fix: MD037/no-space-in-emphasis

Spaces inside emphasis markers
Nick Schonning 2019-07-12 16:46:03 -04:00
parent 92dd028f0e
commit 680646be9a
48 changed files with 76 additions and 76 deletions

@ -73,11 +73,11 @@ When this has been completed, install the App-V 4.5 SP2 Clients by using Setup.m
When installing Microsoft Application Error Reporting, use the following command if you are installing or upgrading to the App-V 4.5 SP2 Desktop Client:
**    msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
**msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
Alternatively, if you are installing or upgrading to the App-V 4.5 SP2 Client for Remote Desktop Services (formerly Terminal Services), use the following command:
**    msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
**msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus**
**Note**  
- The APPGUID parameter references the product code of the App-V Clients that you install or upgrade. The product code is unique for each Setup.msi. You can use the Orca Database Editor or a similar tool to examine Windows Installer files and determine the product code. This step is required for all installations or upgrades to App-V 4.5 SP2.
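
Review bot: the two `msiexec` command lines are still wrapped in `**…**`, so they stay emphasis text rather than code, and the first one keeps a double space before `allusers=1`. These are commands meant to be copied verbatim, APPGUID braces included, so put each in a code block instead of bold; that also takes them out of MD037's scope.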

@ -156,7 +156,7 @@ Instead of changing the AppFS key FILENAME value every time that a new cache fil
3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled.
**     fsutil behavior set SymlinkEvaluation R2R:1**
**fsutil behavior set SymlinkEvaluation R2R:1**
**Note**  
On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**.
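
Review bot: `**fsutil behavior set SymlinkEvaluation R2R:1**` under step 3 is a command that changes symbolic link evaluation, so it reads better as a code span or an indented code block inside the list item than as bold text. The padding removed here looks like it was standing in for that indentation; please confirm the line still renders as part of step 3.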

@ -167,7 +167,7 @@ Instead of modifying the AppFS key FILENAME value every time that a new cache fi
3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled.
**     fsutil behavior set SymlinkEvaluation R2R:1**
**fsutil behavior set SymlinkEvaluation R2R:1**
**Note**  
On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**.

@ -76,7 +76,7 @@ This section is divided into two parts: (1) features in all versions of App-V an
Microsoft Error Reporting provides a service that allows you to report problems you may be having with App-V to Microsoft and to receive information that may help you avoid or solve such problems.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
For information about the information collected, processed, or transmitted by Microsoft Error Reporting, see the Microsoft Error Reporting privacy statement at <https://go.microsoft.com/fwlink/?linkid=50293>.
@ -84,7 +84,7 @@ For information about the information collected, processed, or transmitted by Mi
We use the error reporting data to solve customer problems and improve our software and services.
**Choice/Control: **
**Choice/Control:**
App-V does not change your Microsoft Error Reporting settings. If you previously turned on error reporting, it will send Microsoft the information about the errors you encountered. When Microsoft needs additional data to analyze the problem, you will be prompted to review the data and choose whether or not to send it.  App-V will always respect your Microsoft Error Reporting settings.
@ -98,7 +98,7 @@ Enterprise customers can use Group Policy to configure how Microsoft Error Repor
Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software, including App-V.  For details about what information is collected, how it is used and how to change your settings, see the Update Services Privacy Statement at <https://go.microsoft.com/fwlink/?linkid=50142>.
**Choice/Control: **
**Choice/Control:**
If Microsoft Update is not enabled, you can opt-in during setup and subsequent checks for updates will follow the machine-wide schedule. You can update this option from the Microsoft Update Control Panel item.
@ -108,7 +108,7 @@ If Microsoft Update is not enabled, you can opt-in during setup and subsequent c
The product will collect various configuration items, including UserID, MachineID and SecurityGroup details, to be able to enforce settings on managed nodes. The data is stored in the App-V SQL database and transmitted across the App-V server and client components to enforce the configuration on the managed node.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
User and machine information and configuration content
@ -116,7 +116,7 @@ User and machine information and configuration content
The information is used to enforce the application access configuration on the managed nodes within the enterprise. The information does not leave the enterprise.
**Choice/Control: **
**Choice/Control:**
By default, the product does not have any data. All data is entered and enabled by the admin and can be viewed in the Management console. The feature cannot be disabled as this is the product functionality. To disable this, App-V will need to be uninstalled.
@ -130,7 +130,7 @@ None of this information is sent out of the enterprise.
It captures package history and asset information as part of the package.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
Information about the package and the sequencing environment is collected and stored in the package manifest during sequencing.
@ -138,7 +138,7 @@ Information about the package and the sequencing environment is collected and st
The information will be used by the admin to track the updates done to a package during its lifecycle. It will also be used by software deployment systems to track the package deployments within the organization.
**Choice/Control: **
**Choice/Control:**
This feature is always enabled and cannot be turned off.
@ -152,7 +152,7 @@ This administrator information will be stored in the package and can be viewed b
The product will collect a variety of reporting data points, including the username, to allow reporting on the usage of the product.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
Information about the machine, package and application usage are collected from every machine that reporting is enabled on.
@ -160,7 +160,7 @@ Information about the machine, package and application usage are collected from
The information is used to report on application usage within the enterprise. The information does not leave the enterprise.
**Choice/Control: **
**Choice/Control:**
By default, the product does not have any data. Data is only collected once the reporting feature is enabled on the App-V Client. To disable the collection of reporting data, the reporting feature must be disabled on all clients.
@ -178,7 +178,7 @@ This section addresses specific features available in App-V 4.6 SP1 and later.
The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at <https://go.microsoft.com/fwlink/?LinkID=52097>.
@ -186,7 +186,7 @@ For more information about the information collected, processed, or transmitted
We use this information to improve the quality, reliability, and performance of Microsoft software and services.
**Choice/Control: **
**Choice/Control:**
CEIP is optional and the opt-in status can be updated during install or post install from the GUI.  
@ -196,7 +196,7 @@ CEIP is optional and the opt-in status can be updated during install or post ins
Customers can use Application Package Accelerators to automatically package complex applications without installing the application. The App-V sequencer allows you to create package accelerators for each virtual package. You can then use these package accelerators to automatically re-create the same virtual package in the future. You may also use package accelerators released by Microsoft or other third parties to simplify and automate packaging of complex applications.
**Information Collected, Processed, or Transmitted: **
**Information Collected, Processed, or Transmitted:**
Application Package Accelerators may contain information such as computer names, user account information, and information about applications included in the Package Accelerator file.

@ -34,7 +34,7 @@ By default, at installation the App-V client is configured with the minimum perm
By default, the installation of the client registers file type associations (FTAs) for OSD files, which enables users to start applications directly from OSD files instead of the published shortcuts. If a user with local administrator rights receives an OSD file containing malicious code, either in e-mail or downloaded from a Web site, the user can open the OSD file and start the application even if the client has been set to restrict the **Add Application** permission. You can unregister the FTAs for the OSD to reduce this risk. Also, consider blocking this extension in the e-mail system and at the firewall. For more information about configuring Outlook to block extensions, see <https://go.microsoft.com/fwlink/?LinkId=133278>.
**Security Note:  **
**Security Note:**
Starting with App-V version 4.6, the file type association is no longer created for OSD files during a new installation of the client, although the existing settings will be maintained during an upgrade from version 4.2 or 4.5 of the App-V client. If for any reason it is essential to create the file type association, you can create the following registry keys and set their values as shown:
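
Review bot: in `**Security Note:  **` the two spaces before the closing markers may have been meant as a hard line break, and the new `**Security Note:**` drops them. The `**Note**  ` lines elsewhere in this commit keep two trailing spaces after the closing `**`; if the label should sit on its own line above the paragraph, use that same form here.
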
@ -50,7 +50,7 @@ During installation, you can use the **RequireAuthorizationIfCached** parameter
Antivirus software running on an App-V Client computer can detect and report an infected file in the virtual environment. However, it cannot disinfect the file. If a virus is detected in the virtual environment, the antivirus software would perform the configured quarantine or repair operation in the cache, not in the actual package. Configure the antivirus software with an exception for the sftfs.fsd file. This file is the cache file that stores packages on the App-V Client.
**Security Note:  **
**Security Note:**
If a virus is detected in an application or package deployed in the production environment, replace the application or package with a virus-free version.

@ -21,7 +21,7 @@ Microsoft Application Virtualization 4.5 provides the following enhanced securi
- Application Virtualization now supports Transport Layer Security (TLS) using X.509 V3 certificates. Provided that a server certificate has been provisioned to the planned Application Virtualization Management or Streaming Server, the installation will default to secure, using the RTSPS protocol over port 322. Using RTSPS ensures that communication between the Application Virtualization Servers and the Application Virtualization Clients is signed and encrypted. If no certificate is assigned to the server during the Application Virtualization Server installation, the communication will be set to RTSP over port 554.
**Security Note:  **
**Security Note:**
To help provide a secure setup of the server, you must make sure that RTSP ports are disabled even if you have all packages configured to use RTSPS.

@ -72,17 +72,17 @@ Image pre-staging is useful only for the initial image download. It is not suppo
**NT AUTHORITY\\Authenticated Users:(OI)(CI)(special access:)**
**                                READ\_CONTROL**
**READ\_CONTROL**
**                                                                                SYNCHRONIZE**
**SYNCHRONIZE**
**                                                                                FILE\_GENERIC\_READ**
**FILE\_GENERIC\_READ**
**                                                                                                FILE\_READ\_DATA**
**FILE\_READ\_DATA**
**                                                                                FILE\_READ\_EA**
**FILE\_READ\_EA**
**                                                                                FILE\_READ\_ATTRIBUTES**
**FILE\_READ\_ATTRIBUTES**
**NT AUTHORITY\\SYSTEM:(OI)(CI)F**
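
Review bot: stripping the padding inside each `**…**` line removes the indentation that showed `READ_CONTROL` through `FILE_READ_ATTRIBUTES` as the rights listed under `(special access:)` for Authenticated Users. This is an ACL listing, so a code block would keep the alignment and also remove the need for the `\_` and `\\` escapes.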

@ -193,7 +193,7 @@ Youll need to deploy a settings storage location, a standard network share wh
**Security Note:  **
**Security Note:**
If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor:

@ -537,7 +537,7 @@ Added in Windows 10, version 1607. Boolean value that disables the launch of al
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Disable all apps from Microsoft Store *
- GP English name: *Disable all apps from Microsoft Store*
- GP name: *DisableStoreApps*
- GP path: *Windows Components/Store*
- GP ADMX file name: *WindowsStore.admx*

@ -13428,7 +13428,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer *
- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer*
- GP name: *VerMgmtDisableRunThisTime*
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
- GP ADMX file name: *inetres.admx*
@ -16504,7 +16504,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy.
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Security Zones: Use only machine settings *
- GP English name: *Security Zones: Use only machine settings*
- GP name: *Security_HKLM_only*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*

@ -365,7 +365,7 @@ If you disable or do not configure this policy setting, the WinRM service will n
The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges.
You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses.
For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty.
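
Review bot: the context line above the change still reads `IPv6addresses` (missing space), which is worth fixing in the same pass. For the filter value itself, a code span would be clearer than `\*`, because the asterisk is a literal that an administrator types into the IPv4 or IPv6 filter.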

@ -1068,7 +1068,7 @@ If you disable or don't configure this policy setting, the Delete diagnostic dat
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Disable deleting diagnostic data *
- GP English name: *Disable deleting diagnostic data*
- GP name: *DisableDeviceDelete*
- GP element: *DisableDeviceDelete*
- GP path: *Data Collection and Preview Builds*
@ -1131,7 +1131,7 @@ If you disable or don't configure this policy setting, the Diagnostic Data Viewe
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Disable diagnostic data viewer. *
- GP English name: *Disable diagnostic data viewer.*
- GP name: *DisableDiagnosticDataViewer*
- GP element: *DisableDiagnosticDataViewer*
- GP path: *Data Collection and Preview Builds*

@ -171,7 +171,7 @@ Run the following command to verify the Windows update installation and dates:
Dism /Image:<Specify the OS drive>: /Get-packages
```
After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages:
After you run this command, you will see the **Install pending** and **Uninstall Pending** packages:
![Dism output](images/pendingupdate.png)
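
Review bot: the two status names on the changed line are capitalised differently, `**Install pending**` and `**Uninstall Pending**`. Match both to the strings that Dism prints in the screenshot so readers can search the output for them.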

@ -194,9 +194,9 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
| S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.|
| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.|
| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.|
| S-1-5-5- *X *- *Y * | Logon Session| The *X * and *Y * values for these SIDs uniquely identify a particular logon session.|
| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.|
| S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.|
| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.<br/>The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName *, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName * (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.<br/>The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
| S-1-5-8| Proxy| Does not currently apply: this SID is not used.|
| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.|
| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.|
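
Review bot: the changed rows still leave a space between the literal prefix and the placeholder, in `S-1-5-5- *X*-*Y*` and in both occurrences of `IUSR_ *ComputerName*`. Neither the SID pattern nor the account name contains that space, so remove it or write the patterns as code spans with a marked placeholder.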

@ -147,7 +147,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
### On-premises Deployments
** Requirements**
**Requirements**
* Active Directory
* On-premises Windows Hello for Business deployment
* Reset from settings - Windows 10, version 1703, Professional

@ -30,9 +30,9 @@ There is no example of this event in this document.
***Event Schema:***
*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. *
*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.*
*Number of audit messages discarded: %1 *
*Number of audit messages discarded: %1*
*This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.*

@ -48,7 +48,7 @@ It appears that this event never occurs.
*LPC Server Port Name:%6*
*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSAs use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." *
*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSAs use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."*
***Required Server Roles:*** None.
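
Review bot: the rewritten line still ends with a stray `"` just before the closing `*` (`channel."*`) with no opening quote on the line, and `LSAs use` is missing its apostrophe. Both are in the line this hunk already touches, so they can be fixed here.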

@ -138,7 +138,7 @@ This event generates when a logon session is created (on destination machine). I
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
**Logon Information** \[Version 2\]**: **
**Logon Information** \[Version 2\]**:**
- **Logon Type** \[Version 0, 1, 2\] \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field.

@ -142,7 +142,7 @@ Before this event can generate, certain ACEs might need to be set in the object
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

@ -151,7 +151,7 @@ This event generates every time a new process starts.
- **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
- **Token Elevation Type** \[Type = UnicodeString\]**: **
- **Token Elevation Type** \[Type = UnicodeString\]**:**
- **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.

@ -99,7 +99,7 @@ You will see unique event for every user.
- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
**New Right: **
**New Right:**
- **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:

@ -99,7 +99,7 @@ You will see unique event for every user.
- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
**Removed Right: **
**Removed Right:**
- **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights:

@ -100,7 +100,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
- **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were granted to mu
- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was granted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
**Access Granted: **
**Access Granted:**
- **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:

@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were removed for m
- **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
**Access Removed: **
**Access Removed:**
- **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:

@ -266,7 +266,7 @@ For 4738(S): A user account was changed.
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Display Name**<br>**User Principal Name**<br>**Home Directory**<br>**Home Drive**<br>**Script Path**<br>**Profile Path**<br>**User Workstations**<br>**Password Last Set**<br>**Account Expires**<br>**Primary Group ID<br>Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. |
| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. |
| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **&lt;value not set&gt; ** | If **AllowedToDelegateTo** is marked **&lt;value not set&gt;** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **&lt;value not set&gt;** | If **AllowedToDelegateTo** is marked **&lt;value not set&gt;** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
- Consider whether to track the following user account control flags:

@ -276,7 +276,7 @@ For 4742(S): A computer account was changed.
| **Display Name** is not -<br>**User Principal Name** is not -<br>**Home Directory** is not -<br>**Home Drive** is not -<br>**Script Path** is not -<br>**Profile Path** is not -<br>**User Workstations** is not -<br>**Account Expires** is not -<br>**Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. |
| **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. |
| **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:<br>**516** for domain controllers<br>**521** for read only domain controllers (RODCs)<br>**515** for servers and workstations (domain computers)<br>Other values should be monitored. |
| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **&lt;value not set&gt; ** | If **AllowedToDelegateTo** is marked **&lt;value not set&gt;** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **&lt;value not set&gt;** | If **AllowedToDelegateTo** is marked **&lt;value not set&gt;** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
- Consider whether to track the following account control flags:

@ -116,7 +116,7 @@ Separate events will be generated for “Registry” and “File system” polic
| Job | Port | FilterConnectionPort | |
| ALPC Port | Semaphore | Adapter | |
- **Object Name: **
- **Object Name:**
- Key if “Registry” Global Object Access Auditing policy was changed.
@ -128,7 +128,7 @@ Separate events will be generated for “Registry” and “File system” polic
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

View File

@ -44,7 +44,7 @@ There is no example of this event in this document.
*Security ID:%7*
*New Flags:%8 *
*New Flags:%8*
***Required Server Roles:*** Active Directory domain controller.

View File

@ -159,7 +159,7 @@ This event doesn't generate for Active Directory objects.
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

View File

@ -152,7 +152,7 @@ Resource attributes for file or folder can be changed, for example, using Window
- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

View File

@ -156,7 +156,7 @@ This event always generates, regardless of the objects [SACL](https://msdn.mi
- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

View File

@ -141,7 +141,7 @@ This event generates every time network share object was modified.
- **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>

View File

@ -177,7 +177,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
- ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access.
> **Note**&nbsp;&nbsp;The ** <span id="SDDL" class="anchor"></span>Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> **Note**&nbsp;&nbsp;The **<a id="SDDL" class="anchor"></a>Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
>
> Example:
>
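
Review bot: the replacement line for this SDDL note changes more than the emphasis spacing, because `<span id="SDDL" class="anchor"></span>` becomes `<a id="SDDL" class="anchor"></a>`. The commit is scoped to MD037, and the other SDDL note hunks in it only drop the space after the opening `**`. Suggest keeping the `span` here and removing just the leading space, or moving the element swap into its own commit with a stated reason so that anything relying on the element type can be checked.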

View File

@ -52,7 +52,7 @@ There is no example of this event in this document.
>
> *Layer Name:%9*
>
> *Layer Run-Time ID:%10 *
> *Layer Run-Time ID:%10*
***Required Server Roles:*** None.

View File

@ -52,7 +52,7 @@ There is no example of this event in this document.
>
> *Layer Name:%9*
>
> *Layer Run-Time ID:%10 *
> *Layer Run-Time ID:%10*
***Required Server Roles:*** None.

View File

@ -30,7 +30,7 @@ There is no example of this event in this document.
*BranchCache: Received an incorrectly formatted response while discovering availability of content.*
*IP address of the client that sent this response:%1 *
*IP address of the client that sent this response:%1*
***Required Server Roles:*** None.

View File

@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
*BranchCache: Received invalid data from a peer. Data discarded. *
*BranchCache: Received invalid data from a peer. Data discarded.*
*IP address of the client that sent this data:%1*

View File

@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. *
*BranchCache: The message to the hosted cache offering it data is incorrectly formatted.*
*IP address of the client that sent this message: %1*

View File

@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
*BranchCache: The hosted cache sent an incorrectly formatted response to the clients message to offer it data. *
*BranchCache: The hosted cache sent an incorrectly formatted response to the clients message to offer it data.*
*Domain name of the hosted cache is:%1*

View File

@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. *
*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.*
*Domain name of the hosted cache:%1*

View File

@ -28,7 +28,7 @@ There is no example of this event in this document.
***Event Schema:***
*BranchCache: A service connection point object could not be parsed. *
*BranchCache: A service connection point object could not be parsed.*
*SCP object GUID: %1*

View File

@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
GET /api/users/{id}/alerts
```
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) **
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)**
## Request headers

View File

@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
GET /api/users/{id}/machines
```
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) **
**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)**
## Request headers

View File

@ -102,7 +102,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf
| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.<br>**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
| 569 | The resource manager in Authorization Manager attempted to create a client context. |
| 570 | A client attempted to access an object.<br>**Note: ** An event will be generated for every attempted operation on the object. |
| 570 | A client attempted to access an object.<br>**Note:** An event will be generated for every attempted operation on the object. |
## Security considerations

View File

@ -54,10 +54,10 @@ As a cloud service, it is required that computers have access to the internet an
| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com|
| *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com|
| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com|
| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
| *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com|
| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: *vortex-win.data.microsoft.com* settings-win.data.microsoft.com|
## Validate connections between your network and the cloud
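Review bot: in the *Universal Telemetry Client* row, the asterisks in `* vortex-win.data.microsoft.com * settings-win.data.microsoft.com` look like flattened list bullets separating two endpoints, not emphasis markers. The new text `*vortex-win.data.microsoft.com* settings-win.data.microsoft.com` italicises the first hostname and leaves the second plain, which changes how the endpoint list reads to someone building a firewall allow-list from it. Suggest dropping the asterisks and separating the two endpoints with `<br>`, as other tables in this commit do. Wrapping the hostnames in backticks would also keep them, and the wildcard entries in the MAPS row, out of reach of emphasis rules.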

View File

@ -50,11 +50,11 @@ The following table contains information about the events that you can use to de
| 8000 | Error| Application Identity Policy conversion failed. Status *&lt;%1&gt; *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.|
| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.|
| 8002 | Information| *&lt;File name&gt; * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
| 8003 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules ** enforcement mode were enabled. |
| 8004 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt; * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.|
| 8003 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
| 8004 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.|
| 8005| Information| *&lt;File name&gt; * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
| 8006 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. |
| 8007 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt; * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.|
| 8006 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
| 8007 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.|
| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.|
| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.|
| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.|
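Review bot: the fix is only partly applied in this AppLocker event table. Rows 8003, 8004, 8006 and 8007 have the `**Audit only **` and `**Enforce rules **` spacing corrected, but the message column of those same rows still reads `*&lt;File name&gt; *`, and the unchanged rows 8000 (`*&lt;%1&gt; *`), 8002 and 8005 carry the same space before the closing asterisk. The pattern this commit targets therefore remains in the file. Suggest changing these to `*&lt;File name&gt;*` and `*&lt;%1&gt;*` throughout the table in the same commit.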

View File

@ -30,7 +30,7 @@ This topic for IT professionals provides links to procedural topics about creati
| Topic | Description |
| - | - |
| [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.|
| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only ** within your IT environment by using AppLocker.|
| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.|
| [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.|
| [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.|
| [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.|