **Subject Name** tab: + - Select the **Build from this Active Directory information** button if it isn't already selected + - Select **None** from the **Subject name format** list + - Select **DNS name** from the **Include this information in alternate subject** list + - Clear all other items +1. On the **Cryptography** tab: + - select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list +1. Select **OK** +1. Close the console + +
+ + +
+
+Supersede existing domain controller certificates + +The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension. + +The *Kerberos Authentication* certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers.\ +The *autoenrollment* feature allows you to replace the domain controller certificates. Use the following configuration to replace older domain controller certificates with new ones, using the *Kerberos Authentication* certificate template. + +Sign in to a CA or management workstations with *Enterprise Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates > Manage** +1. In the **Certificate Template Console**, right-click the *Domain Controller Authentication (Kerberos)* (or the name of the certificate template you created in the previous section) template in the details pane and select **Properties** +1. Select the **Superseded Templates** tab. Select **Add** +1. From the **Add Superseded Template** dialog, select the *Domain Controller* certificate template and select **OK > Add** +1. From the **Add Superseded Template** dialog, select the *Domain Controller Authentication* certificate template and select **OK** +1. From the **Add Superseded Template** dialog, select the *Kerberos Authentication* certificate template and select **OK** +1. 
Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab +1. Select **OK** and close the **Certificate Templates** console + +The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates isn't active until the certificate template is published to one or more certificate authorities. + +
+ +
+
+Configure an internal web server certificate template + +Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running theAD FS can request the certificate. + +Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Right-click **Certificate Templates** and select **Manage** +1. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and select **Duplicate Template** +1. On the **Compatibility** tab: + - Clear the **Show resulting changes** check box + - Select **Windows Server 2016** from the **Certification Authority** list + - Select **Windows 10 / Windows Server 2016** from the **Certificate Recipient** list +1. On the **General** tab: + - Type *Internal Web Server* in **Template display name** + - Adjust the validity and renewal period to meet your enterprise's needs + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. +1. On the **Request Handling** tab, select **Allow private key to be exported** +1. On the **Subject** tab, select the **Supply in the request** button if it isn't already selected +1. On the **Security** tab: + - Select **Add** + - Type **Domain Computers** in the **Enter the object names to select** box + - Select **OK** + - Select the **Allow** check box next to the **Enroll** permission +1. 
On the **Cryptography** tab: + - Select **Key Storage Provider** from the **Provider Category** list + - Select **RSA** from the **Algorithm name** list + - Type *2048* in the **Minimum key size** text box + - Select **SHA256** from the **Request hash** list + - Select **OK** +1. Close the console + +
+ +
+
+Unpublish Superseded Certificate Templates + +The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. + +The newly created *domain controller authentication* certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. + +Sign in to the CA or management workstation with *Enterprise Administrator* equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane > **Certificate Templates** +1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window +1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates + +
+ +
+
+Publish certificate templates to the CA + +A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. + +Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials. + +1. Open the **Certification Authority** management console +1. Expand the parent node from the navigation pane +1. Select **Certificate Templates** in the navigation pane +1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue +1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority +1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list + - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation +1. Close the console + +
+ +### Configure automatic certificate enrollment for the domain controllers + +Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU). + +1. Open the **Group Policy Management Console** (gpmc.msc) +1. Expand the domain and select the **Group Policy Object** node in the navigation pane +1. Right-click **Group Policy object** and select **New** +1. Type *Domain Controller Auto Certificate Enrollment* in the name box and select **OK** +1. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and select **Edit** +1. In the navigation pane, expand **Policies** under **Computer Configuration** +1. Expand **Windows Settings > Security Settings > Public Key Policies** +1. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties** +1. Select **Enabled** from the **Configuration Model** list +1. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box +1. Select the **Update certificates that use certificate templates** check box +1. Select **OK** +1. Close the **Group Policy Management Editor** + +### Deploy the domain controller auto certificate enrollment GPO + +Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) +1. In the navigation pane, expand the domain and expand the node with the Active Directory domain name. 
Right-click the **Domain Controllers** organizational unit and select **Link an existing GPO…** +1. In the **Select GPO** dialog box, select *Domain Controller Auto Certificate Enrollment* or the name of the domain controller certificate enrollment Group Policy object you previously created +1. Select **OK** -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. +## Validate the configuration -3. Right-click **Group Policy object** and select **New** +Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. -4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. +You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. -5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. +### Use the event logs -6. In the navigation pane, expand **Policies** under **Computer Configuration**. +Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. -7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. +1. Using the Event Viewer, navigate to the **Application and Services > Microsoft > Windows > CertificateServices-Lifecycles-System** event log +1. 
Look for an event indicating a new certificate enrollment (autoenrollment): + - The details of the event include the certificate template on which the certificate was issued + - The name of the certificate template used to issue the certificate should match the certificate template name included in the event + - The certificate thumbprint and EKUs for the certificate are also included in the event + - The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template -8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. +Certificates superseded by your new domain controller certificate generate an archive event in the event log. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. -9. Select **Enabled** from the **Configuration Model** list. +### Certificate Manager -10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box. +You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates don't appear in Certificate Manager. -11. Select the **Update certificates that use certificate templates** check box. +### Certutil.exe -12. Click **OK**. Close the **Group Policy Management Editor**. +You can use `certutil.exe` command to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil.exe -q -store my` to view locally enrolled certificates. 
-### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object +To view detailed information about each certificate in the store, use `certutil.exe -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. -Sign in to domain controller or management workstations with _Domain Admin_ equivalent credentials. +### Troubleshooting -1. Start the **Group Policy Management Console** (gpmc.msc). +Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate.exe /force`. -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**. +Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq.exe -autoenroll -q` from an elevated command prompt. -3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. +Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certification authority and the allow auto enrollment permissions. -### Validating your work - -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. - -You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. 
- -#### Use the Event Logs - -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. - -Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. - -Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. - -#### Certificate Manager - -You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. - -#### Certutil.exe - -You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. 
- -To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. - -#### Troubleshooting - -Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. - -Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. - -Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. - -## Follow the Windows Hello for Business on premises key trust deployment guide - -1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -2. Validate and Configure Public Key Infrastructure (*You are here*) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) +> [!div class="nextstepaction"] +> [Next: prepare and deploy AD FS >](hello-key-trust-adfs.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index b32ad3664c..a548960eab 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -5,7 +5,7 @@ ms.collection: - highpri ms.date: 2/15/2022 appliesto: -- ✅ Windows 10 and later +- ✅ Windows 10 and later ms.topic: article --- 
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 010273238e..50d6d7f166 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -5,7 +5,7 @@ ms.collection: - highpri ms.topic: conceptual appliesto: -- ✅ Windows 10 and later + - ✅ Windows 10 and later ms.date: 12/31/2017 --- # Windows Hello for Business Overview diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index ca25fdee58..89fe8f84ce 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -5,7 +5,7 @@ ms.collection: - highpri ms.date: 10/23/2017 appliesto: -- ✅ Windows 10 and later +- ✅ Windows 10 and later ms.topic: article --- # Why a PIN is better than an online password diff --git a/windows/security/identity-protection/hello-for-business/images/adfs-device-registration.png b/windows/security/identity-protection/hello-for-business/images/adfs-device-registration.png new file mode 100644 index 0000000000..cf0b7aeff4 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/adfs-device-registration.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/adfs-scp.png b/windows/security/identity-protection/hello-for-business/images/adfs-scp.png new file mode 100644 index 0000000000..5a806fadf0 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/adfs-scp.png differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-adfs-configure-2012r2.png b/windows/security/identity-protection/hello-for-business/images/hello-adfs-configure-2012r2.png deleted file mode 100644 index 374d8f1297..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-adfs-configure-2012r2.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png b/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png index cc78ba41cf..5db53fa03c 100644 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png and b/windows/security/identity-protection/hello-for-business/images/hello-internal-web-server-cert.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-add-ip.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-add-ip.png deleted file mode 100644 index 49b06a8cc2..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-add-ip.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png deleted file mode 100644 index e74cc5f586..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-ip-config.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png deleted file mode 100644 index c8d406f45f..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster-port-rule.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster.png deleted file mode 100644 index 3c4e29b213..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-cluster.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-connect.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-connect.png deleted file mode 100644 index c5aac0791e..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-connect.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-feature-install.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-feature-install.png deleted file mode 100644 index 3ab085a804..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-feature-install.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/hello-nlb-manager.png b/windows/security/identity-protection/hello-for-business/images/hello-nlb-manager.png deleted file mode 100644 index 61af244a4c..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/hello-nlb-manager.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index 0f14b0a619..0c6b760604 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml 
@@ -15,7 +15,6 @@ metadata: ms.reviewer: prsriva ms.date: 01/22/2021 ms.collection: - - M365-identity-device-management - highpri # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 5aa1fcad6a..1987c05d33 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -3,8 +3,7 @@ title: How Windows Hello for Business works (Windows) description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. ms.date: 10/16/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 +- ✅ Windows 10 and later ms.topic: article --- # How Windows Hello for Business works in Windows devices diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 502a196109..fb4c92826f 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -99,7 +99,7 @@ href: hello-deployment-key-trust.md - name: Validate Active Directory prerequisites href: hello-key-trust-validate-ad-prereq.md - - name: Validate and configure Public Key Infrastructure (PKI) + - name: Configure and validate Public Key Infrastructure (PKI) href: hello-key-trust-validate-pki.md - name: Prepare and deploy Active Directory Federation Services (AD FS) href: hello-key-trust-adfs.md 
@@ -113,7 +113,7 @@ href: hello-deployment-cert-trust.md - name: Validate Active Directory prerequisites href: hello-cert-trust-validate-ad-prereq.md - - name: Validate and configure Public Key Infrastructure (PKI) + - name: Configure and validate Public Key Infrastructure (PKI) href: hello-cert-trust-validate-pki.md - name: Prepare and Deploy Active Directory Federation Services (AD FS) href: hello-cert-trust-adfs.md diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 7f59ec2edf..a968914652 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.date: 09/23/2021 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # How User Account Control works diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index 9ad0ff0106..f3c8c14d4e 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -7,7 +7,7 @@ ms.topic: article ms.date: 04/19/2017 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # User Account Control Group Policy and registry key settings 
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index 1c975c2974..35851d61af 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -7,7 +7,7 @@ ms.topic: article ms.date: 09/24/2011 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # User Account Control diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index c6cf53662d..28f209a22e 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -5,7 +5,7 @@ ms.topic: article ms.date: 09/24/2021 appliesto: - ✅ Windows 10 and later -- ✅ Windows Server 2016 and later +- ✅ Windows Server 2016 and later --- # User Account Control security policy settings diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 5ca81d5c91..188fe97442 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md 
@@ -12,6 +12,7 @@ appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
 ms.technology: itpro-security
+ms.topic: how-to
 ---
 # How to configure Diffie Hellman protocol over IKEv2 VPN connections
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index 4b167fab27..371193641b 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -11,6 +11,7 @@ appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
 ms.technology: itpro-security
+ms.topic: how-to
 ---
 # How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index fa541c4f87..a44aa1b079 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -12,6 +12,7 @@ appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
 ms.technology: itpro-security
+ms.topic: conceptual
 ---
 # VPN authentication options
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index e7e1f831ab..61044232d2 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -12,6 +12,7 @@ appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
 ms.technology: itpro-security
+ms.topic: conceptual
 ---
 # VPN auto-triggered profile options
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 5d7a695376..5da2a635a4 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -12,6 +12,7 @@ appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
 ms.technology: itpro-security
+ms.topic: conceptual
 ---
 # VPN and conditional access
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index c3b4995351..e9eecdbbb9 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -12,6 +12,7 @@ appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
 ms.technology: itpro-security
+ms.topic: conceptual
 ---
 # VPN connection types
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index 40331b878d..f8cf27d242 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -12,6 +12,7 @@ appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
 ms.technology: itpro-security
+ms.topic: conceptual
 ---
 # Windows VPN technical guide
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index 61fccf4518..34f201d00a 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -12,6 +12,7 @@ appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
 ms.technology: itpro-security
+ms.topic: conceptual
 ---
 # VPN name resolution
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index ebd414e637..d5725508e4 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -12,6 +12,7 @@ appliesto: - ✅ Windows 10 - ✅ Windows 11 ms.technology: itpro-security +ms.topic: conceptual --- # VPN profile options diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index 195202fe24..be5bc1caf0 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -12,6 +12,7 @@ appliesto: - ✅ Windows 10 - ✅ Windows 11 ms.technology: itpro-security +ms.topic: conceptual --- # VPN routing decisions diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index d21e11182a..f8fb6861a0 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -12,6 +12,7 @@ appliesto: - ✅ Windows 10 - ✅ Windows 11 ms.technology: itpro-security +ms.topic: conceptual --- # VPN security features diff --git a/windows/security/images/icons/information.svg b/windows/security/images/icons/information.svg new file mode 100644 index 0000000000..bc692eabb9 --- /dev/null +++ b/windows/security/images/icons/information.svg @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/windows/security/includes/hello-cloud.md b/windows/security/includes/hello-cloud.md index c40ed1027c..1c41485f11 100644 --- a/windows/security/includes/hello-cloud.md +++ b/windows/security/includes/hello-cloud.md @@ -1,7 +1,11 @@ -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [cloud](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-deployment)\ -✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) - -
- --- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-cloud](hello-deployment-cloud.md)] +- **Join type:** [!INCLUDE [hello-join-aad](hello-join-aad.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-deployment-cloud.md b/windows/security/includes/hello-deployment-cloud.md new file mode 100644 index 0000000000..8152da9722 --- /dev/null +++ b/windows/security/includes/hello-deployment-cloud.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[cloud :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-deployment "For organizations using Azure AD-only identities. Device management is usually done via Intune/MDM") \ No newline at end of file diff --git a/windows/security/includes/hello-deployment-hybrid.md b/windows/security/includes/hello-deployment-hybrid.md new file mode 100644 index 0000000000..b35d4b548e --- /dev/null +++ b/windows/security/includes/hello-deployment-hybrid.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[hybrid :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment "For organizations using Active Directory identities synchronized to Azure AD. Device management is usually done via Group Policy or Intune/MDM") \ No newline at end of file diff --git a/windows/security/includes/hello-deployment-onpremises.md b/windows/security/includes/hello-deployment-onpremises.md new file mode 100644 index 0000000000..8746a5e9c7 --- /dev/null +++ b/windows/security/includes/hello-deployment-onpremises.md 
@@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[on-premises :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment "For organizations using Active Directory identities, not synchronized to Azure AD. Device management is usually done via Group Policy") \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-cert-trust-aad.md b/windows/security/includes/hello-hybrid-cert-trust-aad.md index e80912d8b9..57c03e95a3 100644 --- a/windows/security/includes/hello-hybrid-cert-trust-aad.md +++ b/windows/security/includes/hello-hybrid-cert-trust-aad.md @@ -1,8 +1,12 @@ -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ -✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) - -
- --- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-cert-trust-ad.md b/windows/security/includes/hello-hybrid-cert-trust-ad.md index 4ef97bd233..4691d86bc0 100644 --- a/windows/security/includes/hello-hybrid-cert-trust-ad.md +++ b/windows/security/includes/hello-hybrid-cert-trust-ad.md @@ -1,8 +1,12 @@ -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ -✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) - -
- --- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)] +- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-cert-trust.md b/windows/security/includes/hello-hybrid-cert-trust.md index 77a897f264..d6ca6e8f5d 100644 --- a/windows/security/includes/hello-hybrid-cert-trust.md +++ b/windows/security/includes/hello-hybrid-cert-trust.md @@ -1,8 +1,12 @@ -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ -✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) - -
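Review bot: The new Trust type line in `hello-hybrid-cert-trust-ad.md` pulls in `hello-trust-cloud-kerberos.md`, but the removed line it replaces declared certificate trust and the include's own file name still says cert-trust. Every page that embeds this include would then advertise cloud Kerberos trust for a deployment that actually depends on certificates issued to the user, steering readers to the wrong prerequisite and validation steps. The sibling `hello-hybrid-cert-trust-aad.md` hunk in this same commit keeps `hello-trust-certificate`, and the separate `hello-hybrid-cloudkerb-trust.md` include already covers the cloud Kerberos case, so this reads as a copy-paste slip rather than an intentional change. Suggested line: `- **Trust type:** [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)]`.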
- --- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/includes/hello-hybrid-cloudkerb-trust.md index 4f68be791b..61346cd80e 100644 --- a/windows/security/includes/hello-hybrid-cloudkerb-trust.md +++ b/windows/security/includes/hello-hybrid-cloudkerb-trust.md @@ -1,8 +1,12 @@ -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [cloud Kerberos trust](../identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md)\ -✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) - -
- --- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-key-trust-ad.md b/windows/security/includes/hello-hybrid-key-trust-ad.md index 68521a5a14..a5074f5bd4 100644 --- a/windows/security/includes/hello-hybrid-key-trust-ad.md +++ b/windows/security/includes/hello-hybrid-key-trust-ad.md @@ -1,8 +1,12 @@ -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ -✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) - -
- --- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)] +- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-key-trust.md b/windows/security/includes/hello-hybrid-key-trust.md index fdb7466014..d9feebc213 100644 --- a/windows/security/includes/hello-hybrid-key-trust.md +++ b/windows/security/includes/hello-hybrid-key-trust.md @@ -1,8 +1,12 @@ -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ -✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) - -
- --- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)], [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/includes/hello-hybrid-keycert-trust-aad.md index a8d82200d3..4c073f0897 100644 --- a/windows/security/includes/hello-hybrid-keycert-trust-aad.md +++ b/windows/security/includes/hello-hybrid-keycert-trust-aad.md @@ -1,7 +1,12 @@ -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust), [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ -✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) -
- --- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)], [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)] +- **Join type:** [!INCLUDE [hello-join-aadj](hello-join-aad.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-intro.md b/windows/security/includes/hello-intro.md new file mode 100644 index 0000000000..46d97c93e6 --- /dev/null +++ b/windows/security/includes/hello-intro.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +This document describes Windows Hello for Business functionalities or scenarios that apply to: \ No newline at end of file diff --git a/windows/security/includes/hello-join-aad.md b/windows/security/includes/hello-join-aad.md new file mode 100644 index 0000000000..5709970576 --- /dev/null +++ b/windows/security/includes/hello-join-aad.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[Azure AD join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join "Devices that are Azure AD joined do not have any dependencies on Active Directory. Only local users accounts and Azure AD users can sign in to these devices") \ No newline at end of file diff --git a/windows/security/includes/hello-join-domain.md b/windows/security/includes/hello-join-domain.md new file mode 100644 index 0000000000..0385e2089a --- /dev/null +++ b/windows/security/includes/hello-join-domain.md 
@@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[domain join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md "Devices that are domain joined do not have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices") \ No newline at end of file diff --git a/windows/security/includes/hello-join-hybrid.md b/windows/security/includes/hello-join-hybrid.md new file mode 100644 index 0000000000..3d3e75c6b6 --- /dev/null +++ b/windows/security/includes/hello-join-hybrid.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[hybrid Azure AD join :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join "Devices that are hybrid Azure AD joined don't have any dependencies on Azure AD. Only local users accounts and Active Directory users can sign in to these devices. Active Directory users that are synchronized to Azure AD will have single-sign on to both Active Directory and Azure AD-protected resources") \ No newline at end of file diff --git a/windows/security/includes/hello-on-premises-cert-trust.md b/windows/security/includes/hello-on-premises-cert-trust.md index 2cc01ac3ac..b106b5b8c8 100644 --- a/windows/security/includes/hello-on-premises-cert-trust.md +++ b/windows/security/includes/hello-on-premises-cert-trust.md 
@@ -1,8 +1,12 @@ -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\ -✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ -✅ **Device registration type:** Active Directory domain join - -
- --- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](hello-deployment-onpremises.md)] +- **Trust type:** [!INCLUDE [hello-trust-certificate](hello-trust-certificate.md)] +- **Join type:** [!INCLUDE [hello-join-domain](hello-join-domain.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-on-premises-key-trust.md b/windows/security/includes/hello-on-premises-key-trust.md index cd6241fa72..f290b0d975 100644 --- a/windows/security/includes/hello-on-premises-key-trust.md +++ b/windows/security/includes/hello-on-premises-key-trust.md @@ -1,8 +1,12 @@ -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\ -✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ -✅ **Device registration type:** Active Directory domain join - -
- --- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[!INCLUDE [hello-intro](hello-intro.md)] +- **Deployment type:** [!INCLUDE [hello-deployment-onpremises](hello-deployment-onpremises.md)] +- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)] +- **Join type:** [!INCLUDE [hello-join-domain](hello-join-domain.md)] +--- \ No newline at end of file diff --git a/windows/security/includes/hello-trust-certificate.md b/windows/security/includes/hello-trust-certificate.md new file mode 100644 index 0000000000..ffc705fde0 --- /dev/null +++ b/windows/security/includes/hello-trust-certificate.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[certificate trust :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust "This trust type uses a certificate to authenticate the users to Active Directory. It's required to issue certificates to the users and to the domain controllers") \ No newline at end of file diff --git a/windows/security/includes/hello-trust-cloud-kerberos.md b/windows/security/includes/hello-trust-cloud-kerberos.md new file mode 100644 index 0000000000..5ddac53ba9 --- /dev/null +++ b/windows/security/includes/hello-trust-cloud-kerberos.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[cloud Kerberos trust :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-kerberos-trust "This trust type uses security keys to authenticate the users to Active Directory. It's not required to issue any certificates, making it the recommended choice for environments that do not need certificate authentication") \ No newline at end of file 
diff --git a/windows/security/includes/hello-trust-key.md b/windows/security/includes/hello-trust-key.md new file mode 100644 index 0000000000..133f7f5204 --- /dev/null +++ b/windows/security/includes/hello-trust-key.md @@ -0,0 +1,8 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 12/08/2022 +ms.topic: include +--- + +[key trust :::image type="icon" source="../images/icons/information.svg" border="false":::](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust "This trust type uses a raw key to authenticate the users to Active Directory. It's not required to issue certificates to users, but it's required to deploy certificates to domain controllers") \ No newline at end of file diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md index 24aaa25d9f..f928705138 100644 --- a/windows/security/includes/improve-request-performance.md +++ b/windows/security/includes/improve-request-performance.md @@ -1,14 +1,8 @@ --- -title: Improve request performance -description: Improve request performance -search.product: eADQiWindows 10XVcnh -ms.prod: m365-security -ms.localizationpriority: medium -ms.collection: M365-security-compliance -ms.topic: article author: paolomatarazzo ms.author: paoloma -manager: aaroncz +ms.date: 12/08/2022 +ms.topic: include --- >[!TIP] diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md index 31e3d1ac98..d4b4560d8f 100644 --- a/windows/security/includes/machineactionsnote.md +++ b/windows/security/includes/machineactionsnote.md 
@@ -1,12 +1,8 @@ --- -title: Perform a Machine Action via the Microsoft Defender for Endpoint API -description: This page focuses on performing a machine action via the Microsoft Defender for Endpoint API. -ms.date: 08/28/2017 -ms.reviewer: author: paolomatarazzo ms.author: paoloma -manager: aaroncz -ms.prod: m365-security +ms.date: 12/08/2022 +ms.topic: include --- >[!Note] diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md index 74cfd90cbb..0b0b2be701 100644 --- a/windows/security/includes/microsoft-defender-api-usgov.md +++ b/windows/security/includes/microsoft-defender-api-usgov.md @@ -1,14 +1,8 @@ --- -title: Microsoft Defender for Endpoint API URIs for US Government -description: Microsoft Defender for Endpoint API URIs for US Government -search.product: eADQiWindows 10XVcnh -ms.prod: m365-security author: paolomatarazzo ms.author: paoloma -manager: aaroncz -ms.localizationpriority: medium -ms.collection: M365-security-compliance -ms.topic: article +ms.date: 12/08/2022 +ms.topic: include --- >[!NOTE] diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md index 0aade34b01..bd9a8d2c0d 100644 --- a/windows/security/includes/microsoft-defender.md +++ b/windows/security/includes/microsoft-defender.md @@ -1,13 +1,7 @@ --- -title: Microsoft 365 Defender important guidance -description: A note in regard to important Microsoft 365 Defender guidance. -ms.date: -ms.reviewer: -manager: aaroncz author: paolomatarazzo ms.author: paoloma -manager: aaroncz -ms.prod: m365-security +ms.date: 12/08/2022 ms.topic: include --- diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md index 58b056c484..c0212561bd 100644 --- a/windows/security/includes/prerelease.md +++ b/windows/security/includes/prerelease.md 
@@ -1,12 +1,8 @@ --- -title: Microsoft Defender for Endpoint Pre-release Disclaimer -description: Disclaimer for pre-release version of Microsoft Defender for Endpoint. -ms.date: 08/28/2017 -ms.reviewer: author: paolomatarazzo ms.author: paoloma -manager: aaroncz -ms.prod: m365-security +ms.date: 12/08/2022 +ms.topic: include --- > [!IMPORTANT] diff --git a/windows/security/index.yml b/windows/security/index.yml index 57d27d3093..c78dd3fa5b 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -10,7 +10,6 @@ metadata: ms.prod: windows-client ms.technology: itpro-security ms.collection: - - m365-security-compliance - highpri ms.custom: intro-hub-or-landing author: paolomatarazzo diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml index df826bda53..b917a468f8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml @@ -2,19 +2,13 @@ metadata: title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: windows-client ms.technology: itpro-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: faq ms.date: 11/08/2022 @@ -22,9 +16,8 @@ metadata: title: BitLocker and Active Directory Domain Services (AD DS) FAQ summary: | **Applies to:** - - Windows 10 - - Windows 11 - - Windows Server 2016 and above + - Windows 10 and later + - Windows Server 2016 and later 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml index 39701f8123..dbea4c718a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml @@ -2,28 +2,19 @@ metadata: title: BitLocker deployment and administration FAQ (Windows 10) description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?" - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: ms.prod: windows-client ms.technology: itpro-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz - audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker frequently asked questions (FAQ) summary: | **Applies to:** - - Windows 10 - - Windows 11 - - Windows Server 2016 and above + - Windows 10 and later + - Windows Server 2016 and later sections: diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml index 46ab64d09d..24016c5ca6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml 
@@ -2,20 +2,13 @@ metadata: title: BitLocker FAQ (Windows 10) description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: ms.prod: windows-client ms.technology: itpro-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: faq ms.date: 11/08/2022 @@ -23,9 +16,8 @@ metadata: title: BitLocker frequently asked questions (FAQ) resources summary: | **Applies to:** - - Windows 10 - - Windows 11 - - Windows Server 2016 and above + - Windows 10 and later + - Windows Server 2016 and later This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml index b7aa1ae889..ad23cc6714 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml 
@@ -2,27 +2,20 @@ metadata: title: BitLocker Key Management FAQ (Windows 10) description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: windows-client ms.technology: itpro-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker Key Management FAQ summary: | **Applies to:** - - Windows 10 - - Windows 11 - - Windows Server 2016 and above + - Windows 10 and later + - Windows Server 2016 and later sections: diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml index 7129c50889..9683743787 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml @@ -4,15 +4,10 @@ metadata: description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments. ms.prod: windows-client ms.technology: itpro-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq ms.date: 11/08/2022 ms.reviewer: diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index c8bea939c1..8398ff5cb5 100644 
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -2,19 +2,13 @@ metadata: title: BitLocker overview and requirements FAQ (Windows 10) description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: windows-client ms.technology: itpro-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz audience: ITPro ms.collection: - - M365-security-compliance - highpri ms.topic: faq ms.date: 11/08/2022 @@ -22,9 +16,8 @@ metadata: title: BitLocker Overview and Requirements FAQ summary: | **Applies to:** - - Windows 10 - - Windows 11 - - Windows Server 2016 and above + - Windows 10 and later + - Windows Server 2016 and later sections: diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml index 04035cd1cb..8b53e2e639 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml 
@@ -1,28 +1,21 @@ ### YamlMime:FAQ metadata: - title: BitLocker Security FAQ (Windows 10) + title: BitLocker Security FAQ description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?" - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: windows-client ms.technology: itpro-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker Security FAQ summary: | **Applies to:** - - Windows 10 - - Windows 11 - - Windows Server 2016 and above + - Windows 10 and later + - Windows Server 2016 and later diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml index 1ab54f3689..c780b6ee5a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml @@ -1,19 +1,13 @@ ### YamlMime:FAQ metadata: - title: BitLocker To Go FAQ (Windows 10) + title: BitLocker To Go FAQ description: "Learn more about BitLocker To Go" - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: windows-client ms.technology: itpro-security ms.author: frankroj - ms.mktglfcycl: deploy - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: frankroj manager: aaroncz audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq ms.date: 11/08/2022 ms.custom: bitlocker diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml index 2ab78a0734..13441d1f58 100644 
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml @@ -1,18 +1,12 @@ ### YamlMime:FAQ metadata: - title: BitLocker Upgrading FAQ (Windows 10) + title: BitLocker Upgrading FAQ description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?" ms.prod: windows-client ms.technology: itpro-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz - audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq ms.date: 11/08/2022 ms.reviewer: @@ -20,9 +14,8 @@ metadata: title: BitLocker Upgrading FAQ summary: | **Applies to:** - - Windows 10 - - Windows 11 - - Windows Server 2016 and above + - Windows 10 and later + - Windows Server 2016 and later sections: diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml index 64f9160f29..4d0267a25a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml 
@@ -1,28 +1,19 @@ ### YamlMime:FAQ metadata: - title: Using BitLocker with other programs FAQ (Windows 10) + title: Using BitLocker with other programs FAQ description: Learn how to integrate BitLocker with other software on a device. - ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.prod: windows-client ms.technology: itpro-security - ms.mktglfcycl: explore - ms.sitesec: library - ms.pagetype: security - ms.localizationpriority: medium author: frankroj ms.author: frankroj manager: aaroncz - audience: ITPro - ms.collection: M365-security-compliance ms.topic: faq ms.date: 11/08/2022 - ms.custom: bitlocker title: Using BitLocker with other programs FAQ summary: | **Applies to:** - - Windows 10 - - Windows 11 - - Windows Server 2016 and above + - Windows 10 and later + - Windows Server 2016 and later sections: diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md index 765325f2f0..82af1b7c01 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/information-protection/encrypted-hard-drive.md @@ -8,6 +8,7 @@ ms.prod: windows-client author: frankroj ms.date: 11/08/2022 ms.technology: itpro-security +ms.topic: conceptual --- # Encrypted Hard Drive diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 8153b55d0a..0aed4ad1d1 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md 
@@ -3,16 +3,17 @@ title: Configure Personal Data Encryption (PDE) in Intune description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune author: frankroj ms.author: frankroj -ms.reviewer: rafals +ms.reviewer: rhonnegowda manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 09/22/2022 +ms.date: 12/13/2022 --- + # Configure Personal Data Encryption (PDE) policies in Intune 
@@ -20,104 +21,243 @@ ms.date: 09/22/2022 ### Enable Personal Data Encryption (PDE) -1. Sign into the Intune +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Templates** + 6. Under **Template name**, select **Custom**, and then select **Create** -7. On the ****Basics** tab: + +7. In **Basics**: + 1. Next to **Name**, enter **Personal Data Encryption** - 2. Next to **Description**, enter a description + 2. Next to **Description**, enter a description + 8. Select **Next** -9. On the **Configuration settings** tab, select **Add** -10. In the **Add Row** window: + +9. In **Configuration settings**, select **Add** + +10. In **Add Row**: + 1. Next to **Name**, enter **Personal Data Encryption** 2. Next to **Description**, enter a description 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** 4. Next to **Data type**, select **Integer** 5. Next to **Value**, enter in **1** + 11. Select **Save**, and then select **Next** -12. On the **Assignments** tab: + +12. In **Assignments**: + 1. Under **Included groups**, select **Add groups** 2. Select the groups that the PDE policy should be deployed to 3. Select **Select** 4. Select **Next** -13. On the **Applicability Rules** tab, configure if necessary and then select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -#### Disable Winlogon automatic restart sign-on (ARSO) +13. In **Applicability Rules**, configure if necessary and then select **Next** + +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + +### Disable Winlogon automatic restart sign-on (ARSO) + +1. 
Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Templates** + 6. Under **Template name**, select **Administrative templates**, and then select **Create** -7. On the ****Basics** tab: + +7. In **Basics**: + 1. Next to **Name**, enter **Disable ARSO** 2. Next to **Description**, enter a description + 8. Select **Next** -9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** + +9. In **Configuration settings**, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** + 10. Select **Sign-in and lock last interactive user automatically after a restart** + 11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + 12. Select **Next** -13. On the **Scope tags** tab, configure if necessary and then select **Next** -12. On the **Assignments** tab: + +13. In **Scope tags**, configure if necessary and then select **Next** + +14. In **Assignments**: + 1. Under **Included groups**, select **Add groups** 2. Select the groups that the ARSO policy should be deployed to 3. Select **Select** 4. Select **Next** -13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -## Recommended prerequisites +15. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** -#### Disable crash dumps +## Security hardening recommendations + +### Disable kernel-mode crash dumps and live dumps + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. 
Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Settings catalog**, and then select **Create** -6. On the ****Basics** tab: - 1. Next to **Name**, enter **Disable Hibernation** + +6. In **Basics**: + + 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** 2. Next to **Description**, enter a description + 7. Select **Next** -8. On the **Configuration settings** tab, select **Add settings** -9. In the **Settings picker** windows, select **Memory Dump** -10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +8. In **Configuration settings**, select **Add settings** + +9. In the **Settings picker** window, under **Browse by category**, select **Memory Dump** + +10. When the settings appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** -12. On the **Scope tags** tab, configure if necessary and then select **Next** -13. On the **Assignments** tab: + +12. In **Scope tags**, configure if necessary and then select **Next** + +13. In **Assignments**: + 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the crash dumps policy should be deployed to + 2. Select the groups that the disable crash dumps policy should be deployed to 3. Select **Select** 4. Select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -#### Disable hibernation +14. 
In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + +### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Settings catalog**, and then select **Create** -6. On the ****Basics** tab: + +6. In **Basics**: + + 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** + 2. Next to **Description**, enter a description + +7. Select **Next** + +8. In **Configuration settings**, select **Add settings** + +9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting** + +10. When the settings appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +11. Change **Disable Windows Error Reporting** to **Enabled**, and then select **Next** + +12. In **Scope tags**, configure if necessary and then select **Next** + +13. In **Assignments**: + + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the disable WER dumps policy should be deployed to + 3. Select **Select** + 4. Select **Next** + +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + +### Disable hibernation + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Navigate to **Devices** > **Configuration Profiles** + +3. Select **Create profile** + +4. Under **Platform**, select **Windows 10 and later** + +5. 
Under **Profile type**, select **Settings catalog**, and then select **Create** + +6. In **Basics**: + 1. Next to **Name**, enter **Disable Hibernation** 2. Next to **Description**, enter a description + 7. Select **Next** -8. On the **Configuration settings** tab, select **Add settings** -9. In the **Settings picker** windows, select **Power** -10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +8. In **Configuration settings**, select **Add settings** + +9. In the **Settings picker** window, under **Browse by category**, select **Power** + +10. When the settings appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 11. Change **Allow Hibernate** to **Block**, and then select **Next** -12. On the **Scope tags** tab, configure if necessary and then select **Next** -13. On the **Assignments** tab: + +12. In **Scope tags**, configure if necessary and then select **Next** + +13. In **Assignments**: + 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the hibernation policy should be deployed to + 2. Select the groups that the disable hibernation policy should be deployed to 3. Select **Select** 4. Select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + +### Disable allowing users to select when a password is required when resuming from connected standby + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Navigate to **Devices** > **Configuration Profiles** + +3. Select **Create profile** + +4. 
Under **Platform**, select **Windows 10 and later** + +5. Under **Profile type**, select **Settings catalog**, and then select **Create** + +6. In **Basics**: + + 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** + 2. Next to **Description**, enter a description + +7. Select **Next** + +8. In **Configuration settings**, select **Add settings** + +9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **System**, and then select **Logon** + +10. When the settings appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +11. Make sure that **Allow users to select when a password is required when resuming from connected standby** is left at the default of **Disabled**, and then select **Next** + +12. In **Scope tags**, configure if necessary and then select **Next** + +13. In **Assignments**: + + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the disable Allow users to select when a password is required when resuming from connected standby policy should be deployed to + 3. Select **Select** + 4. Select **Next** + +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** ## See also + - [Personal Data Encryption (PDE)](overview-pde.md) - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml index d9a2dbaff7..c56effe008 100644 --- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml +++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml 
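Review bot: The new `## Security hardening recommendations` section lists blocking kernel-mode crash dumps, Windows Error Reporting, hibernation and the resume-password option, but never says why these settings matter for PDE, so an admin cannot weigh the operational cost (no crash diagnostics, no hibernate) against the benefit. A one-sentence lead-in under the heading would close that gap, for example `The following settings reduce the risk that PDE-protected content, or the keys that protect it, is written to disk or remains accessible while the user is not signed in; evaluate each against your environment before deploying.` (the page does not state the mechanism, so confirm the wording with the product team). Step 11 of the connected-standby procedure, `Make sure that ... is left at the default of **Disabled**`, is also easy to misread as "leave the setting untouched"; if the intent is that adding the setting to the profile enforces **Disabled** on targeted devices, saying so explicitly would avoid that.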
@@ -5,13 +5,16 @@ metadata: description: Answers to common questions regarding Personal Data Encryption (PDE). author: frankroj ms.author: frankroj - ms.reviewer: rafals + ms.reviewer: rhonnegowda manager: aaroncz ms.topic: faq ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium - ms.date: 09/22/2022 + ms.date: 12/13/2022 + +# Max 5963468 OS 32516487 +# Max 6946251 title: Frequently asked questions for Personal Data Encryption (PDE) summary: | 
@@ -22,53 +25,58 @@ sections: questions: - question: Can PDE encrypt entire volumes or drives? answer: | - No. PDE only encrypts specified files. + No. PDE only encrypts specified files and content. - question: Is PDE a replacement for BitLocker? answer: | No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security. - - question: Can an IT admin specify which files should be encrypted? + - question: How are files and content protected by PDE selected? answer: | - Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). + [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE. - - question: Do I need to use OneDrive as my backup provider? + - question: Do I need to use OneDrive in Microsoft 365 as my backup provider? answer: | - No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider. + No. PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider. - question: What is the relation between Windows Hello for Business and PDE? answer: | - During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files. + During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content. - - question: Can a file be encrypted with both PDE and EFS at the same time? + - question: Can a file be protected with both PDE and EFS at the same time? answer: | No. PDE and EFS are mutually exclusive. - - question: Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)? 
+ - question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)? answer: | - No. Accessing PDE encrypted files over RDP isn't currently supported. + No. Accessing PDE protected content over RDP isn't currently supported. - - question: Can PDE encrypted files be access via a network share? + - question: Can PDE protected content be accessed via a network share? answer: | - No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. + No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. - - question: How can it be determined if a file is encrypted with PDE? + - question: How can it be determined if a file is protected with PDE? answer: | - Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file. + - Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS: + 1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected. + 2. Select the **Details** button. + 3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**. + - [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file. - question: Can users manually encrypt and decrypt files with PDE? answer: | - Currently users can decrypt files manually but they can't encrypt files manually. + Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](overview-pde.md). 
- - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files? + - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content? answer: | - No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. + No. The keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. - question: What encryption method and strength does PDE use? answer: | - PDE uses AES-CBC with a 256-bit key to encrypt files + PDE uses AES-CBC with a 256-bit key to encrypt content. additionalContent: | ## See also - [Personal Data Encryption (PDE)](overview-pde.md) - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) + diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md index 7ca7334657..2eb0fa2a66 100644 --- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md +++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md 
@@ -4,24 +4,25 @@ description: Personal Data Encryption (PDE) description include file author: frankroj ms.author: frankroj -ms.reviewer: rafals +ms.reviewer: rhonnegowda manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 09/22/2022 +ms.date: 12/13/2022 --- + -Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. +Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. -PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. +PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. 
With PDE, users only need to enter one set of credentials via Windows Hello for Business. -PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features. +Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business. -Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. +Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. > [!NOTE] -> PDE is currently only available to developers via [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE. +> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. 
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
index bfb7153548..e0da74cb1c 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -3,75 +3,123 @@ title: Personal Data Encryption (PDE) description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot. author: frankroj ms.author: frankroj -ms.reviewer: rafals +ms.reviewer: rhonnegowda manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 09/22/2022 +ms.date: 12/13/2022 --- + # Personal Data Encryption (PDE) -(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*) +**Applies to:** + +- Windows 11, version 22H2 and later Enterprise and Education editions [!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] ## Prerequisites -### **Required** - - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) - - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) - - Windows 11, version 22H2 and later Enterprise and Education editions +### Required -### **Not supported with PDE** - - [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md) - - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). 
- - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) - - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - - Remote Desktop connections +- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) +- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) +- Windows 11, version 22H2 and later Enterprise and Education editions -### **Highly recommended** - - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled - - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it. - - Backup solution such as [OneDrive](/onedrive/onedrive) - - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup. - - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) - - Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. 
- - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) - - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN - - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump) - - Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps). - - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - - Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). +### Not supported with PDE + +- [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md) +- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) + - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). 
+- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) +- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) +- Remote Desktop connections + +### Security hardening recommendations + +- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) + + Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps). + +- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) + + Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps). + +- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) + + Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). 
+ +- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) + + When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different: + + - On-premises Active Directory joined devices: + + - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. + + - A password is required immediately after the screen turns off. + + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. + + - Workgroup devices, including native Azure AD joined devices: + + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. + + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. + + Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured. + + For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). + +### Highly recommended + +- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled + + Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. 
+ +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview) + + In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup. + +- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) + + Destructive PIN resets will cause keys used by PDE to protect content to be lost. The destructive PIN reset will make any content protected with PDE no longer accessible after a destructive PIN reset. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. + +- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) + + Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN ## PDE protection levels -PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). +PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). 
| Item | Level 1 | Level 2 | |---|---|---| -| Data is accessible when user is signed in | Yes | Yes | -| Data is accessible when user has locked their device | Yes | No | -| Data is accessible after user signs out | No | No | -| Data is accessible when device is shut down | No | No | -| Decryption keys discarded | After user signs out | After user locks device or signs out | +| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes | +| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available | +| PDE protected data is accessible after user signs out of Windows | No | No | +| PDE protected data is accessible when device is shut down | No | No | +| PDE protected data is accessible via UNC paths | No | No | +| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No | +| PDE protected data is accessible via Remote Desktop session | No | No | +| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows | -## PDE encrypted files accessibility +## PDE protected content accessibility -When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. +When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access PDE protected content, they'll be denied access to the content. 
-Scenarios where a user will be denied access to a PDE encrypted file include: +Scenarios where a user will be denied access to PDE protected content include: - User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN. -- If specified via level 2 protection, when the device is locked. -- When trying to access files on the device remotely. For example, UNC network paths. +- If protected via level 2 protection, when the device is locked. +- When trying to access content on the device remotely. For example, UNC network paths. - Remote Desktop sessions. -- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files. +- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content. ## How to enable PDE 
@@ -85,55 +133,83 @@ To enable PDE on devices, push an MDM policy to the devices with the following p There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it. > [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled. +> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde). ## Differences between PDE and BitLocker +PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security. 
+ | Item | PDE | BitLocker | |--|--|--| -| Release of key | At user sign-in via Windows Hello for Business | At boot | -| Keys discarded | At user sign-out | At reboot | -| Files encrypted | Individual specified files | Entire volume/drive | -| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in | -| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features | +| Release of decryption key | At user sign-in via Windows Hello for Business | At boot | +| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot | +| Files protected | Individual specified files | Entire volume/drive | +| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in | ## Differences between PDE and EFS -The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files. +The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files. -To see if a file is encrypted with PDE or EFS: +To see if a file is protected with PDE or with EFS: 1. Open the properties of the file 2. Under the **General** tab, select **Advanced...** 3. In the **Advanced Attributes** windows, select **Details** -For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. 
+For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. -For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. +For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. -Encryption information including what encryption method is being used can be obtained with the command line `cipher.exe /c` command. +Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command. -## Disable PDE and decrypt files +## Disable PDE and decrypt content -Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps: +Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: + +- Name: **Personal Data Encryption** +- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** +- Data type: **Integer** +- Value: **0** + +Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps: 1. Open the properties of the file 2. 
Under the **General** tab, select **Advanced...** 3. Uncheck the option **Encrypt contents to secure data** 4. Select **OK**, and then **OK** again -> [!Important] -> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again. +PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios: + +- Decrypting a large number of files on a device +- Decrypting files on a large number of devices. + +To decrypt files on a device using `cipher.exe`: + +- Decrypt all files under a directory including subdirectories: + + ```cmd + cipher.exe /d /s: + ``` + +- Decrypt a single file or all of the files in the specified directory, but not any subdirectories: + + ```cmd + cipher.exe /d + ``` + +> [!IMPORTANT] +> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. ## Windows out of box applications that support PDE Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE. - Mail - - Supports encrypting both email bodies and attachments + - Supports protecting both email bodies and attachments ## See also + - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index edae4a8bb0..9b46b2d3a3 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml 
@@ -1,17 +1,14 @@
 ### YamlMime:FAQ
 metadata:
- title: Advanced security auditing FAQ (Windows 10)
+ title: Advanced security auditing FAQ
 description: This article lists common questions and answers about understanding, deploying, and managing security audit policies.
 ms.prod: windows-client
- ms.technology: mde
- ms.localizationpriority: none
- author: dansimp
- ms.author: dansimp
+ author: vinaypamnani-msft
+ ms.author: vinpa
 manager: aaroncz
- ms.reviewer:
- ms.collection: M365-security-compliance
 ms.topic: faq
 ms.date: 05/24/2022
+ ms.technology: itpro-security
 title: Advanced security auditing FAQ
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index 3838e0f0f4..eb734ebf54 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Appendix A: Security monitoring recommendations for many audit events
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index 9d49394e56..f2cf0cc5ec 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Account Lockout
diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
index f7ca99507d..36f8f451a0 100644
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ b/windows/security/threat-protection/auditing/audit-application-generated.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Application Generated
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
index 706551065b..cb91f3fa61 100644
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Application Group Management
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index aaf65be8db..c5cdf8c616 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Audit Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
index 6754a2796a..318f08b516 100644
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Authentication Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index e8c3a7d588..b7fd89b268 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Authorization Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
index 5e92817efe..62ac5c925c 100644
--- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
+++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Central Access Policy Staging
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index bc1ec469f1..889edc295b 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Certification Services
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
index 8c42317e94..63ad7eaac9 100644
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Computer Account Management
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
index b04f1cb5a9..a5a9dc7158 100644
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Credential Validation
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
index 72f481f66b..7fffbad3df 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Detailed Directory Service Replication
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index 16b1667db6..9ec6b5c148 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Detailed File Share
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index a70119e0d5..e58853650d 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Directory Service Access
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
index 5aa0e36978..c9485389e9 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Directory Service Changes
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
index f9c45299fe..046dd9a1e7 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Directory Service Replication
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
index 23341f0d60..8eb5bb988c 100644
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Distribution Group Management
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index bc24e85d75..79dbf17692 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit DPAPI Activity
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
index 59c2d6638e..577c138f46 100644
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-file-share.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit File Share
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index c9a66ed82e..037faaf8f4 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit File System
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index 7984928783..5877ab26f1 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Filtering Platform Connection
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index 15c0bc27d2..9003cab47c 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Filtering Platform Packet Drop
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index b8f192cccd..1a4cab1153 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Filtering Platform Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index b3740aca1a..9f32d9d336 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Group Membership
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index c468ff02f3..50470902eb 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Handle Manipulation
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index dc52d2d90e..cfcefafd36 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit IPsec Driver
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index 92e2d71f5e..33bfbb485d 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit IPsec Extended Mode
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
index 965715efa2..7f1d59e38c 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit IPsec Main Mode
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index 7a8be4ff82..869e1f4dcf 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit IPsec Quick Mode
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
index 98a1c8f558..4ed0bce866 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Kerberos Authentication Service
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index 135c2882b7..ed3c49dfef 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Kerberos Service Ticket Operations
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index bb5d6d221a..0dd8928c22 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Kernel Object
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index b6108a6488..6a1f7f33ef 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Logoff
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
index 74e7fe7f8f..4b78d70722 100644
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ b/windows/security/threat-protection/auditing/audit-logon.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Logon
diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
index a441c97c4c..4081cf31a9 100644
--- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit MPSSVC Rule-Level Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
index 6c9a0fb877..2501fecc08 100644
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Network Policy Server
diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
index b9920a8900..01b3fb153f 100644
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Non-Sensitive Privilege Use
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index 23ab2587a5..23ee128d63 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Other Account Logon Events
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
index 7d8e27c634..8f3d985309 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Other Account Management Events
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index 43e4b822aa..789ab297be 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Other Logon/Logoff Events
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
index 901c4b5a7e..5dc0923e42 100644
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Other Object Access Events
diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
index 776b3fdec9..d088e9f929 100644
--- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Other Policy Change Events
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
index 97a8de3544..c2487a6b33 100644
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Other Privilege Use Events
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
index 015eb3ddea..63cfb375b0 100644
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-system-events.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Other System Events
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
index da07e88f35..224eae5fcb 100644
--- a/windows/security/threat-protection/auditing/audit-pnp-activity.md
+++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit PNP Activity
diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md
index 3eb6dcf190..07b283ace9 100644
--- a/windows/security/threat-protection/auditing/audit-process-creation.md
+++ b/windows/security/threat-protection/auditing/audit-process-creation.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 03/16/2022
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Process Creation
diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md
index 60a0a05de7..b156ba658a 100644
--- a/windows/security/threat-protection/auditing/audit-process-termination.md
+++ b/windows/security/threat-protection/auditing/audit-process-termination.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Process Termination
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index e67da43c3e..a4423aeb52 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 01/05/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Registry
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
index 4277dd71c8..c9d2586107 100644
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ b/windows/security/threat-protection/auditing/audit-removable-storage.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Removable Storage
diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md
index 27dc6938be..bee389855a 100644
--- a/windows/security/threat-protection/auditing/audit-rpc-events.md
+++ b/windows/security/threat-protection/auditing/audit-rpc-events.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit RPC Events
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
index 1f295079c7..c92e7d5ba5 100644
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ b/windows/security/threat-protection/auditing/audit-sam.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit SAM
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
index 6fe81c704f..0564c257b6 100644
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Security Group Management
diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md
index 94c6d1f229..25686b4f33 100644
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md
+++ b/windows/security/threat-protection/auditing/audit-security-state-change.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Security State Change
diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md
index fbda6e4cbb..72a72a15aa 100644
--- a/windows/security/threat-protection/auditing/audit-security-system-extension.md
+++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Security System Extension
diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
index eb8714f152..c79520f698 100644
--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Sensitive Privilege Use
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
index 8f865d11bc..e9958ffa2e 100644
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ b/windows/security/threat-protection/auditing/audit-special-logon.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit Special Logon
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
index 761abff74a..4a313d8ae0 100644
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit System Integrity
diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md
index 7efa2301e3..2faba55a60 100644
--- a/windows/security/threat-protection/auditing/audit-user-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-user-account-management.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # Audit User Account Management
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index 750c5568ca..e22930f47a 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -13,6 +13,7 @@ ms.localizationpriority: none author: vinaypamnani-msft ms.date: 09/06/2021 ms.technology: itpro-security +ms.topic: reference --- # Audit User/Device Claims diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index b5e2bfaf89..b0606e87da 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 1100(S): The event logging service has shut down. diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index 3da9fc2a33..c319070f2a 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 1102(S): The audit log was cleared. diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index 71e08f1f79..7768b7a43a 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 1104(S): The security log is now full. diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index 6eea66a2d6..2c10dd205e 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 1105(S): Event log automatic backup diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 3ef547a322..3412104704 100644 --- a/windows/security/threat-protection/auditing/event-1108.md +++ b/windows/security/threat-protection/auditing/event-1108.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 1108(S): The event logging service encountered an error while processing an incoming event published from %1. diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 51e0c51819..bbcb45e073 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4608(S): Windows is starting up. diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index cbb410b55d..2307a50732 100644 --- a/windows/security/threat-protection/auditing/event-4610.md +++ b/windows/security/threat-protection/auditing/event-4610.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4610(S): An authentication package has been loaded by the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 0f4b7b7a55..54b57cc223 100644 --- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4611(S): A trusted logon process has been registered with the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 15ba866bce..111fa80c83 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index 1dbbdeeefe..edb915b91d 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4614(S): A notification package has been loaded by the Security Account Manager. diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index d3cd763690..f74209909e 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4615(S): Invalid use of LPC port. diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index dfd4eb58db..166b695ebb 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4616(S): The system time was changed. diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index dcbe79c3ac..f35815a20c 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4618(S): A monitored security event pattern has occurred. diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index 8d85ca11c8..64e4f81134 100644 --- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4621(S): Administrator recovered system from CrashOnAuditFail. diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index b4d338e351..5dc147c077 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4622(S): A security package has been loaded by the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index 9a2a4e5b64..d505b5d9ef 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md 
@@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri +ms.topic: reference --- # 4624(S): An account was successfully logged on. diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 8030b3d479..81657a6361 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri +ms.topic: reference --- # 4625(F): An account failed to log on. diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index d855d40847..addb26abce 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4626(S): User/Device claims information. diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index b86dcd5739..0da1f08aee 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4627(S): Group membership information. diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index 467dedd19f..6d8ed22539 100644 --- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4634(S): An account was logged off. 
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index 9ff4d6507e..64c7e02466 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4647(S): User initiated logoff. diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index b0cab6c7cd..5ffebb9c04 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4648(S): A logon was attempted using explicit credentials. diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index 4447ed9ef5..98a1c9ad18 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4649(S): A replay attack was detected. diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index 4f9aa3d55a..7d974fa3fa 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4656(S, F): A handle to an object was requested. 
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index fbe96e603d..cb4ecc3ae1 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4657(S): A registry value was modified. diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index c577dd8cb1..532558cd00 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4658(S): The handle to an object was closed. diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 52e57a1502..b0124437c6 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4660(S): An object was deleted. diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index bf8b9b0543..383989f443 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4661(S, F): A handle to an object was requested. 
diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index cdc37e9ac3..cf19827489 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4662(S, F): An operation was performed on an object. diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index e92604294e..cf790af491 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4663(S): An attempt was made to access an object. diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 5d20d8cbda..0a27e27f7d 100644 --- a/windows/security/threat-protection/auditing/event-4664.md +++ b/windows/security/threat-protection/auditing/event-4664.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4664(S): An attempt was made to create a hard link. diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 1775901f8b..9509f490e5 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4670(S): Permissions on an object were changed. 
diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index 7a1ee6965a..3215da12d8 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4671(-): An application attempted to access a blocked ordinal through the TBS. diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 25a4365bb7..3b61e352a2 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4672(S): Special privileges assigned to new logon. diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index e4ba4b8a01..e63486e9fa 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4673(S, F): A privileged service was called. diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index 09b8e8a50e..11f8c3fb62 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4674(S, F): An operation was attempted on a privileged object. 
diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index 8a6b84b8e9..6daf08eef3 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4675(S): SIDs were filtered. diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 2416040af7..5742fbd554 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4688(S): A new process has been created. (Windows 10) diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index e64fd85f5a..f2014c9a1e 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4689(S): A process has exited. diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md index 25c57686e5..e0b54b2afe 100644 --- a/windows/security/threat-protection/auditing/event-4690.md +++ b/windows/security/threat-protection/auditing/event-4690.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4690(S): An attempt was made to duplicate a handle to an object. 
diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md index 140889746d..62f92ce75d 100644 --- a/windows/security/threat-protection/auditing/event-4691.md +++ b/windows/security/threat-protection/auditing/event-4691.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4691(S): Indirect access to an object was requested. diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md index ac9b7268ca..fb56e8e4c9 100644 --- a/windows/security/threat-protection/auditing/event-4692.md +++ b/windows/security/threat-protection/auditing/event-4692.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4692(S, F): Backup of data protection master key was attempted. diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md index 219798f08e..bd99d76424 100644 --- a/windows/security/threat-protection/auditing/event-4693.md +++ b/windows/security/threat-protection/auditing/event-4693.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4693(S, F): Recovery of data protection master key was attempted. diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md index dc24a37fc9..f66fb36e4d 100644 --- a/windows/security/threat-protection/auditing/event-4694.md +++ b/windows/security/threat-protection/auditing/event-4694.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4694(S, F): Protection of auditable protected data was attempted. 
diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md index 78c1b43834..68c0ac644a 100644 --- a/windows/security/threat-protection/auditing/event-4695.md +++ b/windows/security/threat-protection/auditing/event-4695.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4695(S, F): Unprotection of auditable protected data was attempted. diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index 16c7a8e333..fc3d8432ee 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4696(S): A primary token was assigned to process. diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md index 348ae3a7a9..5d1072f99b 100644 --- a/windows/security/threat-protection/auditing/event-4697.md +++ b/windows/security/threat-protection/auditing/event-4697.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4697(S): A service was installed in the system. diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md index 7eb2d41a68..cfbe0e3f96 100644 --- a/windows/security/threat-protection/auditing/event-4698.md +++ b/windows/security/threat-protection/auditing/event-4698.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4698(S): A scheduled task was created. 
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md index 258b0a31d3..56935a1da0 100644 --- a/windows/security/threat-protection/auditing/event-4699.md +++ b/windows/security/threat-protection/auditing/event-4699.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4699(S): A scheduled task was deleted. diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md index aa1ef1cc10..3c45c92cf4 100644 --- a/windows/security/threat-protection/auditing/event-4700.md +++ b/windows/security/threat-protection/auditing/event-4700.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4700(S): A scheduled task was enabled. diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md index 11a6147179..0a9639837b 100644 --- a/windows/security/threat-protection/auditing/event-4701.md +++ b/windows/security/threat-protection/auditing/event-4701.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4701(S): A scheduled task was disabled. diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md index a738b7753e..96c7f0b93b 100644 --- a/windows/security/threat-protection/auditing/event-4702.md +++ b/windows/security/threat-protection/auditing/event-4702.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4702(S): A scheduled task was updated. diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index b4571317fc..f10d935aa1 100644 
--- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4703(S): A user right was adjusted. diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index 0780690284..4b0b4ef478 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4704(S): A user right was assigned. diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index afd7149169..c66295ce0d 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4705(S): A user right was removed. diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md index c6ff0bb373..01ce8db4cd 100644 --- a/windows/security/threat-protection/auditing/event-4706.md +++ b/windows/security/threat-protection/auditing/event-4706.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4706(S): A new trust was created to a domain. diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md index 28b13b2cb0..a47a9ea3ea 100644 --- a/windows/security/threat-protection/auditing/event-4707.md +++ b/windows/security/threat-protection/auditing/event-4707.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4707(S): A trust to a domain was removed. diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md index e92aa50675..218134046e 100644 --- a/windows/security/threat-protection/auditing/event-4713.md +++ b/windows/security/threat-protection/auditing/event-4713.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4713(S): Kerberos policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md index 77709fc5c7..fc40a49c6e 100644 --- a/windows/security/threat-protection/auditing/event-4714.md +++ b/windows/security/threat-protection/auditing/event-4714.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4714(S): Encrypted data recovery policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index 82b24bae92..f128397767 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4715(S): The audit policy (SACL) on an object was changed. diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md index f6d57fece2..64f3140ad0 100644 --- a/windows/security/threat-protection/auditing/event-4716.md +++ b/windows/security/threat-protection/auditing/event-4716.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4716(S): Trusted domain information was modified. diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index dc449a8758..8a1f14e022 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4717(S): System security access was granted to an account. diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index 7a47fa5d37..e8ec6b8039 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4718(S): System security access was removed from an account. diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md index 97711ffdf7..dae615acf4 100644 --- a/windows/security/threat-protection/auditing/event-4719.md +++ b/windows/security/threat-protection/auditing/event-4719.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4719(S): System audit policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index bb732fd1dd..b53966664d 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4720(S): A user account was created. diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md index 1d82961714..4388873aa0 100644 --- a/windows/security/threat-protection/auditing/event-4722.md +++ b/windows/security/threat-protection/auditing/event-4722.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4722(S): A user account was enabled. diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md index f63004d706..8b8b7975a1 100644 --- a/windows/security/threat-protection/auditing/event-4723.md +++ b/windows/security/threat-protection/auditing/event-4723.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4723(S, F): An attempt was made to change an account's password. diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md index a36b61acac..00c98b63e4 100644 --- a/windows/security/threat-protection/auditing/event-4724.md +++ b/windows/security/threat-protection/auditing/event-4724.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4724(S, F): An attempt was made to reset an account's password. diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md index 731fa570ad..ad5b546a6d 100644 --- a/windows/security/threat-protection/auditing/event-4725.md +++ b/windows/security/threat-protection/auditing/event-4725.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4725(S): A user account was disabled. diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md index 620ba8bbeb..7df0779c4a 100644 --- a/windows/security/threat-protection/auditing/event-4726.md +++ b/windows/security/threat-protection/auditing/event-4726.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4726(S): A user account was deleted. diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md index 39426b84ac..ca1c673af4 100644 --- a/windows/security/threat-protection/auditing/event-4731.md +++ b/windows/security/threat-protection/auditing/event-4731.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4731(S): A security-enabled local group was created. diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index e68eecbb3d..8afb300906 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4732(S): A member was added to a security-enabled local group. diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index b3dcf94109..3a24b2ef0f 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4733(S): A member was removed from a security-enabled local group. diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md index 2f83cfa9a5..ac2c5d7b93 100644 --- a/windows/security/threat-protection/auditing/event-4734.md +++ b/windows/security/threat-protection/auditing/event-4734.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4734(S): A security-enabled local group was deleted. diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md index f590b87f44..4842263179 100644 --- a/windows/security/threat-protection/auditing/event-4735.md +++ b/windows/security/threat-protection/auditing/event-4735.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4735(S): A security-enabled local group was changed. diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index ef5a72da75..63352ed67e 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4738(S): A user account was changed. diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md index 4ecbfdf064..d43bdb27e2 100644 --- a/windows/security/threat-protection/auditing/event-4739.md +++ b/windows/security/threat-protection/auditing/event-4739.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4739(S): Domain Policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md index 63c75713f7..46c0cdcb9d 100644 --- a/windows/security/threat-protection/auditing/event-4740.md +++ b/windows/security/threat-protection/auditing/event-4740.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4740(S): A user account was locked out. diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index 0152e427a6..5245280f11 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4741(S): A computer account was created. diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index de51f96421..3f5f9c2eb6 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4742(S): A computer account was changed. diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md index cfa007a9b7..50411689a9 100644 --- a/windows/security/threat-protection/auditing/event-4743.md +++ b/windows/security/threat-protection/auditing/event-4743.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4743(S): A computer account was deleted. 
diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md index f49d9f6c7c..8293c95b2b 100644 --- a/windows/security/threat-protection/auditing/event-4749.md +++ b/windows/security/threat-protection/auditing/event-4749.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4749(S): A security-disabled global group was created. diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md index aa3be8fba0..d106e10077 100644 --- a/windows/security/threat-protection/auditing/event-4750.md +++ b/windows/security/threat-protection/auditing/event-4750.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4750(S): A security-disabled global group was changed. diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index fdd8a37fcc..e3bdca780e 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4751(S): A member was added to a security-disabled global group. diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index d49e422f9e..f6b4fc37dd 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4752(S): A member was removed from a security-disabled global group. 
diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md index b5f941a040..6bdf28a86b 100644 --- a/windows/security/threat-protection/auditing/event-4753.md +++ b/windows/security/threat-protection/auditing/event-4753.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4753(S): A security-disabled global group was deleted. diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md index 85824b3df3..f959fc103a 100644 --- a/windows/security/threat-protection/auditing/event-4764.md +++ b/windows/security/threat-protection/auditing/event-4764.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4764(S): A group’s type was changed. diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md index cf78144c6a..5789319e57 100644 --- a/windows/security/threat-protection/auditing/event-4765.md +++ b/windows/security/threat-protection/auditing/event-4765.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4765(S): SID History was added to an account. diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md index 4178c53a80..4d0ec7ae25 100644 --- a/windows/security/threat-protection/auditing/event-4766.md +++ b/windows/security/threat-protection/auditing/event-4766.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4766(F): An attempt to add SID History to an account failed. 
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md index 21beb6c3ec..9dbf921ebf 100644 --- a/windows/security/threat-protection/auditing/event-4767.md +++ b/windows/security/threat-protection/auditing/event-4767.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4767(S): A user account was unlocked. diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 1eded19698..936074fc72 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4768(S, F): A Kerberos authentication ticket (TGT) was requested. diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index bcf3312248..e82434467c 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4769(S, F): A Kerberos service ticket was requested. diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md index b24835b3ba..2027d8504f 100644 --- a/windows/security/threat-protection/auditing/event-4770.md +++ b/windows/security/threat-protection/auditing/event-4770.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4770(S): A Kerberos service ticket was renewed. 
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 0d4c72e45f..3ca1095e98 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri +ms.topic: reference --- # 4771(F): Kerberos pre-authentication failed. diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md index 54fdd53057..3c378ccc0b 100644 --- a/windows/security/threat-protection/auditing/event-4772.md +++ b/windows/security/threat-protection/auditing/event-4772.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4772(F): A Kerberos authentication ticket request failed. diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md index e3ad7e5b20..30c32b9f8d 100644 --- a/windows/security/threat-protection/auditing/event-4773.md +++ b/windows/security/threat-protection/auditing/event-4773.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4773(F): A Kerberos service ticket request failed. diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md index 4cf831e05b..2f9b37c352 100644 --- a/windows/security/threat-protection/auditing/event-4774.md +++ b/windows/security/threat-protection/auditing/event-4774.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4774(S, F): An account was mapped for logon 
diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md index 285efe300f..8281bb27e5 100644 --- a/windows/security/threat-protection/auditing/event-4775.md +++ b/windows/security/threat-protection/auditing/event-4775.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4775(F): An account could not be mapped for logon. diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index cebb01a7c7..e411b647ce 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -14,6 +14,7 @@ ms.author: vinpa ms.technology: itpro-security ms.collection: - highpri +ms.topic: reference --- # 4776(S, F): The computer attempted to validate the credentials for an account. diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md index 21749ac3ac..e534dbee25 100644 --- a/windows/security/threat-protection/auditing/event-4777.md +++ b/windows/security/threat-protection/auditing/event-4777.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4777(F): The domain controller failed to validate the credentials for an account. diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index f9f3175763..76aac3738e 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4778(S): A session was reconnected to a Window Station. 
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 4edf0f6668..7f6568c1cb 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4779(S): A session was disconnected from a Window Station. diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md index 982fa983de..5195929a0e 100644 --- a/windows/security/threat-protection/auditing/event-4780.md +++ b/windows/security/threat-protection/auditing/event-4780.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4780(S): The ACL was set on accounts which are members of administrators groups. diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md index 856cd7cb4b..fc2aaffc53 100644 --- a/windows/security/threat-protection/auditing/event-4781.md +++ b/windows/security/threat-protection/auditing/event-4781.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4781(S): The name of an account was changed. diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index 3a6d312600..a0615135c6 100644 --- a/windows/security/threat-protection/auditing/event-4782.md +++ b/windows/security/threat-protection/auditing/event-4782.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4782(S): The password hash of an account was accessed. 
diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md index 7c64bea4eb..cc197ccb60 100644 --- a/windows/security/threat-protection/auditing/event-4793.md +++ b/windows/security/threat-protection/auditing/event-4793.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4793(S): The Password Policy Checking API was called. diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md index 8519e79e9d..6bcb12e02c 100644 --- a/windows/security/threat-protection/auditing/event-4794.md +++ b/windows/security/threat-protection/auditing/event-4794.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md index 396f15d0b2..696366f22d 100644 --- a/windows/security/threat-protection/auditing/event-4798.md +++ b/windows/security/threat-protection/auditing/event-4798.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4798(S): A user's local group membership was enumerated. diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md index ad750b391e..1cf362be1d 100644 --- a/windows/security/threat-protection/auditing/event-4799.md +++ b/windows/security/threat-protection/auditing/event-4799.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4799(S): A security-enabled local group membership was enumerated. 
diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md index 87f46d5a18..89c94ade64 100644 --- a/windows/security/threat-protection/auditing/event-4800.md +++ b/windows/security/threat-protection/auditing/event-4800.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4800(S): The workstation was locked. diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md index f94c08e08f..906e46fcd3 100644 --- a/windows/security/threat-protection/auditing/event-4801.md +++ b/windows/security/threat-protection/auditing/event-4801.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4801(S): The workstation was unlocked. diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md index 6590d5bd4b..1b423f29ee 100644 --- a/windows/security/threat-protection/auditing/event-4802.md +++ b/windows/security/threat-protection/auditing/event-4802.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4802(S): The screen saver was invoked. diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md index 2c0e8d441b..247e3c704d 100644 --- a/windows/security/threat-protection/auditing/event-4803.md +++ b/windows/security/threat-protection/auditing/event-4803.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4803(S): The screen saver was dismissed. diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md index 8d61ef6f9a..8636e1abef 100644 
--- a/windows/security/threat-protection/auditing/event-4816.md +++ b/windows/security/threat-protection/auditing/event-4816.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4816(S): RPC detected an integrity violation while decrypting an incoming message. diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index 2cb3ae3794..ff20520062 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4817(S): Auditing settings on object were changed. diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md index 25c2111bd2..c884c2e7a8 100644 --- a/windows/security/threat-protection/auditing/event-4818.md +++ b/windows/security/threat-protection/auditing/event-4818.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md index 69743c28c7..e8bca4427e 100644 --- a/windows/security/threat-protection/auditing/event-4819.md +++ b/windows/security/threat-protection/auditing/event-4819.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4819(S): Central Access Policies on the machine have been changed. diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index 914961945b..001e6c6026 100644 
--- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4826(S): Boot Configuration Data loaded. diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index e70836a75b..a26b552f4a 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4864(S): A namespace collision was detected. diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md index 76624588fc..aa44c9bb6a 100644 --- a/windows/security/threat-protection/auditing/event-4865.md +++ b/windows/security/threat-protection/auditing/event-4865.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4865(S): A trusted forest information entry was added. diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md index 1e1b870506..1fcc07f446 100644 --- a/windows/security/threat-protection/auditing/event-4866.md +++ b/windows/security/threat-protection/auditing/event-4866.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4866(S): A trusted forest information entry was removed. diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md index 24063dad9d..ce30699bfa 100644 --- a/windows/security/threat-protection/auditing/event-4867.md +++ b/windows/security/threat-protection/auditing/event-4867.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4867(S): A trusted forest information entry was modified. diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md index 5b2a94af52..7185b9f3da 100644 --- a/windows/security/threat-protection/auditing/event-4902.md +++ b/windows/security/threat-protection/auditing/event-4902.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4902(S): The Per-user audit policy table was created. diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md index fd9ee497a2..90858c5844 100644 --- a/windows/security/threat-protection/auditing/event-4904.md +++ b/windows/security/threat-protection/auditing/event-4904.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4904(S): An attempt was made to register a security event source. diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md index c8ba9bb9c9..14eb6cfa8b 100644 --- a/windows/security/threat-protection/auditing/event-4905.md +++ b/windows/security/threat-protection/auditing/event-4905.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4905(S): An attempt was made to unregister a security event source. diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md index 4913d0d431..2058342aa0 100644 --- a/windows/security/threat-protection/auditing/event-4906.md +++ b/windows/security/threat-protection/auditing/event-4906.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4906(S): The CrashOnAuditFail value has changed. diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index 70de13eecf..c38b66d51b 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4907(S): Auditing settings on object were changed. diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index b5351ecbd4..3314e94436 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4908(S): Special Groups Logon table modified. diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md index ab35104b88..8a8631489a 100644 --- a/windows/security/threat-protection/auditing/event-4909.md +++ b/windows/security/threat-protection/auditing/event-4909.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4909(-): The local policy settings for the TBS were changed. diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md index 2e46e4e49e..15276f29ce 100644 --- a/windows/security/threat-protection/auditing/event-4910.md +++ b/windows/security/threat-protection/auditing/event-4910.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4910(-): The group policy settings for the TBS were changed. diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index b72644a868..abc112dbb4 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4911(S): Resource attributes of the object were changed. diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index 3ac8a96880..0c0e66f90e 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4912(S): Per User Audit Policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 949b10bd58..e15a691617 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4913(S): Central Access Policy on the object was changed. diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index d39db3ef25..902113bb5c 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md 
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4928(S, F): An Active Directory replica source naming context was established. diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index 596b209eb4..3fd978d0e3 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4929(S, F): An Active Directory replica source naming context was removed. diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index e66843285f..1b7bee26bf 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4930(S, F): An Active Directory replica source naming context was modified. diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index 27be6fe7ed..75acecb89f 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 4931(S, F): An Active Directory replica destination naming context was modified. diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md index 71e22cd118..4cdd6b7bdd 100644 --- a/windows/security/threat-protection/auditing/event-4932.md +++ b/windows/security/threat-protection/auditing/event-4932.md 
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4932(S): Synchronization of a replica of an Active Directory naming context has begun.
diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md
index 3937b0e178..b1636e8e63 100644
--- a/windows/security/threat-protection/auditing/event-4933.md
+++ b/windows/security/threat-protection/auditing/event-4933.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md
index 90e2db1e04..efafcb9b79 100644
--- a/windows/security/threat-protection/auditing/event-4934.md
+++ b/windows/security/threat-protection/auditing/event-4934.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4934(S): Attributes of an Active Directory object were replicated.
diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
index 79ef8d6e1c..a126742afb 100644
--- a/windows/security/threat-protection/auditing/event-4935.md
+++ b/windows/security/threat-protection/auditing/event-4935.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4935(F): Replication failure begins.
diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
index 16a640d3bb..e2818ec6ee 100644
--- a/windows/security/threat-protection/auditing/event-4936.md
+++ b/windows/security/threat-protection/auditing/event-4936.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4936(S): Replication failure ends.
diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md
index 731aceca7a..8296ce75c4 100644
--- a/windows/security/threat-protection/auditing/event-4937.md
+++ b/windows/security/threat-protection/auditing/event-4937.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4937(S): A lingering object was removed from a replica.
diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md
index 7db0bee853..bb08c3a077 100644
--- a/windows/security/threat-protection/auditing/event-4944.md
+++ b/windows/security/threat-protection/auditing/event-4944.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4944(S): The following policy was active when the Windows Firewall started.
diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md
index 8d73c9f148..852ed5f03e 100644
--- a/windows/security/threat-protection/auditing/event-4945.md
+++ b/windows/security/threat-protection/auditing/event-4945.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4945(S): A rule was listed when the Windows Firewall started.
diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md
index d2fafe1dfc..ab355b85c1 100644
--- a/windows/security/threat-protection/auditing/event-4946.md
+++ b/windows/security/threat-protection/auditing/event-4946.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4946(S): A change has been made to Windows Firewall exception list. A rule was added.
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
index 674449382b..284d2d4303 100644
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ b/windows/security/threat-protection/auditing/event-4947.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md
index 43acd0b7a9..da8f423b29 100644
--- a/windows/security/threat-protection/auditing/event-4948.md
+++ b/windows/security/threat-protection/auditing/event-4948.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted.
diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md
index 81db5c36c6..528ad262bb 100644
--- a/windows/security/threat-protection/auditing/event-4949.md
+++ b/windows/security/threat-protection/auditing/event-4949.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4949(S): Windows Firewall settings were restored to the default values.
diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md
index b4bd969a10..8a3aa4274a 100644
--- a/windows/security/threat-protection/auditing/event-4950.md
+++ b/windows/security/threat-protection/auditing/event-4950.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4950(S): A Windows Firewall setting has changed.
diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md
index f585ac4615..7addb69d77 100644
--- a/windows/security/threat-protection/auditing/event-4951.md
+++ b/windows/security/threat-protection/auditing/event-4951.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall.
diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md
index f95423f1c1..1dd166db54 100644
--- a/windows/security/threat-protection/auditing/event-4952.md
+++ b/windows/security/threat-protection/auditing/event-4952.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
index dfce2c4545..5a5a97d56a 100644
--- a/windows/security/threat-protection/auditing/event-4953.md
+++ b/windows/security/threat-protection/auditing/event-4953.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4953(F): Windows Firewall ignored a rule because it couldn't be parsed.
diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md
index 09f0a2ce76..07977d6aff 100644
--- a/windows/security/threat-protection/auditing/event-4954.md
+++ b/windows/security/threat-protection/auditing/event-4954.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md
index 2344350879..105b780984 100644
--- a/windows/security/threat-protection/auditing/event-4956.md
+++ b/windows/security/threat-protection/auditing/event-4956.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4956(S): Windows Firewall has changed the active profile.
diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md
index c408811451..49fae3fef5 100644
--- a/windows/security/threat-protection/auditing/event-4957.md
+++ b/windows/security/threat-protection/auditing/event-4957.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4957(F): Windows Firewall did not apply the following rule.
diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md
index e05fc62bfa..45964176a6 100644
--- a/windows/security/threat-protection/auditing/event-4958.md
+++ b/windows/security/threat-protection/auditing/event-4958.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md
index 6c8452f0d6..51893d2572 100644
--- a/windows/security/threat-protection/auditing/event-4964.md
+++ b/windows/security/threat-protection/auditing/event-4964.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4964(S): Special groups have been assigned to a new logon.
diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md
index b5cdedc6a7..8150e62b11 100644
--- a/windows/security/threat-protection/auditing/event-4985.md
+++ b/windows/security/threat-protection/auditing/event-4985.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 4985(S): The state of a transaction has changed.
diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md
index c6f473df75..9e06608869 100644
--- a/windows/security/threat-protection/auditing/event-5024.md
+++ b/windows/security/threat-protection/auditing/event-5024.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5024(S): The Windows Firewall Service has started successfully.
diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md
index 4dd4c320c6..9ae2fe14d0 100644
--- a/windows/security/threat-protection/auditing/event-5025.md
+++ b/windows/security/threat-protection/auditing/event-5025.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5025(S): The Windows Firewall Service has been stopped.
diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md
index 652dac8c47..d654b82a01 100644
--- a/windows/security/threat-protection/auditing/event-5027.md
+++ b/windows/security/threat-protection/auditing/event-5027.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md
index 6650d79ec5..bf9c62d91a 100644
--- a/windows/security/threat-protection/auditing/event-5028.md
+++ b/windows/security/threat-protection/auditing/event-5028.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md
index 7ca1bb4522..4a36c10d4d 100644
--- a/windows/security/threat-protection/auditing/event-5029.md
+++ b/windows/security/threat-protection/auditing/event-5029.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md
index 24660d6d45..aa78cb3b62 100644
--- a/windows/security/threat-protection/auditing/event-5030.md
+++ b/windows/security/threat-protection/auditing/event-5030.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5030(F): The Windows Firewall Service failed to start.
diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md
index c328c46107..04c03b1ee6 100644
--- a/windows/security/threat-protection/auditing/event-5031.md
+++ b/windows/security/threat-protection/auditing/event-5031.md
@@ -12,6 +12,7 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/08/2021
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md
index 231acb67b1..af43e8ea73 100644
--- a/windows/security/threat-protection/auditing/event-5032.md
+++ b/windows/security/threat-protection/auditing/event-5032.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md
index ce127dad94..467ba04e40 100644
--- a/windows/security/threat-protection/auditing/event-5033.md
+++ b/windows/security/threat-protection/auditing/event-5033.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5033(S): The Windows Firewall Driver has started successfully.
diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md
index 52c8c2522d..dc2d097c4a 100644
--- a/windows/security/threat-protection/auditing/event-5034.md
+++ b/windows/security/threat-protection/auditing/event-5034.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5034(S): The Windows Firewall Driver was stopped.
diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md
index 3cf63d5224..88a49892a6 100644
--- a/windows/security/threat-protection/auditing/event-5035.md
+++ b/windows/security/threat-protection/auditing/event-5035.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5035(F): The Windows Firewall Driver failed to start.
diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md
index bf6d42a9ef..f25a054fe7 100644
--- a/windows/security/threat-protection/auditing/event-5037.md
+++ b/windows/security/threat-protection/auditing/event-5037.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating.
diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md
index 3b4aa0d998..e824e93afe 100644
--- a/windows/security/threat-protection/auditing/event-5038.md
+++ b/windows/security/threat-protection/auditing/event-5038.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
index e1f249411a..7bf2bf5471 100644
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ b/windows/security/threat-protection/auditing/event-5039.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5039(-): A registry key was virtualized.
diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
index 79d4e4b789..38a07353b3 100644
--- a/windows/security/threat-protection/auditing/event-5051.md
+++ b/windows/security/threat-protection/auditing/event-5051.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5051(-): A file was virtualized.
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
index bac056b217..3711acef2d 100644
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ b/windows/security/threat-protection/auditing/event-5056.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5056(S): A cryptographic self-test was performed.
diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md
index 2013fda273..4fc7113c1b 100644
--- a/windows/security/threat-protection/auditing/event-5057.md
+++ b/windows/security/threat-protection/auditing/event-5057.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5057(F): A cryptographic primitive operation failed.
diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
index 2dae2d1e2f..b95c545e7c 100644
--- a/windows/security/threat-protection/auditing/event-5058.md
+++ b/windows/security/threat-protection/auditing/event-5058.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5058(S, F): Key file operation.
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
index 26cd95b0d4..cdbae47721 100644
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ b/windows/security/threat-protection/auditing/event-5059.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5059(S, F): Key migration operation.
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index 1a65f76633..60ec2cbd3e 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5060(F): Verification operation failed.
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
index d47254485f..802ee6cc60 100644
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ b/windows/security/threat-protection/auditing/event-5061.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5061(S, F): Cryptographic operation.
diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md
index 08b0f7bce0..a76dabb95e 100644
--- a/windows/security/threat-protection/auditing/event-5062.md
+++ b/windows/security/threat-protection/auditing/event-5062.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5062(S): A kernel-mode cryptographic self-test was performed.
diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md
index 784019bc18..41ac047786 100644
--- a/windows/security/threat-protection/auditing/event-5063.md
+++ b/windows/security/threat-protection/auditing/event-5063.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5063(S, F): A cryptographic provider operation was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md
index 807d3ee45d..3467a2816a 100644
--- a/windows/security/threat-protection/auditing/event-5064.md
+++ b/windows/security/threat-protection/auditing/event-5064.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5064(S, F): A cryptographic context operation was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index 3e978d64a3..66bfddb1d1 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5065(S, F): A cryptographic context modification was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md
index e834a9e584..62a0920fb7 100644
--- a/windows/security/threat-protection/auditing/event-5066.md
+++ b/windows/security/threat-protection/auditing/event-5066.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5066(S, F): A cryptographic function operation was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md
index 5aa395a688..78cd9d24aa 100644
--- a/windows/security/threat-protection/auditing/event-5067.md
+++ b/windows/security/threat-protection/auditing/event-5067.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5067(S, F): A cryptographic function modification was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md
index 814ea02d50..791301bc3b 100644
--- a/windows/security/threat-protection/auditing/event-5068.md
+++ b/windows/security/threat-protection/auditing/event-5068.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5068(S, F): A cryptographic function provider operation was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md
index b8d6466c09..9894285dad 100644
--- a/windows/security/threat-protection/auditing/event-5069.md
+++ b/windows/security/threat-protection/auditing/event-5069.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5069(S, F): A cryptographic function property operation was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md
index 1232c68bd4..ba4785e01b 100644
--- a/windows/security/threat-protection/auditing/event-5070.md
+++ b/windows/security/threat-protection/auditing/event-5070.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5070(S, F): A cryptographic function property modification was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
index 97f862f3a6..97c0977a60 100644
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ b/windows/security/threat-protection/auditing/event-5136.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5136(S): A directory service object was modified.
diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md
index 072f6dede2..bed5eae208 100644
--- a/windows/security/threat-protection/auditing/event-5137.md
+++ b/windows/security/threat-protection/auditing/event-5137.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5137(S): A directory service object was created.
diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md
index 5fcb9a3381..12d981909a 100644
--- a/windows/security/threat-protection/auditing/event-5138.md
+++ b/windows/security/threat-protection/auditing/event-5138.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5138(S): A directory service object was undeleted.
diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md
index e89fd1eb91..6799a4e50d 100644
--- a/windows/security/threat-protection/auditing/event-5139.md
+++ b/windows/security/threat-protection/auditing/event-5139.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5139(S): A directory service object was moved.
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
index 5d72bf2c8c..522cf1b652 100644
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ b/windows/security/threat-protection/auditing/event-5140.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5140(S, F): A network share object was accessed.
diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md
index d7ba9c67d4..046ca20f9d 100644
--- a/windows/security/threat-protection/auditing/event-5141.md
+++ b/windows/security/threat-protection/auditing/event-5141.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5141(S): A directory service object was deleted.
diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
index 6930a066d4..3a69208c29 100644
--- a/windows/security/threat-protection/auditing/event-5142.md
+++ b/windows/security/threat-protection/auditing/event-5142.md
@@ -12,6 +12,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.topic: reference
 ---
 
 # 5142(S): A network share object was added.
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index ccfe6641b0..e92068c93a 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5143(S): A network share object was modified.
diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
index 69aa754e48..da401f212d 100644
--- a/windows/security/threat-protection/auditing/event-5144.md
+++ b/windows/security/threat-protection/auditing/event-5144.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5144(S): A network share object was deleted.
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
index 8f47f2b4d1..02c531c5fd 100644
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ b/windows/security/threat-protection/auditing/event-5145.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5145(S, F): A network share object was checked to see whether client can be granted desired access.
diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md
index bb9ab2267c..5442a8a705 100644
--- a/windows/security/threat-protection/auditing/event-5148.md
+++ b/windows/security/threat-protection/auditing/event-5148.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md
index 0e4b73fcde..7e0dc6dd45 100644
--- a/windows/security/threat-protection/auditing/event-5149.md
+++ b/windows/security/threat-protection/auditing/event-5149.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5149(F): The DoS attack has subsided and normal processing is being resumed.
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
index f1310cde61..80c82d807e 100644
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ b/windows/security/threat-protection/auditing/event-5150.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5150(-): The Windows Filtering Platform blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
index bf55e6a6eb..6b7d1453bf 100644
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ b/windows/security/threat-protection/auditing/event-5151.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index 27438881cb..e5a76da383 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5152(F): The Windows Filtering Platform blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md
index f7a61cc8fe..a321b76f20 100644
--- a/windows/security/threat-protection/auditing/event-5153.md
+++ b/windows/security/threat-protection/auditing/event-5153.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index 2002fbb907..9b2425ff9c 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
index 94377b1098..e6efebdae1 100644
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ b/windows/security/threat-protection/auditing/event-5155.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index fbe87f79bc..3d56301b24 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5156(S): The Windows Filtering Platform has permitted a connection.
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index 6967921a48..4f62c99d51 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5157(F): The Windows Filtering Platform has blocked a connection.
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index af16821b1f..cbc0d2d4ee 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index 5ecd816d89..ffe34518c5 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5159(F): The Windows Filtering Platform has blocked a bind to a local port.
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
index 3b59d54629..f0ae1f47a8 100644
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ b/windows/security/threat-protection/auditing/event-5168.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5168(F): SPN check for SMB/SMB2 failed.
diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
index 3145af538e..ee08c45c93 100644
--- a/windows/security/threat-protection/auditing/event-5376.md
+++ b/windows/security/threat-protection/auditing/event-5376.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5376(S): Credential Manager credentials were backed up.
diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
index a60bd13f29..a6f12f74f5 100644
--- a/windows/security/threat-protection/auditing/event-5377.md
+++ b/windows/security/threat-protection/auditing/event-5377.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5377(S): Credential Manager credentials were restored from a backup.
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
index 64f48471be..b6391769da 100644
--- a/windows/security/threat-protection/auditing/event-5378.md
+++ b/windows/security/threat-protection/auditing/event-5378.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5378(F): The requested credentials delegation was disallowed by policy.
diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
index 732d1ae81e..96b013cf8c 100644
--- a/windows/security/threat-protection/auditing/event-5447.md
+++ b/windows/security/threat-protection/auditing/event-5447.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5447(S): A Windows Filtering Platform filter has been changed.
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
index b5af7f21a3..676a79172e 100644
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ b/windows/security/threat-protection/auditing/event-5632.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5632(S, F): A request was made to authenticate to a wireless network.
diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
index 1583b0b945..e661c80301 100644
--- a/windows/security/threat-protection/auditing/event-5633.md
+++ b/windows/security/threat-protection/auditing/event-5633.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5633(S, F): A request was made to authenticate to a wired network.
diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md
index d0dc85fe45..32d5ba732a 100644
--- a/windows/security/threat-protection/auditing/event-5712.md
+++ b/windows/security/threat-protection/auditing/event-5712.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5712(S): A Remote Procedure Call (RPC) was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
index 5c45a9698a..72e18b5e28 100644
--- a/windows/security/threat-protection/auditing/event-5888.md
+++ b/windows/security/threat-protection/auditing/event-5888.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5888(S): An object in the COM+ Catalog was modified.
diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
index 3b60e803d9..178ec29a4f 100644
--- a/windows/security/threat-protection/auditing/event-5889.md
+++ b/windows/security/threat-protection/auditing/event-5889.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5889(S): An object was deleted from the COM+ Catalog.
diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
index 09c79bee05..4f473d2a4e 100644
--- a/windows/security/threat-protection/auditing/event-5890.md
+++ b/windows/security/threat-protection/auditing/event-5890.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 5890(S): An object was added to the COM+ Catalog.
diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md
index dfad64c1da..3eb1181321 100644
--- a/windows/security/threat-protection/auditing/event-6144.md
+++ b/windows/security/threat-protection/auditing/event-6144.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6144(S): Security policy in the group policy objects has been applied successfully.
diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
index 60ed2e8ad8..b062b5e023 100644
--- a/windows/security/threat-protection/auditing/event-6145.md
+++ b/windows/security/threat-protection/auditing/event-6145.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6145(F): One or more errors occurred while processing security policy in the group policy objects.
diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
index 76f546a222..38f432d51a 100644
--- a/windows/security/threat-protection/auditing/event-6281.md
+++ b/windows/security/threat-protection/auditing/event-6281.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6281(F): Code Integrity determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index d8bcc6f1c7..a588c35204 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index 3e60d3515a..82502eb7ff 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6401(-): BranchCache: Received invalid data from a peer. Data discarded.
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index 3148f9b03e..d5d3febf63 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index ad426fdacc..2f9d945388 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index e2fed0d583..f37bea1b9e 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
index 48746ad277..1feed0f6a6 100644
--- a/windows/security/threat-protection/auditing/event-6405.md
+++ b/windows/security/threat-protection/auditing/event-6405.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6405(-): BranchCache: %2 instance(s) of event id %1 occurred.
diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
index 42541a3842..fdd75af38b 100644
--- a/windows/security/threat-protection/auditing/event-6406.md
+++ b/windows/security/threat-protection/auditing/event-6406.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2.
diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
index 68aba98482..c2f279466e 100644
--- a/windows/security/threat-protection/auditing/event-6407.md
+++ b/windows/security/threat-protection/auditing/event-6407.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6407(-): 1%.
diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md
index 28c11c16f5..36f25a9b69 100644
--- a/windows/security/threat-protection/auditing/event-6408.md
+++ b/windows/security/threat-protection/auditing/event-6408.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
index c1c419c09d..3f406625b5 100644
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ b/windows/security/threat-protection/auditing/event-6409.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6409(-): BranchCache: A service connection point object could not be parsed.
diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md
index b921dbea1c..958db95565 100644
--- a/windows/security/threat-protection/auditing/event-6410.md
+++ b/windows/security/threat-protection/auditing/event-6410.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md
index 7d254bf9ef..64cdb17ee1 100644
--- a/windows/security/threat-protection/auditing/event-6416.md
+++ b/windows/security/threat-protection/auditing/event-6416.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6416(S): A new external device was recognized by the System.
diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md
index 108315501c..7368059899 100644
--- a/windows/security/threat-protection/auditing/event-6419.md
+++ b/windows/security/threat-protection/auditing/event-6419.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6419(S): A request was made to disable a device.
diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
index 2efdfa78aa..2c7166a78d 100644
--- a/windows/security/threat-protection/auditing/event-6420.md
+++ b/windows/security/threat-protection/auditing/event-6420.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6420(S): A device was disabled.
diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md
index 3780d8b15e..ae72b11254 100644
--- a/windows/security/threat-protection/auditing/event-6421.md
+++ b/windows/security/threat-protection/auditing/event-6421.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6421(S): A request was made to enable a device.
diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
index 02752c9163..bf594b6937 100644
--- a/windows/security/threat-protection/auditing/event-6422.md
+++ b/windows/security/threat-protection/auditing/event-6422.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6422(S): A device was enabled.
diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md
index 5e62ebe6c7..4f7fcb614c 100644
--- a/windows/security/threat-protection/auditing/event-6423.md
+++ b/windows/security/threat-protection/auditing/event-6423.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6423(S): The installation of this device is forbidden by system policy.
diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md
index 699e5ad030..10d33c2820 100644
--- a/windows/security/threat-protection/auditing/event-6424.md
+++ b/windows/security/threat-protection/auditing/event-6424.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # 6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
index 4ee793c896..d2af1d3d31 100644
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: how-to --- # How to get a list of XML data name elements in EventData
diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md
index 6854674959..800961629e 100644
--- a/windows/security/threat-protection/auditing/other-events.md
+++ b/windows/security/threat-protection/auditing/other-events.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # Other Events
diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
index b13c6f8d8c..fdc4c5d757 100644
--- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -9,6 +9,7 @@ ms.author: dansimp ms.date: 08/14/2017 ms.localizationpriority: medium ms.technology: itpro-security +ms.topic: reference --- # Block untrusted fonts in an enterprise
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index c71d2b029e..5ab3f50909 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -13,6 +13,7 @@ ms.reviewer: manager: aaroncz ms.custom: sasr ms.technology: itpro-security +ms.topic: how-to --- # Configure Microsoft Defender Application Guard policy settings
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index b4fb01a3c6..765a61fcb9 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -15,6 +15,7 @@ ms.custom: asr ms.technology: itpro-security ms.collection: - highpri +ms.topic: how-to --- # Prepare to install Microsoft Defender Application Guard
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
index 631bbc75fd..0f2bca60b2 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -10,6 +10,7 @@ ms.reviewer: manager: aaroncz ms.custom: asr ms.technology: itpro-security +ms.topic: conceptual --- # Microsoft Defender Application Guard Extension
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 1ba47ee970..6b284c9344 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -15,6 +15,7 @@ ms.custom: asr ms.technology: itpro-security ms.collection: - highpri +ms.topic: conceptual --- # Microsoft Defender Application Guard overview
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index d8461e69f2..4357712bc7 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -10,6 +10,7 @@ ms.reviewer: sazankha manager: aaroncz ms.date: 09/23/2022 ms.custom: asr +ms.topic: conceptual --- # Application Guard testing scenarios
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 5d2279fcc0..8723d513d2 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: reference --- # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings **Applies to:**
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
index 4d099ef9e6..0ee92c6736 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
@@ -12,6 +12,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: how-to --- # Set up and use Microsoft Defender SmartScreen on individual devices
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
index db57203dd5..8597ee9893 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
@@ -12,6 +12,7 @@ ms.date: 10/07/2022 adobe-target: true appliesto: - ✅ Windows 11, version 22H2 +ms.topic: conceptual --- # Enhanced Phishing Protection in Microsoft Defender SmartScreen
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index ae2b7dcea6..fa79c1116f 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -9,6 +9,7 @@ author: dulcemontemayor ms.date: 10/13/2017 ms.localizationpriority: medium ms.technology: itpro-security +ms.topic: conceptual --- # Control the health of Windows 10-based devices
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
index bde8daf5f1..9a86d20cd0 100644 
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
@@ -13,6 +13,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 06/28/2018 ms.technology: itpro-security +ms.topic: conceptual --- # Microsoft network client: Digitally sign communications (always)
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index f6ce6b41e1..76babb8a47 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -13,6 +13,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 11/13/2018 ms.technology: itpro-security +ms.topic: conceptual --- # Minimum password age
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 48d6693d11..67f28accd4 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -11,6 +11,7 @@ ms.reviewer: manager: aaroncz ms.collection: - highpri +ms.topic: conceptual --- # Network access: Restrict clients allowed to make remote calls to SAM 
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index 2617bbe979..6a88de5b89 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -13,6 +13,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 06/28/2018 ms.technology: itpro-security +ms.topic: conceptual --- # Security Options
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index d48d5da38b..83eddad140 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -9,6 +9,7 @@ author: dulcemontemayor ms.date: 02/28/2019 ms.localizationpriority: medium ms.technology: itpro-security +ms.topic: how-to --- # Use Windows Event Forwarding to help with intrusion detection
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
index e5b9ec21cc..e746c84f0f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
@@ -14,6 +14,7 @@ ms.localizationpriority: medium msauthor: v-anbic ms.date: 08/27/2018 ms.technology: itpro-security +ms.topic: conceptual --- # Working with AppLocker rules 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index 126e20866c..b85fb0dfe8 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -1,18 +1,10 @@ --- title: Account protection in the Windows Security app description: Use the Account protection section to manage security for your account and sign in to Microsoft. -keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide, Windows Defender SmartScreen, SmartScreen Filter, Windows SmartScreen -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz +ms.date: 12/31/2018 ms.technology: itpro-security ms.topic: article ---
@@ -22,8 +14,7 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list:
@@ -33,7 +24,6 @@ The **Account protection** section contains information and settings for account You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features. - ## Hide the Account protection section You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index 9677bca821..817ff1949e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -1,18 +1,10 @@ --- title: App & browser control in the Windows Security app description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings. -keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: +ms.date: 12/31/2018 manager: aaroncz ms.technology: itpro-security ms.topic: article
@@ -22,8 +14,7 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index 8ea1d79235..e7d38fb7de 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md 
@@ -1,18 +1,10 @@ --- title: Customize Windows Security contact information description: Provide information to your employees on how to contact your IT department when a security issue occurs -keywords: wdsc, security center, defender, notification, customize, contact, it department, help desk, call, help site -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz +ms.date: 12/31/2018 ms.technology: itpro-security ms.topic: article ---
@@ -21,8 +13,7 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index a8bcd3c5fb..bfc66838f7 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md 
@@ -1,18 +1,10 @@ --- title: Device & performance health in the Windows Security app description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues -keywords: wdsc, windows update, storage, driver, device, installation, battery, health, status -search.product: eADQiWindows 10XVcnh +ms.date: 12/31/2018 ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz ms.technology: itpro-security ms.topic: article ---
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
index 1a9e63b9b3..d56e6ecd4f 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
@@ -1,17 +1,10 @@ --- title: Device security in the Windows Security app description: Use the Device security section to manage security built into your device, including virtualization-based security. -keywords: device security, device guard, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: +ms.date: 12/31/2018 manager: aaroncz ms.technology: itpro-security ms.topic: article
@@ -21,8 +14,7 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later The **Device security** section contains information and settings for built-in device security. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
index a6f50dbd95..f4a6bb11c6 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
@@ -1,18 +1,10 @@ --- title: Family options in the Windows Security app description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments. -keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz +ms.date: 12/31/2018 ms.technology: itpro-security ms.topic: article ---
@@ -22,8 +14,7 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
index fb61f9b4e1..1d0d162d10 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md 
@@ -1,17 +1,9 @@ --- title: Firewall and network protection in the Windows Security app description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine. -keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall -search.product: eADQiWindows 10XVcnh -ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz +ms.date: 12/31/2018 ms.technology: itpro-security ms.topic: article ---
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 12d830380e..8ca7f8d1c1 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -1,18 +1,10 @@ --- title: Hide notifications from the Windows Security app description: Prevent Windows Security app notifications from appearing on user endpoints -keywords: defender, security center, app, notifications, av, alerts -search.product: eADQiWindows 10XVcnh ms.prod: windows-client -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: -ms.reviewer: -manager: aaroncz +ms.date: 12/31/2018 ms.technology: itpro-security ms.topic: article --- 
@@ -21,8 +13,7 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 and later The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
index 4777c6863d..a3773ffe67 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
@@ -14,6 +14,7 @@ ms.date: 04/30/2018 ms.reviewer: manager: aaroncz ms.technology: itpro-security +ms.topic: how-to --- # Manage Windows Security in Windows 10 in S mode
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index a5a4b985e6..1404209dea 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -14,6 +14,7 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.date: 03/01/2019 ms.technology: itpro-security +ms.topic: conceptual --- # Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index e4715791d7..929c7d815b 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -13,6 +13,7 @@ ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security +ms.topic: conceptual --- # System Guard Secure Launch and SMM protection
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index df6d6a8219..3e77330596 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -19,6 +19,7 @@ appliesto: - ✅ Windows Server 2016 - ✅ Windows Server 2019 - ✅ Windows Server 2022 +ms.topic: conceptual --- # Configure the Workstation Authentication Certificate Template
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
index 82a8b404e8..0dfbc42f89 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md 
@@ -5,17 +5,14 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.collection: ms.topic: article -ms.localizationpriority: -ms.date: -ms.reviewer: +ms.date: 6/30/2022 ms.technology: itpro-security --- # Windows Sandbox architecture -Windows Sandbox benefits from new container technology in Windows to achieve a combination of security, density, and performance that isn't available in traditional VMs. +Windows Sandbox benefits from new container technology in Windows to achieve a combination of security, density, and performance that isn't available in traditional VMs. ## Dynamically generated image
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 58fb302ed7..2b518a0153 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -8,9 +8,7 @@ manager: aaroncz ms.collection: - highpri ms.topic: article -ms.localizationpriority: medium -ms.date: -ms.reviewer: +ms.date: 6/30/2022 ms.technology: itpro-security ---
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 60ccff4e09..cbbc3389e5 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md 
@@ -8,13 +8,11 @@ manager: aaroncz ms.collection: - highpri ms.topic: article -ms.localizationpriority: -ms.date: -ms.reviewer: +ms.date: 6/30/2022 ms.technology: itpro-security --- -# Windows Sandbox +# Windows Sandbox Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.