deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-29 09:13:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into wsfb-7616926

Browse Source
This commit is contained in:
Trudy Hakala
2016-05-20 10:06:59 -07:00
parent eb9290389d 4507a7a8d4
commit 4494e83ca1
28 changed files with 942 additions and 1843 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
devices/surface/TOC.md
View File

@ -6,6 +6,7 @@
## [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)
## [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)
## [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
## [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
## [Surface Data Eraser](microsoft-surface-data-eraser.md)
## [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)

BIN
devices/surface/images/manage-surface-uefi-fig2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
devices/surface/images/manage-surface-uefi-fig3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
devices/surface/images/manage-surface-uefi-fig4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

BIN
devices/surface/images/manage-surface-uefi-fig5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
devices/surface/images/manage-surface-uefi-fig6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 104 KiB

BIN
devices/surface/images/manage-surface-uefi-fig7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
devices/surface/images/manage-surface-uefi-fig8.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
devices/surface/images/manage-surface-uefi-figure-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 74 KiB

10
devices/surface/index.md
View File

@ -62,18 +62,22 @@ For more information on planning for, deploying, and managing Surface devices in
<td><p>Explore the available options to manage firmware and driver updates for Surface devices.</p></td>
</tr>
<tr class="even">
<td><p>[Manage Surface UEFI settings](manage-surface-uefi-settings.md)<p></td>
<td><p>Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.</p></td>
</tr>
<tr class="odd">
<td><p>[Surface Data Eraser](microsoft-surface-data-eraser.md)</p></td>
<td><p>Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)</p></td>
<td><p>See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)</p></td>
<td><p>Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Surface Dock Updater](surface-dock-updater.md)</p></td>
<td><p>Get a detailed walkthrough of Microsoft Surface Dock Updater.</p></td>
</tr>

138
devices/surface/manage-surface-uefi-settings.md Normal file
View File

@ -0,0 +1,138 @@
---
title: Manage Surface UEFI settings (Surface)
description: Use Surface UEFI settings to enable or disable devices or components, configure security settings, and adjust Surface device boot settings.
keywords: firmware, security, features, configure, hardware
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices, surface
author: miladCA
---
#Manage Surface UEFI settings
Current and future generations of Surface devices, including Surface Pro 4 and Surface Book, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the devices operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings.
>**Note:**&nbsp;&nbsp;Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI.
You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot.
##PC information
On the **PC information** page, detailed information about your Surface device is provided:
- **Model** Your Surface devices model will be displayed here, such as Surface Book or Surface Pro 4. The exact configuration of your device is not shown, (such as processor, disk size, or memory size).
- **UUID** This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management.
- **Serial Number** This number is used to identify this specific Surface device for asset tagging and support scenarios.
- **Asset Tag** The asset tag is assigned to the Surface device with the [Asset Tag Tool](https://www.microsoft.com/en-us/download/details.aspx?id=44076).
You will also find detailed information about the firmware of your Surface device. Surface devices have several internal components that each run different versions of firmware. The firmware version of each of the following devices is displayed on the **PC information** page (as shown in Figure 1):
- System UEFI
- SAM Controller
- Intel Management Engine
- System Embedded Controller
- Touch Firmware
*Figure 1. System information and firmware version information*
![figure 1](images/manage-surface-uefi-figure-1.png)
You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/en-us/support/install-update-activate/surface-update-history) for your device.
##Security
On the **Security** page of Surface UEFI settings, you can set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2):
- Uppercase letters: A-Z
- Lowercase letters: a-z
- Numbers: 1-0
- Special characters: !@#$%^&*()?<>{}[]-_=+|.,;:`”
The password must be at least 6 characters and is case sensitive.
*Figure 2. Add a password to protect Surface UEFI settings*
![figure 2](images/manage-surface-uefi-fig2.png)
On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.
*Figure 3. Configure Secure Boot*
![figure 3](images/manage-surface-uefi-fig3.png)
You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your devices data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library.
*Figure 4. Configure Surface UEFI security settings*
![figure 4](images/manage-surface-uefi-fig4.png)
##Devices
On the **Devices** page you can enable or disable specific devices and components of your Surface device. Devices that you can enable or disable on this page include:
- Docking and USB Ports
- MicroSD or SD Card Slot
- Rear Camera
- Front Camera
- Infrared (IR) Camera
- Wi-Fi and Bluetooth
- Onboard Audio (Speakers and Microphone)
Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5.
*Figure 5. Enable and disable specific devices*
![figure 5](images/manage-surface-uefi-fig5.png)
##Boot configuration
On the **Boot Configuration** page, you can change the order of your boot devices and/or enable or disable boot of the following devices:
- Windows Boot Manager
- USB Storage
- PXE Network
- Internal Storage
You can boot from a specific device immediately, or you can swipe left on that devices entry in the list using the touchscreen. You can also boot immediately to a USB device or USB Ethernet adapter when the Surface device is powered off by pressing the **Volume Down** button and the **Power** button simultaneously.
For the specified boot order to take effect, you must set the **Enable Alternate Boot Sequence** option to **On**, as shown in Figure 6.
*Figure 6. Configure the boot order for your Surface device*
![figure 6](images/manage-surface-uefi-fig6.png)
You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only.
##About
The **About** page displays regulatory information, such as compliance with FCC rules, as shown in Figure 7.
*Figure 7. Regulatory information is displayed on the About page*
![figure 7](images/manage-surface-uefi-fig7.png)
##Exit
Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8.
*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
![figure 8](images/manage-surface-uefi-fig8.png)

48
windows/keep-secure/advanced-security-audit-policy-settings.md
View File

@ -2,52 +2,74 @@
title: Advanced security audit policy settings (Windows 10)
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Advanced security audit policy settings
**Applies to**
- Windows 10
This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
**Account Logon**
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:
- [Audit Credential Validation](audit-credential-validation.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
**Account Management**
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
- [Audit Application Group Management](audit-application-group-management.md)
- [Audit Computer Account Management](audit-computer-account-management.md)
- [Audit Distribution Group Management](audit-distribution-group-management.md)
- [Audit Other Account Management Events](audit-other-account-management-events.md)
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
**Detailed Tracking**
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories:
- [Audit DPAPI Activity](audit-dpapi-activity.md)
- [Audit PNP activity](audit-pnp-activity.md)
- [Audit Process Creation](audit-process-creation.md)
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
**DS Access**
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
- [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
- [Audit Directory Service Access](audit-directory-service-access.md)
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
**Logon/Logoff**
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
- [Audit Account Lockout](audit-account-lockout.md)
- [Audit User/Device Claims](audit-user-device-claims.md)
- [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
@ -59,10 +81,15 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
- [Audit Network Policy Server](audit-network-policy-server.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
**Object Access**
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess).
This category includes the following subcategories:
- [Audit Application Generated](audit-application-generated.md)
- [Audit Certification Services](audit-certification-services.md)
- [Audit Detailed File Share](audit-detailed-file-share.md)
@ -77,35 +104,46 @@ This category includes the following subcategories:
- [Audit Removable Storage](audit-removable-storage.md)
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
**Policy Change**
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories:
- [Audit Audit Policy Change](audit-audit-policy-change.md)
- [Audit Authentication Policy Change](audit-authentication-policy-change.md)
- [Audit Authorization Policy Change](audit-authorization-policy-change.md)
- [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
**Privilege Use**
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
- [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
**System**
System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:
- [Audit IPsec Driver](audit-ipsec-driver.md)
- [Audit Other System Events](audit-other-system-events.md)
- [Audit Security State Change](audit-security-state-change.md)
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
**Global Object Access**
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access.
**Note**  
If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
> **Note:**  If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object
Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
 
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
 
 

90
windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md
View File

@ -2,90 +2,128 @@
title: Backup the TPM recovery Information to AD DS (Windows 10)
description: This topic for the IT professional describes how to back up a computers Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Backup the TPM recovery Information to AD DS
**Applies to**
- Windows 10
This topic for the IT professional describes how to back up a computers Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer.
## About administering TPM remotely
Backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer. For example, administrators might want to reset the TPM to the manufacturers defaults when they decommission or repurpose computers, without having to be present at the computer.
You can use AD DS to store TPM owner information for use in recovery situations where the TPM owner has forgotten the password or where you must take control of the TPM. There is only one TPM owner password per computer; therefore, the hash of the TPM owner password can be stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of **ms-TPM-OwnerInformation**.
**Note**  
The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64encoded. The actual owner password is not stored.
> **Note:**  The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64encoded. The actual owner password is not stored.
 
Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
This topic contains procedures, some of which are dependent on Visual Basic scripts, to recover TPM information and decommission TPM on remote computers. Sample scripts are available, which you can customize to meet the requirements of your environment.
In this topic:
1. [Check status of prerequisites](#bkmk-prereqs)
2. [Set permissions to back up password information](#bkmk-setperms)
3. [Configure Group Policy to back up TPM recovery information in AD DS](#bkmk-configuregp)
4. [Use AD DS to recover TPM information](#bkmk-useit)
5. [Sample scripts](#bkmk-adds-tpm-scripts)
## <a href="" id="bkmk-prereqs"></a>Check status of prerequisites
Before you begin your backup, ensure that the following prerequisites are met:
1. All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema.
**Tip**  
For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
> **Tip:**  For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
 
2. You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions.
## <a href="" id="bkmk-setperms"></a>Set permissions to back up password information
This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#bkmk-add-tpmselfwriteace) to add an access control entry (ACE) so that backing up TPM recovery information is possible. A client computer cannot back up TPM owner information until this ACE is added.
This script is run on the domain controller that you will use to administer the TPM recovery information, and it operates under the following assumptions:
- You have domain administrator credentials to set permissions for the top-level domain object.
- Your target domain is the same as the domain for the user account that is running the script. For example, running the script as TESTDOMAIN\\admin will extend permissions for TESTDOMAIN.
**Note**  
You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example:
> **Note:**  You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example:
`LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com`
 
- Your domain is configured so that permissions are inherited from the top-level domain object to targeted computer objects.
Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions. You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute.
Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions.
You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute.
**To add an ACE to allow TPM recovery information backup**
1. Open the sample script **Add-TPMSelfWriteACE.vbs**.
The script contains a permission extension, and you must modify the value of **strPathToDomain** by using your domain name.
2. Save your modifications to the script.
3. Type the following at a command prompt, and then press ENTER:
**cscript Add-TPMSelfWriteACE.vbs**
This script adds a single ACE to the top-level domain object. The ACE is an inheritable permission that allows the computer (SELF) to write to the **ms-TPM-OwnerInformation** attribute for computer objects in the domain.
Complete the following procedure to check that the correct permissions are set and to remove TPM and BitLocker ACEs from the top-level domain, if necessary.
**Manage ACEs configured on TPM schema objects**
1. Open the sample script **List-ACEs.vbs**.
2. Modify **List-ACEs.vbs**.
You must modify:
- Value of **strPathToDomain**: Use your domain name.
- Filter options: The script sets a filter to address BitLocker and TPM schema objects, so you must modify **If IsFilterActive ()** if you want to list or remove other schema objects.
3. Save your modifications to the script.
4. Type the following at a command prompt, and then press ENTER:
**cscript List-ACEs.vbs**
With this script you can optionally remove ACEs from BitLocker and TPM schema objects on the top-level domain.
## <a href="" id="bkmk-configuregp"></a>Configure Group Policy to back up TPM recovery information in AD DS
Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain.
**To enable local policy setting to back up TPM recovery information to AD DS**
1. Sign in to a domain-joined computer by using a domain account that is a member of the local Administrators group.
2. Open the Local Group Policy Editor (gpedit.msc), and in the console tree, navigate to **Computer Configuration\\Administrative Templates\\System**.
3. Click **Trusted Platform Module Services**.
4. Double-click **Turn on TPM backup to Active Directory Domain Services**.
5. Click **Enabled**, and then click **OK**.
**Important**  
When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.
> **Important:**  When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.
 
## <a href="" id="bkmk-useit"></a>Use AD DS to recover TPM information
When you need to recover the TPM owner information from AD DS and use it to manage the TPM, you need to read the **ms-TPM-OwnerInformation** object from AD DS, and then manually create a TPM owner password backup file that can be supplied when TPM owner credentials are required.
**To obtain TPM owner backup information from AD DS and create a password file**
1. Sign in to a domain controller by using domain administrator credentials.
2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer.
3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.
The expected output is a string that is the hash of the password that you created earlier.
**Note**  
If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute.
> **Note:**  If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute.
The only exception to this requirement is that if users are the Creator Owner of computer objects that they join to the domain, they can possibly read the TPM owner information for their computer objects.
 
5. Open Notepad or another text editor, and copy the following code sample into the file, and replace *TpmOwnerPasswordHash* with the string that you recorded in the previous step.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!--
@ -101,13 +139,19 @@ When you need to recover the TPM owner information from AD DS and use it to man
</tpmOwnerData>
```
6. Save this file with a .tpm extension on a removable storage device, such as a USB flash drive. When you access the TPM, and you are required to provide the TPM owner password, choose the option for reading the password from a file and provide the path to this file.
## <a href="" id="bkmk-adds-tpm-scripts"></a>Sample scripts
You can use all or portions of the following sample scripts, which are used in the preceding procedures, to configure AD DS for backing up TPM recovery information. Customization is required depending on how your environment is configured.
- [Add-TPMSelfWriteACE.vbs: Use to add the access control entry (ACE) for the TPM to AD DS](#bkmk-add-tpmselfwriteace)
- [List-ACEs.vbs: Use to list or remove the ACEs that are configured on BitLocker and TPM schema objects](#bkmk-list-aces)
- [Get-TPMOwnerInfo.vbs: Use to retrieve the TPM recovery information from AD DS for a particular computer](#bkmk-get-tpmownerinfo)
### <a href="" id="bkmk-add-tpmselfwriteace"></a>Add-TPMSelfWriteACE.vbs
This script adds the access control entry (ACE) for the TPM to AD DS so that the computer can back up TPM recovery information in AD DS.
``` syntax
'===============================================================================
'
@ -203,8 +247,11 @@ objDomain.Put "ntSecurityDescriptor", Array(objDescriptor)
objDomain.SetInfo
WScript.Echo "SUCCESS!"
```
### <a href="" id="bkmk-list-aces"></a>List-ACEs.vbs
This script lists or removes the ACEs that are configured on BitLocker and TPM schema objects for the top-level domain. This enables you to verify that the expected ACEs have been added appropriately or to remove any ACEs that are related to BitLocker or the TPM, if necessary.
``` syntax
'===============================================================================
'
@ -379,8 +426,11 @@ else
end if
end if
```
### <a href="" id="bkmk-get-tpmownerinfo"></a>Get-TPMOwnerInfo.vbs
This script retrieves TPM recovery information from AD DS for a particular computer so that you can verify that only domain administrators (or delegated roles) can read backed up TPM recovery information and verify that the information is being backed up correctly.
``` syntax
'=================================================================================
'
@ -499,12 +549,12 @@ Set objComputer = objDSO.OpenDSObject(strPath, vbNullString, vbNullString, _
strOwnerInformation = objComputer.Get("msTPM-OwnerInformation")
WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
```
## Additional resources
[Trusted Platform Module technology overview](trusted-platform-module-overview.md)
[TPM fundamentals](tpm-fundamentals.md)
[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
[AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
[Prepare your organization for BitLocker: Planning and Policies](http://technet.microsoft.com/library/jj592683.aspx), see TPM considerations
 
 
- [Trusted Platform Module technology overview](trusted-platform-module-overview.md)
- [TPM fundamentals](tpm-fundamentals.md)
- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
- [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
- [Prepare your organization for BitLocker: Planning and Policies](http://technet.microsoft.com/library/jj592683.aspx), see TPM considerations

14
windows/keep-secure/basic-audit-account-logon-events.md
View File

@ -2,22 +2,31 @@
title: Audit account logon events (Windows 10)
description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit account logon events
**Applies to**
- Windows 10
Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Default**: Success
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Logon events | Description |
|--------------|--------------------------------------------------------------------------------------------------------------------------------------|
| 672 | An authentication service (AS) ticket was successfully issued and validated. |
@ -32,6 +41,7 @@ You can configure this security setting by opening the appropriate policy under
| 683 | A user disconnected a terminal server session without logging off. |
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

262
windows/keep-secure/basic-audit-account-management.md
View File

@ -2,226 +2,86 @@
title: Audit account management (Windows 10)
description: Determines whether to audit each event of account management on a device.
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit account management
**Applies to**
- Windows 10
Determines whether to audit each event of account management on a device.
Examples of account management events include:
- A user account or group is created, changed, or deleted.
- A user account is renamed, disabled, or enabled.
- A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To
set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:**
- Success on domain controllers.
- No auditing on member servers.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Account management events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">624</td>
<td align="left">A user account was created.</td>
</tr>
<tr class="even">
<td align="left">627</td>
<td align="left">A user password was changed.</td>
</tr>
<tr class="odd">
<td align="left">628</td>
<td align="left">A user password was set.</td>
</tr>
<tr class="even">
<td align="left">630</td>
<td align="left">A user account was deleted.</td>
</tr>
<tr class="odd">
<td align="left">631</td>
<td align="left">A global group was created.</td>
</tr>
<tr class="even">
<td align="left">632</td>
<td align="left">A member was added to a global group.</td>
</tr>
<tr class="odd">
<td align="left">633</td>
<td align="left">A member was removed from a global group.</td>
</tr>
<tr class="even">
<td align="left">634</td>
<td align="left">A global group was deleted.</td>
</tr>
<tr class="odd">
<td align="left">635</td>
<td align="left">A new local group was created.</td>
</tr>
<tr class="even">
<td align="left">636</td>
<td align="left">A member was added to a local group.</td>
</tr>
<tr class="odd">
<td align="left">637</td>
<td align="left">A member was removed from a local group.</td>
</tr>
<tr class="even">
<td align="left">638</td>
<td align="left">A local group was deleted.</td>
</tr>
<tr class="odd">
<td align="left">639</td>
<td align="left">A local group account was changed.</td>
</tr>
<tr class="even">
<td align="left">641</td>
<td align="left">A global group account was changed.</td>
</tr>
<tr class="odd">
<td align="left">642</td>
<td align="left">A user account was changed</td>
</tr>
<tr class="even">
<td align="left">643</td>
<td align="left">A domain policy was modified.</td>
</tr>
<tr class="odd">
<td align="left">644</td>
<td align="left">A user account was auto locked.</td>
</tr>
<tr class="even">
<td align="left">645</td>
<td align="left">A computer account was created.</td>
</tr>
<tr class="odd">
<td align="left">646</td>
<td align="left">A computer account was changed.</td>
</tr>
<tr class="even">
<td align="left">647</td>
<td align="left">A computer account was deleted.</td>
</tr>
<tr class="odd">
<td align="left">648</td>
<td align="left">A local security group with security disabled was created.
<div class="alert">
<strong>Note</strong>  SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">649</td>
<td align="left">A local security group with security disabled was changed.</td>
</tr>
<tr class="odd">
<td align="left">650</td>
<td align="left">A member was added to a security-disabled local security group.</td>
</tr>
<tr class="even">
<td align="left">651</td>
<td align="left">A member was removed from a security-disabled local security group.</td>
</tr>
<tr class="odd">
<td align="left">652</td>
<td align="left">A security-disabled local group was deleted.</td>
</tr>
<tr class="even">
<td align="left">653</td>
<td align="left">A security-disabled global group was created.</td>
</tr>
<tr class="odd">
<td align="left">645</td>
<td align="left">A security-disabled global group was changed.</td>
</tr>
<tr class="even">
<td align="left">655</td>
<td align="left">A member was added to a security-disabled global group.</td>
</tr>
<tr class="odd">
<td align="left">656</td>
<td align="left">A member was removed from a security-disabled global group.</td>
</tr>
<tr class="even">
<td align="left">657</td>
<td align="left">A security-disabled global group was deleted.</td>
</tr>
<tr class="odd">
<td align="left">658</td>
<td align="left">A security-enabled universal group was created.</td>
</tr>
<tr class="even">
<td align="left">659</td>
<td align="left">A security-enabled universal group was changed.</td>
</tr>
<tr class="odd">
<td align="left">660</td>
<td align="left">A member was added to a security-enabled universal group.</td>
</tr>
<tr class="even">
<td align="left">661</td>
<td align="left">A member was removed from a security-enabled universal group.</td>
</tr>
<tr class="odd">
<td align="left">662</td>
<td align="left">A security-enabled universal group was deleted.</td>
</tr>
<tr class="even">
<td align="left">663</td>
<td align="left">A security-disabled universal group was created.</td>
</tr>
<tr class="odd">
<td align="left">664</td>
<td align="left">A security-disabled universal group was changed.</td>
</tr>
<tr class="even">
<td align="left">665</td>
<td align="left">A member was added to a security-disabled universal group.</td>
</tr>
<tr class="odd">
<td align="left">666</td>
<td align="left">A member was removed from a security-disabled universal group.</td>
</tr>
<tr class="even">
<td align="left">667</td>
<td align="left">A security-disabled universal group was deleted.</td>
</tr>
<tr class="odd">
<td align="left">668</td>
<td align="left">A group type was changed.</td>
</tr>
<tr class="even">
<td align="left">684</td>
<td align="left">Set the security descriptor of members of administrative groups.</td>
</tr>
<tr class="odd">
<td align="left">685</td>
<td align="left">Set the security descriptor of members of administrative groups.
<div class="alert">
<strong>Note</strong>  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.
</div>
<div>
 
</div></td>
</tr>
</tbody>
</table>
| Account management events | Description |
| - | - |
| 624 | A user account was created.|
| 627 | A user password was changed.|
| 628 | A user password was set. |
| 630 | A user account was deleted.|
| 631 | A global group was created. |
| 632 | A member was added to a global group.|
| 633 | A member was removed from a global group.|
| 634 | A global group was deleted. |
| 635 | A new local group was created.|
| 636 | A member was added to a local group.|
| 637 | A member was removed from a local group.|
| 638 | A local group was deleted. |
| 639 | A local group account was changed.|
| 641 | A global group account was changed.|
| 642 | A user account was changed. |
| 643 | A domain policy was modified. |
| 644 | A user account was auto locked. |
| 645 | A computer account was created. |
| 646 | A computer account was changed. |
| 647 | A computer account was deleted. |
| 648 | A local security group with security disabled was created.<br>**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | |
| 649 | A local security group with security disabled was changed. |
| 650 | A member was added to a security-disabled local security group. |
| 651 | A member was removed from a security-disabled local security group. |
| 652 | A security-disabled local group was deleted. |
| 653 | A security-disabled global group was created. |
| 645 | A security-disabled global group was changed. |
| 655 | A member was added to a security-disabled global group. |
| 656 | A member was removed from a security-disabled global group. |
| 657 | A security-disabled global group was deleted. |
| 658 | A security-enabled universal group was created. |
| 659 | A security-enabled universal group was changed. |
| 660 | A member was added to a security-enabled universal group. |
| 661 | A member was removed from a security-enabled universal group. |
| 662 | A security-enabled universal group was deleted. |
| 663 | A security-disabled universal group was created. |
| 664 | A security-disabled universal group was changed. |
| 665 | A member was added to a security-disabled universal group. |
| 666 | A member was removed from a security-disabled universal group. |
| 667 | A security-disabled universal group was deleted. |
| 668 | A group type was changed. |
| 684 | Set the security descriptor of members of administrative groups. |
| 685 | Set the security descriptor of members of administrative groups.<br>**Note:**  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.|
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

19
windows/keep-secure/basic-audit-directory-service-access.md
View File

@ -2,33 +2,42 @@
title: Audit directory service access (Windows 10)
description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit directory service access
**Applies to**
- Windows 10
\[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\]
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Note**  
You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.
> **Note:**  You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.
 
**Default:**
- Success on domain controllers.
- Undefined for a member server.
## Configure this audit setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
There is only one directory service access event, which is identical to the Object Access security event message 566.
| Directory service access events | Description |
|---------------------------------|----------------------------------------|
| 566 | A generic object operation took place. |
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

41
windows/keep-secure/basic-audit-logon-events.md
View File

@ -2,24 +2,32 @@
title: Audit logon events (Windows 10)
description: Determines whether to audit each instance of a user logging on to or logging off from a device.
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit logon events
**Applies to**
- Windows 10
\[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\]
Determines whether to audit each instance of a user logging on to or logging off from a device.
Account logon events are generated on domain controllers for domain account activity and on local devices for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more info about account logon events, see [Audit account logon events](basic-audit-account-logon-events.md).
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
| Logon events | Description |
|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Logon events | Description |
| - | - |
| 528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
| 530 | Logon failure. A logon attempt was made user account tried to log on outside of the allowed time. |
@ -48,20 +56,23 @@ You can configure this security setting by opening the appropriate policy under
| 682 | A user has reconnected to a disconnected terminal server session. |
| 683 | A user disconnected a terminal server session without logging off. |
 
When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.
| Logon type | Logon title | Description |
|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| Logon type | Logon title | Description |
| - | - | - |
| 2 | Interactive | A user logged on to this computer.|
| 3 | Network | A user or computer logged on to this computer from the network.|
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.|
| 5 | Service | A service was started by the Service Control Manager.|
| 7 | Unlock | This workstation was unlocked.|
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.|
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.|
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.|
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

257
windows/keep-secure/basic-audit-object-access.md
View File

@ -2,221 +2,78 @@
title: Audit object access (Windows 10)
description: Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit object access
**Applies to**
- Windows 10
Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Note**  You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box.
> **Note:**  You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box.
 
**Default:** No auditing.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Object access events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">560</td>
<td align="left">Access was granted to an already existing object.</td>
</tr>
<tr class="even">
<td align="left">562</td>
<td align="left">A handle to an object was closed.</td>
</tr>
<tr class="odd">
<td align="left">563</td>
<td align="left">An attempt was made to open an object with the intent to delete it.
<div class="alert">
<strong>Note</strong>  This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">564</td>
<td align="left">A protected object was deleted.</td>
</tr>
<tr class="odd">
<td align="left">565</td>
<td align="left">Access was granted to an already existing object type.</td>
</tr>
<tr class="even">
<td align="left">567</td>
<td align="left">A permission associated with a handle was used.
<div class="alert">
<strong>Note</strong>  A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left">568</td>
<td align="left">An attempt was made to create a hard link to a file that is being audited.</td>
</tr>
<tr class="even">
<td align="left">569</td>
<td align="left">The resource manager in Authorization Manager attempted to create a client context.</td>
</tr>
<tr class="odd">
<td align="left">570</td>
<td align="left">A client attempted to access an object.
<div class="alert">
<strong>Note</strong>  An event will be generated for every attempted operation on the object.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">571</td>
<td align="left">The client context was deleted by the Authorization Manager application.</td>
</tr>
<tr class="odd">
<td align="left">572</td>
<td align="left">The administrator manager initialized the application.</td>
</tr>
<tr class="even">
<td align="left">772</td>
<td align="left">The certificate manager denied a pending certificate request.</td>
</tr>
<tr class="odd">
<td align="left">773</td>
<td align="left">Certificate Services received a resubmitted certificate request.</td>
</tr>
<tr class="even">
<td align="left">774</td>
<td align="left">Certificate Services revoked a certificate.</td>
</tr>
<tr class="odd">
<td align="left">775</td>
<td align="left">Certificate Services received a request to publish the certificate revocation list (CRL).</td>
</tr>
<tr class="even">
<td align="left">776</td>
<td align="left">Certificate Services published the certificate revocation list (CRL).</td>
</tr>
<tr class="odd">
<td align="left">777</td>
<td align="left">A certificate request extension was made.</td>
</tr>
<tr class="even">
<td align="left">778</td>
<td align="left">One or more certificate request attributes changed.</td>
</tr>
<tr class="odd">
<td align="left">779</td>
<td align="left">Certificate Services received a request to shutdown.</td>
</tr>
<tr class="even">
<td align="left">780</td>
<td align="left">Certificate Services backup started.</td>
</tr>
<tr class="odd">
<td align="left">781</td>
<td align="left">Certificate Services backup completed</td>
</tr>
<tr class="even">
<td align="left">782</td>
<td align="left">Certificate Services restore started.</td>
</tr>
<tr class="odd">
<td align="left">783</td>
<td align="left">Certificate Services restore completed.</td>
</tr>
<tr class="even">
<td align="left">784</td>
<td align="left">Certificate Services started.</td>
</tr>
<tr class="odd">
<td align="left">785</td>
<td align="left">Certificate Services stopped.</td>
</tr>
<tr class="even">
<td align="left">786</td>
<td align="left">The security permissions for Certificate Services changed.</td>
</tr>
<tr class="odd">
<td align="left">787</td>
<td align="left">Certificate Services retrieved an archived key.</td>
</tr>
<tr class="even">
<td align="left">788</td>
<td align="left">Certificate Services imported a certificate into its database.</td>
</tr>
<tr class="odd">
<td align="left">789</td>
<td align="left">The audit filter for Certificate Services changed.</td>
</tr>
<tr class="even">
<td align="left">790</td>
<td align="left">Certificate Services received a certificate request.</td>
</tr>
<tr class="odd">
<td align="left">791</td>
<td align="left">Certificate Services approved a certificate request and issued a certificate.</td>
</tr>
<tr class="even">
<td align="left">792</td>
<td align="left">Certificate Services denied a certificate request.</td>
</tr>
<tr class="odd">
<td align="left">793</td>
<td align="left">Certificate Services set the status of a certificate request to pending.</td>
</tr>
<tr class="even">
<td align="left">794</td>
<td align="left">The certificate manager settings for Certificate Services changed.</td>
</tr>
<tr class="odd">
<td align="left">795</td>
<td align="left">A configuration entry changed in Certificate Services.</td>
</tr>
<tr class="even">
<td align="left">796</td>
<td align="left">A property of Certificate Services changed.</td>
</tr>
<tr class="odd">
<td align="left">797</td>
<td align="left">Certificate Services archived a key.</td>
</tr>
<tr class="even">
<td align="left">798</td>
<td align="left">Certificate Services imported and archived a key.</td>
</tr>
<tr class="odd">
<td align="left">799</td>
<td align="left">Certificate Services published the CA certificate to Active Directory.</td>
</tr>
<tr class="even">
<td align="left">800</td>
<td align="left">One or more rows have been deleted from the certificate database.</td>
</tr>
<tr class="odd">
<td align="left">801</td>
<td align="left">Role separation enabled.</td>
</tr>
</tbody>
</table>
 
| Object access events | Description |
| - | - |
| 560 | Access was granted to an already existing object.|
| 562 | A handle to an object was closed. |
| 563 | An attempt was made to open an object with the intent to delete it.<br>**Note: **  This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().||
| 564 | A protected object was deleted. |
| 565 | Access was granted to an already existing object type.|
| 567 | A permission associated with a handle was used.<br>**Note: **  A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.|
| 568 | An attempt was made to create a hard link to a file that is being audited. |
| 569 | The resource manager in Authorization Manager attempted to create a client context.|
| 570 | A client attempted to access an object.<br>**Note:**  An event will be generated for every attempted operation on the object.|
| 571 | The client context was deleted by the Authorization Manager application. |
| 572 | The administrator manager initialized the application. |
| 772 | The certificate manager denied a pending certificate request.|
| 773 | Certificate Services received a resubmitted certificate request.|
| 774 | Certificate Services revoked a certificate.|
| 775 | Certificate Services received a request to publish the certificate revocation list (CRL).|
| 776 | Certificate Services published the certificate revocation list (CRL). |
| 777 | A certificate request extension was made. |
| 778 | One or more certificate request attributes changed.|
| 779 | Certificate Services received a request to shutdown.|
| 780 | Certificate Services backup started. |
| 781 | Certificate Services backup completed |
| 782 | Certificate Services restore started. |
| 783 | Certificate Services restore completed.|
| 784 | Certificate Services started. |
| 785 | Certificate Services stopped. |
| 786 | The security permissions for Certificate Services changed.|
| 787 | Certificate Services retrieved an archived key. |
| 788 | Certificate Services imported a certificate into its database.|
| 789 | The audit filter for Certificate Services changed. |
| 790 | Certificate Services received a certificate request.|
| 791 | Certificate Services approved a certificate request and issued a certificate.|
| 792 | Certificate Services denied a certificate request. |
| 793 | Certificate Services set the status of a certificate request to pending.|
| 794 | The certificate manager settings for Certificate Services changed. |
| 795 | A configuration entry changed in Certificate Services. |
| 796 | A property of Certificate Services changed. |
| 797 | Certificate Services archived a key. |
| 798 | Certificate Services imported and archived a key.|
| 799 | Certificate Services published the CA certificate to Active Directory.|
| 800 | One or more rows have been deleted from the certificate database. |
| 801 | Role separation enabled. |
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

160
windows/keep-secure/basic-audit-policy-change.md
View File

@ -2,147 +2,59 @@
title: Audit policy change (Windows 10)
description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit policy change
**Applies to**
- Windows 10
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Default:**
- Success on domain controllers.
- No auditing on member servers.
## Configure this audit setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Policy change events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">608</td>
<td align="left">A user right was assigned.</td>
</tr>
<tr class="even">
<td align="left">609</td>
<td align="left">A user right was removed.</td>
</tr>
<tr class="odd">
<td align="left">610</td>
<td align="left">A trust relationship with another domain was created.</td>
</tr>
<tr class="even">
<td align="left">611</td>
<td align="left">A trust relationship with another domain was removed.</td>
</tr>
<tr class="odd">
<td align="left">612</td>
<td align="left">An audit policy was changed.</td>
</tr>
<tr class="even">
<td align="left">613</td>
<td align="left">An Internet Protocol security (IPSec) policy agent started.</td>
</tr>
<tr class="odd">
<td align="left">614</td>
<td align="left">An IPSec policy agent was disabled.</td>
</tr>
<tr class="even">
<td align="left">615</td>
<td align="left">An IPSec policy agent changed.</td>
</tr>
<tr class="odd">
<td align="left">616</td>
<td align="left">An IPSec policy agent encountered a potentially serious failure.</td>
</tr>
<tr class="even">
<td align="left">617</td>
<td align="left">A Kerberos policy changed.</td>
</tr>
<tr class="odd">
<td align="left">618</td>
<td align="left">Encrypted Data Recovery policy changed.</td>
</tr>
<tr class="even">
<td align="left">620</td>
<td align="left">A trust relationship with another domain was modified.</td>
</tr>
<tr class="odd">
<td align="left">621</td>
<td align="left">System access was granted to an account.</td>
</tr>
<tr class="even">
<td align="left">622</td>
<td align="left">System access was removed from an account.</td>
</tr>
<tr class="odd">
<td align="left">623</td>
<td align="left">Per user auditing policy was set for a user.</td>
</tr>
<tr class="even">
<td align="left">625</td>
<td align="left">Per user audit policy was refreshed.</td>
</tr>
<tr class="odd">
<td align="left">768</td>
<td align="left">A collision was detected between a namespace element in one forest and a namespace element in another forest.
<div class="alert">
<strong>Note</strong>  When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">769</td>
<td align="left">Trusted forest information was added.
<div class="alert">
<strong>Note</strong>  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left">770</td>
<td align="left">Trusted forest information was deleted.
<div class="alert">
<strong>Note</strong>  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">771</td>
<td align="left">Trusted forest information was modified.
<div class="alert">
<strong>Note</strong>  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.
</div>
<div>
 
</div></td>
</tr>
<tr class="odd">
<td align="left">805</td>
<td align="left">The event log service read the security log configuration for a session.</td>
</tr>
</tbody>
</table>
| Policy change events | Description |
| - | - |
| 608 | A user right was assigned.|
| 609 | A user right was removed. |
| 610 | A trust relationship with another domain was created.|
| 611 | A trust relationship with another domain was removed.|
| 612 | An audit policy was changed.|
| 613 | An Internet Protocol security (IPSec) policy agent started.|
| 614 | An IPSec policy agent was disabled. |
| 615 | An IPSec policy agent changed. |
| 616 | An IPSec policy agent encountered a potentially serious failure.|
| 617 | A Kerberos policy changed. |
| 618 | Encrypted Data Recovery policy changed.|
| 620 | A trust relationship with another domain was modified.|
| 621 | System access was granted to an account. |
| 622 | System access was removed from an account.|
| 623 | Per user auditing policy was set for a user.|
| 625 | Per user audit policy was refreshed. |
| 768 | A collision was detected between a namespace element in one forest and a namespace element in another forest.<br>**Note**  When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.|
| 769 | Trusted forest information was added.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
| 770 | Trusted forest information was deleted.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
| 771 | Trusted forest information was modified.<br>**Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type &quot;TopLevelName&quot;.|
| 805 | The event log service read the security log configuration for a session.
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

53
windows/keep-secure/basic-audit-privilege-use.md
View File

@ -2,20 +2,28 @@
title: Audit privilege use (Windows 10)
description: Determines whether to audit each instance of a user exercising a user right.
ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit privilege use
**Applies to**
- Windows 10
Determines whether to audit each instance of a user exercising a user right.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:** No auditing.
Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for **Audit privilege use**. Enabling auditing of these user rights tend to generate many events in the security log which may impede your computer's performance. To audit the following user rights, enable the **FullPrivilegeAuditing** registry key.
- Bypass traverse checking
- Debug programs
- Create a token object
@ -23,42 +31,19 @@ Audits are not generated for use of the following user rights, even if success a
- Generate security audits
- Back up files and directories
- Restore files and directories
## Configure this audit setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Privilege use events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">576</td>
<td align="left">Specified privileges were added to a user's access token.
<div class="alert">
<strong>Note</strong>  This event is generated when the user logs on.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">577</td>
<td align="left">A user attempted to perform a privileged system service operation.</td>
</tr>
<tr class="odd">
<td align="left">578</td>
<td align="left">Privileges were used on an already open handle to a protected object.</td>
</tr>
</tbody>
</table>
| Privilege use events | Description |
| - | - |
| 576 | Specified privileges were added to a user's access token.<br>**Note:**  This event is generated when the user logs on.|
| 577 | A user attempted to perform a privileged system service operation. |
| 578 | Privileges were used on an already open handle to a protected object. |
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

91
windows/keep-secure/basic-audit-process-tracking.md
View File

@ -2,87 +2,46 @@
title: Audit process tracking (Windows 10)
description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit process tracking
**Applies to**
- Windows 10
Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits generate an audit entry when the process being tracked fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes.
**Default:** No auditing.
## Configure this this security setting
You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Process tracking events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">592</td>
<td align="left">A new process was created.</td>
</tr>
<tr class="even">
<td align="left">593</td>
<td align="left">A process exited.</td>
</tr>
<tr class="odd">
<td align="left">594</td>
<td align="left">A handle to an object was duplicated.</td>
</tr>
<tr class="even">
<td align="left">595</td>
<td align="left">Indirect access to an object was obtained.</td>
</tr>
<tr class="odd">
<td align="left">596</td>
<td align="left">A data protection master key was backed up.
<div class="alert">
<strong>Note</strong>  The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left">597</td>
<td align="left">A data protection master key was recovered from a recovery server.</td>
</tr>
<tr class="odd">
<td align="left">598</td>
<td align="left">Auditable data was protected.</td>
</tr>
<tr class="even">
<td align="left">599</td>
<td align="left">Auditable data was unprotected.</td>
</tr>
<tr class="odd">
<td align="left">600</td>
<td align="left">A process was assigned a primary token.</td>
</tr>
<tr class="even">
<td align="left">601</td>
<td align="left">A user attempted to install a service.</td>
</tr>
<tr class="odd">
<td align="left">602</td>
<td align="left">A scheduler job was created.</td>
</tr>
</tbody>
</table>
| Process tracking events | Description |
| - | - |
| 592 | A new process was created.|
| 593 | A process exited. |
| 594 | A handle to an object was duplicated.|
| 595 | Indirect access to an object was obtained.|
| 596 | A data protection master key was backed up.<br>**Note:** The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.|
| 597 | A data protection master key was recovered from a recovery server.|
| 598 | Auditable data was protected. |
| 599 | Auditable data was unprotected.|
| 600 | A process was assigned a primary token.|
| 601 | A user attempted to install a service. |
| 602 | A scheduler job was created. |
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

84
windows/keep-secure/basic-audit-system-events.md
View File

@ -2,81 +2,47 @@
title: Audit system events (Windows 10)
description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit system events
**Applies to**
- Windows 10
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.
To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes.
**Default:**
- Success on domain controllers.
- No auditing on member servers.
## Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Logon events</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">512</td>
<td align="left">Windows is starting up.</td>
</tr>
<tr class="even">
<td align="left">513</td>
<td align="left">Windows is shutting down.</td>
</tr>
<tr class="odd">
<td align="left">514</td>
<td align="left">An authentication package was loaded by the Local Security Authority.</td>
</tr>
<tr class="even">
<td align="left">515</td>
<td align="left">A trusted logon process has registered with the Local Security Authority.</td>
</tr>
<tr class="odd">
<td align="left">516</td>
<td align="left">Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.</td>
</tr>
<tr class="even">
<td align="left">517</td>
<td align="left">The audit log was cleared.</td>
</tr>
<tr class="odd">
<td align="left">518</td>
<td align="left">A notification package was loaded by the Security Accounts Manager.</td>
</tr>
<tr class="even">
<td align="left">519</td>
<td align="left">A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.</td>
</tr>
<tr class="odd">
<td align="left">520</td>
<td align="left">The system time was changed.
<div class="alert">
<strong>Note</strong>  This audit normally appears twice.
</div>
<div>
 
</div></td>
</tr>
</tbody>
</table>
 
| Logon events | Description |
| - | - |
| 512 | Windows is starting up. |
| 513 | Windows is shutting down. |
| 514 | An authentication package was loaded by the Local Security Authority.|
| 515 | A trusted logon process has registered with the Local Security Authority.|
| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.|
| 517 | The audit log was cleared. |
| 518 | A notification package was loaded by the Security Accounts Manager.|
| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.|
| 520 | The system time was changed.<br>**Note:**  This audit normally appears twice.|
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

47
windows/keep-secure/basic-security-audit-policies.md
View File

@ -2,17 +2,22 @@
title: Basic security audit policies (Windows 10)
description: Before you implement auditing, you must decide on an auditing policy.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Basic security audit policies
**Applies to**
- Windows 10
Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.
The event categories that you can choose to audit are:
- Audit account logon events
- Audit account management
- Audit directory service access
@ -22,38 +27,16 @@ The event categories that you can choose to audit are:
- Audit privilege use
- Audit process tracking
- Audit system events
If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category (for auditing objects on a domain controller), or the audit object access category (for auditing objects on a member server or workstation). Once you have enabled the object access category, you can specify the types of access you want to audit for each group or user.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)</p></td>
<td align="left"><p>By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md)</p></td>
<td align="left"><p>You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[View the security event log](view-the-security-event-log.md)</p></td>
<td align="left"><p>The security log records each event as defined by the audit policies you set on each object.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Basic security audit policy settings](basic-security-audit-policy-settings.md)</p></td>
<td align="left"><p>Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.</p></td>
</tr>
</tbody>
</table>
 
| Topic | Description |
| - | - |
| [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. |
| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. |
| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.|
| [Basic security audit policy settings](basic-security-audit-policy-settings.md) | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.|
 
 

71
windows/keep-secure/basic-security-audit-policy-settings.md
View File

@ -2,69 +2,36 @@
title: Basic security audit policy settings (Windows 10)
description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Basic security audit policy settings
**Applies to**
- Windows 10
Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Audit account logon events](basic-audit-account-logon-events.md)</p></td>
<td align="left"><p>Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Audit account management](basic-audit-account-management.md)</p></td>
<td align="left"><p>Determines whether to audit each event of account management on a device.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Audit directory service access](basic-audit-directory-service-access.md)</p></td>
<td align="left"><p>Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Audit logon events](basic-audit-logon-events.md)</p></td>
<td align="left"><p>Determines whether to audit each instance of a user logging on to or logging off from a device.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Audit object access](basic-audit-object-access.md)</p></td>
<td align="left"><p>Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Audit policy change](basic-audit-policy-change.md)</p></td>
<td align="left"><p>Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Audit privilege use](basic-audit-privilege-use.md)</p></td>
<td align="left"><p>Determines whether to audit each instance of a user exercising a user right.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Audit process tracking](basic-audit-process-tracking.md)</p></td>
<td align="left"><p>Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Audit system events](basic-audit-system-events.md)</p></td>
<td align="left"><p>Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.</p></td>
</tr>
</tbody>
</table>
| Topic | Description |
| - | - |
| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.|
| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.|
| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.|
| [Audit logon events](basic-audit-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from a device. |
| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.|
| [Audit policy change](basic-audit-policy-change.md) | Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. |
| [Audit privilege use](basic-audit-privilege-use.md) | Determines whether to audit each instance of a user exercising a user right. |
| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.|
| [Audit system events](basic-audit-system-events.md) | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. |
 
## Related topics
[Basic security audit policy settings](basic-security-audit-policy-settings.md)
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
 
 

1119
windows/keep-secure/bcd-settings-and-bitlocker.md
View File

File diff suppressed because it is too large Load Diff

197
windows/keep-secure/bitlocker-basic-deployment.md
View File

@ -2,36 +2,49 @@
title: BitLocker basic deployment (Windows 10)
description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# BitLocker basic deployment
**Applies to**
- Windows 10
This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
The following sections provide information that will help you put together your basic deployment plan for implementing BitLocker in your organization:
- [Using BitLocker to encrypt volumes](#bkmk-dep1)
- [Down-level compatibility](#bkmk-dep2)
- [Using manage-bde to encrypt volumes with BitLocker](#bkmk-dep3)
- [Using PowerShell to encrypt volumes with BitLocker](#bkmk-dep4)
## <a href="" id="bkmk-dep1"></a>Using BitLocker to encrypt volumes
BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data volumes. To support fully encrypted operating system volumes, BitLocker uses an unencrypted system volume for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes.
**Note**  
For more info about using this tool, see [Bdehdcfg](http://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference.
> **Note:**  For more info about using this tool, see [Bdehdcfg](http://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference.
 
BitLocker encryption can be done using the following methods:
- BitLocker control panel
- Windows Explorer
- manage-bde command line interface
- BitLocker Windows PowerShell cmdlets
### Encrypting volumes using the BitLocker control panel
Encrypting volumes with the BitLocker control panel is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
### Operating system volume
Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
<table>
<colgroup>
@ -81,32 +94,53 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t
 
Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive.
You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies.
When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options:
- Encrypt used disk space only - Encrypts only disk space that contains data
- Encrypt entire drive - Encrypts the entire volume including free space
It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option.
**Note**  
Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
> **Note:**  Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
 
Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning BitLocker off.
### Data volume
Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the control panel to begin the BitLocker Drive Encryption wizard.
Unlike for operating system volumes, data volumes are not required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked.
After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes.
With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it is recommended that used space only encryption is selected.
With an encryption method chosen, a final confirmation screen displays before beginning the encryption process. Selecting **Start encrypting** will begin encryption.
Encryption status displays in the notification area or within the BitLocker control panel.
### <a href="" id="-onedrive-option-"></a> OneDrive option
There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain.
Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Using BitLocker within Windows Explorer
Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right clicking on a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
## <a href="" id="bkmk-dep2"></a>Down-level compatibility
The following table shows the compatibility matrix for systems that have been BitLocker enabled then presented to a different version of Windows.
Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
<table>
<colgroup>
<col width="25%" />
@ -149,48 +183,66 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
</table>
 
### Encrypting volumes using the manage-bde command line interface
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx).
Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
### Operating system volume
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
**Determining volume status**
A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:
``` syntax
manage-bde -status
```
`manage-bde -status`
This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
**Enabling BitLocker without a TPM**
For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the protectors option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the computer when prompted to complete the encryption process.
``` syntax
manage-bde protectors -add C: -startupkey E:
manage-bde -on C:
```
**Enabling BitLocker with a TPM only**
It is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
``` syntax
manage-bde -on C:
```
`manage-bde -on C:`
This will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
``` syntax
manage-bde -protectors -get <volume>
```
`manage-bde -protectors -get <volume>`
**Provisioning BitLocker with two protectors**
Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command:
``` syntax
manage-bde -protectors -add C: -pw -sid <user or group>
```
`manage-bde -protectors -add C: -pw -sid <user or group>`
This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.
### Data volume
Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or users can choose to add protectors to the volume. It is recommended that at least one primary protector and a recovery protector be added to a data volume.
**Enabling BitLocker with a password**
A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on.
``` syntax
manage-bde -protectors -add -pw C:
manage-bde -on C:
```
## <a href="" id="bkmk-dep3"></a>Using manage-bde to encrypt volumes with BitLocker
### Encrypting volumes using the BitLocker Windows PowerShell cmdlets
Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
<table>
<colgroup>
@ -322,12 +374,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
**Note**  
In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
> **Note:**  In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
 
``` syntax
Get-BitLockerVolume C: | fl
```
`Get-BitLockerVolume C: | fl`
If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
``` syntax
@ -339,138 +390,150 @@ Using this information, we can then remove the key protector for a specific volu
``` syntax
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
**Note**  
The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
> **Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
 
### Operating system volume
Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
To enable BitLocker with just the TPM protector. This can be done using the command:
``` syntax
Enable-BitLocker C:
```
The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
``` syntax
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
```
### Data volume
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins.
``` syntax
$pw = Read-Host -AsSecureString
<user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
```
### Using a SID based protector in Windows PowerShell
The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster.
**Warning**  
The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
>**Warning:**  The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
 
To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
``` syntax
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
```
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
``` syntax
get-aduser -filter {samaccountname -eq "administrator"}
```
**Note**  
Use of this command requires the RSAT-AD-PowerShell feature.
> **Note:**  Use of this command requires the RSAT-AD-PowerShell feature.
 
**Tip**  
In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
> **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
 
In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
``` syntax
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
```
**Note**  
Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
> **Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
 
## <a href="" id="bkmk-dep4"></a>Using PowerShell to encrypt volumes with BitLocker
### Checking BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
### Checking BitLocker status with the control panel
Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume will display next to the volume description and drive letter. Available status return values with the control panel include:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>Status</strong></p></td>
<td align="left"><p><strong>Description</strong></p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>On</strong></p></td>
<td align="left"><p>BitLocker is enabled for the volume</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Off</strong></p></td>
<td align="left"><p>BitLocker is not enabled for the volume</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Suspended</strong></p></td>
<td align="left"><p>BitLocker is suspended and not actively protecting the volume</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Waiting for Activation</strong></p></td>
<td align="left"><p>BitLocker is enabled with a clear protector key and requires further action to be fully protected</p></td>
</tr>
</tbody>
</table>
| Status | Description |
| - | - |
| **On**|BitLocker is enabled for the volume |
| **Off**| BitLocker is not enabled for the volume |
| **Suspended** | BitLocker is suspended and not actively protecting the volume |
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
 
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on volume E. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
Once BitLocker protector activation is completed, the completion notice is displayed.
### Checking BitLocker status with manage-bde
Administrators who prefer a command line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
To check the status of a volume using manage-bde, use the following command:
``` syntax
manage-bde -status <volume>
```
**Note**  
If no volume letter is associated with the -status command, all volumes on the computer display their status.
> **Note:**  If no volume letter is associated with the -status command, all volumes on the computer display their status.
 
### Checking BitLocker status with Windows PowerShell
Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
``` syntax
Get-BitLockerVolume <volume> -Verbose | fl
```
This command will display information about the encryption method, volume type, key protectors, etc.
### Provisioning BitLocker during operating system deployment
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
### Decrypting BitLocker volumes
Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption should not occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We will discuss each method further below.
### Decrypting volumes using the BitLocker control panel applet
BitLocker decryption using the control panel is done using a Wizard. The control panel can be called from Windows Explorer or by opening the directly. After opening the BitLocker control panel, users will select the Turn off BitLocker option to begin the process.
Once selected, the user chooses to continue by clicking the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process will begin and report status to the control panel.
The control panel does not report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress.
Once decryption is complete, the drive will update its status in the control panel and is available for encryption.
### Decrypting volumes using the manage-bde command line interface
Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
``` syntax
manage-bde -off C:
```
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command:
``` syntax
manage-bde -status C:
```
### Decrypting volumes using the BitLocker Windows PowerShell cmdlets
Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. The additional advantage Windows PowerShell offers is the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is:
``` syntax
DisableBitLocker
```
If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
``` syntax
Disable-BitLocker -MountPoint E:,F:,G:
```
## See also
[Prepare your organization for BitLocker: Planning and p\\olicies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
[BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
[BitLocker overview](bitlocker-overview.md)
- [Prepare your organization for BitLocker: Planning and p\\olicies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker overview](bitlocker-overview.md)
 
 

31
windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
View File

@ -285,8 +285,7 @@ When you enable the **Don't search the web or display web results in Search** Gr
- For **Remote port**, choose **All ports**.
**Note**
If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer.
### <a href="" id="bkmk-cortana-mdm"></a>1.2 Cortana MDM policies
@ -321,8 +320,7 @@ Starting with Windows 10, fonts that are included in Windows but that are not st
To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
**Note**
This may change in future versions of Windows.
> **Note:** This may change in future versions of Windows.
### <a href="" id="bkmk-previewbuilds"></a>5. Insider Preview builds
@ -408,8 +406,7 @@ Use either Group Policy or MDM policies to manage settings for Microsoft Edge. F
Find the Microsoft Edge Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Edge**.
**Note**
The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes.
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@ -453,10 +450,6 @@ You can turn off NCSI through Group Policy:
You can turn off the ability to download and update offline maps.
- In the UI: **Settings** &gt; **System** &gt; **Offline maps** &gt; **Automatically update maps**
-or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Maps** &gt; **Turn off Automatic Download and Update of Map Data**
### <a href="" id="bkmk-onedrive"></a>12. OneDrive
@ -617,10 +610,7 @@ Use Settings &gt; Privacy to configure some settings that may be important to yo
To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
**Note**
When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
- Turn off the feature in the UI.
@ -660,8 +650,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
**Note**
If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically.
@ -793,8 +782,7 @@ To turn off **Choose apps that can use your microphone**:
In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
**Note**
For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
@ -987,8 +975,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
**Note**
You can't use the UI to change the telemetry level to **Security**.
> **Note:** You can't use the UI to change the telemetry level to **Security**.
@ -1108,6 +1095,10 @@ You can opt of the Microsoft Antimalware Protection Service.
- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
-and-
From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0**
You can stop sending file samples back to Microsoft.
- Set the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender** &gt; **MAPS** &gt; **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.

52
windows/plan/deploy-windows-10-in-a-school.md
View File

@ -49,8 +49,7 @@ This school configuration has the following characteristics:
- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
- You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device.
**Note**&nbsp;&nbsp;In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
>**Note:**&nbsp;&nbsp;In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
- The devices use Azure AD in Office 365 Education for identity management.
- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/).</li>
- Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices.
@ -140,7 +139,7 @@ Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windo
You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems.
**Note**&nbsp;&nbsp;If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system.
>**Note:**&nbsp;&nbsp;If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system.
For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT).
@ -225,13 +224,13 @@ You will use the Office 365 Education license plan information you record in Tab
To create a new Office 365 Education subscription for use in the classroom, use your educational institutions email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions.
**Note**&nbsp;&nbsp;If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains).
>**Note:**&nbsp;&nbsp;If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains).
#### To create a new Office 365 subscription
1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar.
**Note**&nbsp;&nbsp;If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following:
>**Note**&nbsp;&nbsp;If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following:<br/>
- Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**.
- Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**.
@ -256,7 +255,7 @@ Now that you have created your new Office 365 Education subscription, add the do
To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
**Note**&nbsp;&nbsp;By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
>**Note:**&nbsp;&nbsp;By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
Office 365 uses the domain portion of the users email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
@ -265,7 +264,7 @@ Office 365 uses the domain portion of the users email address to know which O
You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365.
**Note**&nbsp;&nbsp;You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
>**Note:**&nbsp;&nbsp;You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
@ -277,13 +276,13 @@ All new Office 365 Education subscriptions have automatic tenant join enabled by
| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`|
| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`|
<p>
**Note**&nbsp;&nbsp;If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
>**Note:**&nbsp;&nbsp;If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
### Disable automatic licensing
To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval.
**Note**&nbsp;&nbsp;By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
>**Note:**&nbsp;&nbsp;By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
@ -336,7 +335,7 @@ Now that you have an Office 365 subscription, you need to determine how you will
In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
**Note**&nbsp;&nbsp;Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396).
>**Note:**&nbsp;&nbsp;Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396).
![fig 4](images/deploy-win-10-school-figure4.png)
@ -365,7 +364,7 @@ In this section, you selected the method for creating user accounts in your Offi
You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
**Note**&nbsp;&nbsp;If your institution does not have an on-premises AD DS domain, you can skip this section.
>**Note:**&nbsp;&nbsp;If your institution does not have an on-premises AD DS domain, you can skip this section.
### Select synchronization model
@ -426,7 +425,7 @@ In this section, you selected your synchronization model, deployed Azure AD Conn
You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS.
**Note**&nbsp;&nbsp;If your institution doesnt have an on-premises AD DS domain, you can skip this section.
>**Note:**&nbsp;&nbsp;If your institution doesnt have an on-premises AD DS domain, you can skip this section.
### Select the bulk import method
@ -456,7 +455,7 @@ After you have selected your user and group account bulk import method, youre
With the bulk-import source file finished, youre ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method.
**Note**&nbsp;&nbsp;Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts.
>**Note:**&nbsp;&nbsp;Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts.
For more information about how to import user accounts into AD DS by using:
@ -482,7 +481,7 @@ The bulk-add process assigns the same Office 365 Education license plan to all u
For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
**Note**&nbsp;&nbsp;If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
>**Note:**&nbsp;&nbsp;If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
The email accounts are assigned temporary passwords upon creation. You must communicate these temporary passwords to your users before they can sign in to Office 365.
@ -490,13 +489,13 @@ The email accounts are assigned temporary passwords upon creation. You must comm
Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources.
**Note**&nbsp;&nbsp;If your institution has AD DS, dont create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
>**Note:**&nbsp;&nbsp;If your institution has AD DS, dont create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
You can add and remove users from security groups at any time.
**Note**&nbsp;&nbsp;Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect.
>**Note:**&nbsp;&nbsp;Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect.
### Create email distribution groups
@ -504,7 +503,7 @@ Microsoft Exchange Online uses an email distribution group as a single email rec
You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group.
**Note**&nbsp;&nbsp;Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps.
>**Note:**&nbsp;&nbsp;Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps.
For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US).
@ -542,7 +541,8 @@ To create and configure your Windows Store for Business portal, simply use the a
#### To create and configure a Windows Store for Business portal
1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar.
2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.<p>**Note**&nbsp;&nbsp;If your institution has AD DS, then dont create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.
>**Note:**&nbsp;&nbsp;If your institution has AD DS, then dont create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in.
4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept**
5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**.
@ -565,7 +565,7 @@ After you create the Windows Store for Business portal, configure it by using th
Now that you have created your Windows Store for Business portal, youre ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business.
**Note**&nbsp;&nbsp;Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business.
>**Note:**&nbsp;&nbsp;Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business.
You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users.
@ -596,11 +596,11 @@ Depending on your schools requirements, you may need any combination of the f
- Upgrade institution-owned devices to Windows 10 Education.
- Deploy new instances of Windows 10 Education so that new devices have a known configuration.
**Note**&nbsp;&nbsp;Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home.
>**Note:**&nbsp;&nbsp;Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home.
One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above.
**Note**&nbsp;&nbsp;On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources.
>**Note:**&nbsp;&nbsp;On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources.
Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture.
@ -738,9 +738,7 @@ In addition, you must prepare your environment for sideloading (deploying) Windo
To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).<br/><br/>
If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.<br/><br/>
**Note**&nbsp;&nbsp;You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.<br/><br/>
If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.<br/><br/>**Note:**&nbsp;&nbsp;You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.<br/><br/>
For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
@ -897,7 +895,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
<tr>
<td valign="top">Use of Microsoft accounts</td>
<td>You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br/><br/>
**Note**&nbsp;&nbsp;Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.<br/><br/>
**Note:**&nbsp;&nbsp;Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.<br/><br/>
**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users cant add Microsoft accounts setting option.<br/><br/>
**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.
</td>
@ -1042,7 +1040,7 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in
Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
**Note**&nbsp;&nbsp;To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx).
>**Note:**&nbsp;&nbsp;To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx).
In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
@ -1055,7 +1053,7 @@ In most instances, deployments occur without incident. Only in rare occasions do
After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you dont have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section.
**Note**&nbsp;&nbsp;If youre performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section.
>**Note:**&nbsp;&nbsp;If youre performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section.
#### To set up printers