From b3227046e30ed5a32c2150fc501391a3587fafd4 Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Thu, 19 May 2016 12:11:02 -0700 Subject: [PATCH 01/16] update notes --- windows/plan/deploy-windows-10-in-a-school.md | 52 +++++++++---------- 1 file changed, 25 insertions(+), 27 deletions(-) diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md index 53a866f3b8..f1ba01d1a5 100644 --- a/windows/plan/deploy-windows-10-in-a-school.md +++ b/windows/plan/deploy-windows-10-in-a-school.md @@ -49,8 +49,7 @@ This school configuration has the following characteristics: - You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. - You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. - You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. - - **Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. +>**Note:**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. - The devices use Azure AD in Office 365 Education for identity management. - If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/). - Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices. 
@@ -140,7 +139,7 @@ Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windo You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. -**Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. +>**Note:**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT). 
@@ -225,13 +224,13 @@ You will use the Office 365 Education license plan information you record in Tab To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. -**Note**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains). +>**Note:**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains). #### To create a new Office 365 subscription 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - **Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following: + >**Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following:
- Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**. - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**. @@ -256,7 +255,7 @@ Now that you have created your new Office 365 Education subscription, add the do To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. -**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. +>**Note:**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: 
@@ -265,7 +264,7 @@ Office 365 uses the domain portion of the user’s email address to know which O You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. -**Note**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. +>**Note:**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). @@ -277,13 +276,13 @@ All new Office 365 Education subscriptions have automatic tenant join enabled by | Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`| | Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`|

-**Note**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. +>**Note:**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. ### Disable automatic licensing To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. -**Note**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. +>**Note:**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). 
@@ -336,7 +335,7 @@ Now that you have an Office 365 subscription, you need to determine how you will In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. -**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396). +>**Note:**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396). ![fig 4](images/deploy-win-10-school-figure4.png) @@ -365,7 +364,7 @@ In this section, you selected the method for creating user accounts in your Offi You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. -**Note**  If your institution does not have an on-premises AD DS domain, you can skip this section. +>**Note:**  If your institution does not have an on-premises AD DS domain, you can skip this section. ### Select synchronization model 
@@ -426,7 +425,7 @@ In this section, you selected your synchronization model, deployed Azure AD Conn You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. -**Note**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. +>**Note:**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. ### Select the bulk import method @@ -456,7 +455,7 @@ After you have selected your user and group account bulk import method, you’re With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. -**Note**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. +>**Note:**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. For more information about how to import user accounts into AD DS by using: 
@@ -482,7 +481,7 @@ The bulk-add process assigns the same Office 365 Education license plan to all u For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). -**Note**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. +>**Note:**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. The email accounts are assigned temporary passwords upon creation. You must communicate these temporary passwords to your users before they can sign in to Office 365. 
@@ -490,13 +489,13 @@ The email accounts are assigned temporary passwords upon creation. You must comm Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. -**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +>**Note:**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). You can add and remove users from security groups at any time. -**Note**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect. +>**Note:**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect. ### Create email distribution groups 
@@ -504,7 +503,7 @@ Microsoft Exchange Online uses an email distribution group as a single email rec You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. -**Note**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. +>**Note:**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). @@ -542,7 +541,8 @@ To create and configure your Windows Store for Business portal, simply use the a #### To create and configure a Windows Store for Business portal 1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar. -2. On the **Windows Store for Business** page, click **Sign in with an organizational account**.

**Note**  If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +2. On the **Windows Store for Business** page, click **Sign in with an organizational account**. +>**Note:**  If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. 3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. 4. On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept** 5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**. @@ -565,7 +565,7 @@ After you create the Windows Store for Business portal, configure it by using th Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business. -**Note**  Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business. +>**Note:**  Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business. You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users. 
@@ -596,11 +596,11 @@ Depending on your school’s requirements, you may need any combination of the f - Upgrade institution-owned devices to Windows 10 Education. - Deploy new instances of Windows 10 Education so that new devices have a known configuration. -**Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home. +>**Note:**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home. One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. -**Note**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. +>**Note:**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). 
Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. @@ -738,9 +738,7 @@ In addition, you must prepare your environment for sideloading (deploying) Windo To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).

-If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

- -**Note**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

+If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

**Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). @@ -897,7 +895,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 Use of Microsoft accounts You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

-**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

+**Note:**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. @@ -1042,7 +1040,7 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. -**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx). +>**Note:**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx). In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. 
@@ -1055,7 +1053,7 @@ In most instances, deployments occur without incident. Only in rare occasions do After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. -**Note**  If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. +>**Note:**  If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. #### To set up printers From 454859072b25e3987dce582f73f5406cec5120e7 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 19 May 2016 13:37:36 -0700 Subject: [PATCH 02/16] adding content to i'm done topic --- ...done-finishing-your-surface-hub-meeting.md | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md new file mode 100644 index 0000000000..5e30b15a8a --- /dev/null +++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md 
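Review bot: In the `@@ -49,8 +49,7 @@` hunk of PATCH 01/16, the new `>**Note:**` line sits directly between two list items (`- You install the 64-bit version of the Microsoft Deployment Toolkit...` and `- The devices use Azure AD in Office 365 Education...`) with the separating blank line removed; a `>` line adjacent to list items can be absorbed into the preceding item or split the list in rendered Markdown, so put blank lines around the blockquote and check the rendered page. The unchanged context also shows the bullet `- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.` twice in a row; since this patch already edits the list, drop the duplicate.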
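Review bot: In the `@@ -225,13 +224,13 @@` hunk of PATCH 01/16, the indented note under step 1 is converted to `>**Note**  If you have already used your current sign-in account...` without the colon, while every other note in this patch becomes `>**Note:**`; make it `>**Note:**` for consistency. That blockquote sits inside a numbered list and is followed by sub-bullets (`- Microsoft Edge by opening the Microsoft Edge app...`), so verify that the `>` line keeps its indentation under step 1 and does not terminate the list.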
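Review bot: In the `@@ -542,7 +541,8 @@` hunk of PATCH 01/16, the note inserted after step 2 (`>**Note:**  If your institution has AD DS, then don’t create security accounts in Office 365...`) is the security-groups note from the `@@ -490` hunk and has nothing to do with signing in to Windows Store for Business; it reads as a copy-and-paste remnant and should be removed, or replaced with a note that fits this step (the sign-in account is already stated in step 3). If a note is kept here, add blank lines around it so step 3 still numbers correctly.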
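Review bot: In the `@@ -738,9 +738,7 @@` hunk of PATCH 01/16, the note becomes `**Note:**  You can also deploy Windows desktop apps...` without the leading `>`, unlike the other notes in this patch, which become blockquotes; add the `>` so the page is consistent. The note also repeats the sentence immediately above it (`If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10...`), so it could simply be dropped. In the trailing context line, `Window desktop apps` should read `Windows desktop apps`.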
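Review bot: In the `@@ -897,7 +895,7 @@` hunk of PATCH 01/16, `**Note:**  Personal devices typically use Microsoft accounts.` again lacks the `>` prefix used for the other notes in this patch. More importantly, the unchanged context line `**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings...` says these settings control the camera, which is clearly carried over from the camera row; because this row is the security setting for blocking Microsoft accounts on institution-owned devices, the sentence should state what the settings actually control, for example `Enable or disable the use of Microsoft accounts by using...`.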
@@ -0,0 +1,79 @@ +--- +title: I'm done - ending a Surface Hub meeting (Surface Hub) +description: To end a Surface Hub meeting, tap I'm Done. Surface Hub cleans up the spplication state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. +keywords: ["I"m Done", "end Surface Hub meeting", "finish Surface Hub meeting", "clean up Surface Hub meeting"] +author: TrudyHa +--- + +# End a Surface Hub meeting with I'm Done +Surface Hub is a collaboration device designed to be used simultaneously and sequentially by multiple people. At the end of a Surface Hub meeting, one of the attendees can tap or click **I'm Done** to end the meeting. Tapping **I'm Done** tells Surface Hub to clean up info from the current meeting, so that it will be ready for the next meeting. When a meeting attendee taps **I'm Done**, Surface Hub cleans up, or resets, these states. +- Applications +- Operating system +- User interface + +This topic explains what **I'm Done** resets for each of these states. + +## Applications +When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **I'm done** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs. + +### Close applications +Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**. + +### Delete browser history +Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. 
This is similar to how a user can clear out their browser history manually, but **I'm Done** also ensures that application states are cleared and data is removed before the next session, or meeting, starts. + +### Reset applications +**I'm Done** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub. + +### Remove Skype logs +Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **I'm Done** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs. + +## Operating System +The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting. +### File System +Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:
+- Music +- Videos +- Documents +- Pictures +- Downloads + +Surface Hub also clears these directories, since many applications often write to these directories: +- Desktop +- Favorites +- Recent +- Public Documents +- Public Music +- Public Videos +- Public Downloads + +### Credentials +User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap I’m done. + +## User interface +User interface (UI) settings are returned to their default values when **I'm Done** is selected. + +### UI items +- Reset Quick Actions to default state +- Clear Toast notifications +- Reset volume levels +- Reset Cortana relaunch count +- Reset sidebar width +- Reset tablet mode layout + +### Accessibility +Accessibility features and apps are returned to default settings when **I'm Done** is selected. +- Filter keys +- High contrast +- Stickey keys +- Toggle keys +- Mouse keys +- Magnifier +- Narrator + +### Clipboard +The clipboard is cleared to remove data that was copied to the clipboard during the session. + +## Frequently asked questions + + \ No newline at end of file From 689be8641e9ce3765d1101c82bfab67ddb27f639 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 19 May 2016 14:39:25 -0700 Subject: [PATCH 03/16] Adding FAQ section --- devices/surface-hub/TOC.md | 1 + .../i-am-done-finishing-your-surface-hub-meeting.md | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 65f42da6b5..ea7471374a 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md 
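Review bot: In the `@@ -0,0 +1,79 @@` hunk of PATCH 02/16, the front matter line `+keywords: ["I"m Done", "end Surface Hub meeting", ...]` has an unescaped double quote inside a double-quoted YAML string, which will break front-matter parsing for the whole topic; change it to `"I'm Done"`. Also fix `spplication` in the description, `until date is removed or overwritten` (should be `data`), `Stickey keys` (should be `Sticky keys`), and the lowercase `I’m done` in the Credentials section, which elsewhere is written **I'm Done**. The `## Frequently asked questions` heading is added with no body, and the file ends with `\ No newline at end of file`; either leave the heading out until the FAQ content lands or add it together with the questions, and terminate the file with a newline.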
@@ -20,6 +20,7 @@ #### [Accessibility](accessibility-surface-hub.md) #### [Change the Surface Hub device account](change-surface-hub-device-account.md) #### [Device reset](device-reset-suface-hub.md) +#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your -surface-hub-meeting.md) #### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) #### [Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md) #### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md index 5e30b15a8a..4e46440aa0 100644 --- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md +++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md @@ -75,5 +75,13 @@ Accessibility features and apps are returned to default settings when **I'm Done The clipboard is cleared to remove data that was copied to the clipboard during the session. ## Frequently asked questions +**What happens if I forget to tap **I'm Done** at the end of a meeting, and someone else uses the Surface Hub later?**
+When you don't tap **I"m Done** at the end of your meeting, Surface Hub enters a Resume state. This is similar to leaving content on a whiteboard in a meeting room, and forgetting to erase the whiteboard. When you return to the meeting room, that content will still be on the whiteboard unless someone erarses it. With Surface Hub, meeting content is still available if an attendee doesn't tap **I'm Done**. However, Surface Hub removes all meeting data during daily maintenance. Any meeting that wasn't ended with **I'm Done** will be cleaned up during maintenance. + +**Are documents recoverable?**
+Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. 3rd-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. + +**Do the clean-up actions from **I'm Done** comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
+No. Currently, the clean-up actions from **I'm Done** do not comply with this standard. \ No newline at end of file From eb9290389d9671f9ce784afecfc3034d19c6166d Mon Sep 17 00:00:00 2001 
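Review bot: the TOC entry added in `devices/surface-hub/TOC.md` links to `i-am-done-finishing-your -surface-hub-meeting.md` with a space before `-surface-hub`, which does not match the file `i-am-done-finishing-your-surface-hub-meeting.md` that this same commit edits, so the link will 404. Suggest `#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)`.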
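Review bot: in the FAQ hunk of `i-am-done-finishing-your-surface-hub-meeting.md`, the first question nests bold inside bold (`**What happens if I forget to tap **I'm Done** at the end of a meeting ...**`), which closes the outer emphasis at the inner `**` and leaves the rest of the question as plain text with stray asterisks; `**Do the clean-up actions from **I'm Done** comply ...**` has the same problem. Drop the inner markers inside the bold questions, or make each question a heading. In the first answer, `**I"m Done**` uses a double quote instead of an apostrophe, and `erarses` should be `erases`; `3rd-party` is normally written `third-party`. Since the last two answers are security statements readers will act on (third-party tools might recover deleted files; the clean-up does not meet DoD 5220.22-M), consider telling readers what the supported path is when sanitization is required, if one exists, rather than ending on "No."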
From: Brian Lich Date: Thu, 19 May 2016 14:52:11 -0700 Subject: [PATCH 04/16] fixing spacing issues --- ...schema-extensions-to-support-tpm-backup.md | 16 +- ...ged-apps-to-existing-applocker-rule-set.md | 7 +- .../keep-secure/add-workstations-to-domain.md | 88 +++---- .../adjust-memory-quotas-for-a-process.md | 94 ++++---- windows/keep-secure/administer-applocker.md | 92 +++----- .../administer-security-policy-settings.md | 111 ++++++++- .../advanced-security-auditing-faq.md | 115 +++++---- .../keep-secure/advanced-security-auditing.md | 46 +--- windows/keep-secure/allow-log-on-locally.md | 100 ++++---- ...-log-on-through-remote-desktop-services.md | 94 ++++---- .../applocker-architecture-and-components.md | 17 +- windows/keep-secure/applocker-functions.md | 63 ++--- windows/keep-secure/applocker-overview.md | 155 ++++++------ .../applocker-policies-deployment-guide.md | 60 ++--- .../applocker-policies-design-guide.md | 63 ++--- .../applocker-policy-use-scenarios.md | 25 +- .../applocker-processes-and-interactions.md | 45 +++- windows/keep-secure/applocker-settings.md | 63 ++--- .../applocker-technical-reference.md | 76 ++---- ...-basic-audit-policy-on-a-file-or-folder.md | 13 +- windows/keep-secure/audit-account-lockout.md | 34 ++- .../audit-application-generated.md | 49 ++-- .../audit-application-group-management.md | 77 ++---- .../keep-secure/audit-audit-policy-change.md | 93 +++----- ...dit-the-access-of-global-system-objects.md | 207 ++++++---------- ...the-use-of-backup-and-restore-privilege.md | 81 +++---- .../audit-authentication-policy-change.md | 79 ++----- .../audit-authorization-policy-change.md | 56 ++--- .../audit-central-access-policy-staging.md | 32 +-- .../audit-certification-services.md | 185 ++++----------- .../audit-computer-account-management.md | 43 ++-- .../audit-credential-validation.md | 57 ++--- ...-detailed-directory-service-replication.md | 66 ++---- .../keep-secure/audit-detailed-file-share.md | 35 ++- 
.../audit-directory-service-access.md | 35 ++- .../audit-directory-service-changes.md | 59 ++--- .../audit-directory-service-replication.md | 37 ++- .../audit-distribution-group-management.md | 106 +++------ windows/keep-secure/audit-dpapi-activity.md | 48 ++-- windows/keep-secure/audit-file-share.md | 63 ++--- windows/keep-secure/audit-file-system.md | 44 ++-- .../audit-filtering-platform-connection.md | 80 ++----- .../audit-filtering-platform-packet-drop.md | 39 ++-- .../audit-filtering-platform-policy-change.md | 14 +- ...policy-subcategory-settings-to-override.md | 90 +++---- windows/keep-secure/audit-group-membership.md | 36 ++- .../keep-secure/audit-handle-manipulation.md | 47 ++-- windows/keep-secure/audit-ipsec-driver.md | 86 +++---- .../keep-secure/audit-ipsec-extended-mode.md | 109 ++------- windows/keep-secure/audit-ipsec-main-mode.md | 87 ++----- windows/keep-secure/audit-ipsec-quick-mode.md | 43 ++-- .../audit-kerberos-authentication-service.md | 43 ++-- ...udit-kerberos-service-ticket-operations.md | 39 ++-- windows/keep-secure/audit-kernel-object.md | 52 ++--- windows/keep-secure/audit-logoff.md | 42 ++-- windows/keep-secure/audit-logon.md | 51 ++-- .../audit-mpssvc-rule-level-policy-change.md | 100 +++----- .../audit-network-policy-server.md | 73 ++---- .../audit-non-sensitive-privilege-use.md | 45 ++-- .../audit-other-account-logon-events.md | 83 ++----- .../audit-other-account-management-events.md | 41 ++-- .../audit-other-logonlogoff-events.md | 80 ++----- .../audit-other-object-access-events.md | 91 +++----- .../audit-other-policy-change-events.md | 99 +++----- .../audit-other-privilege-use-events.md | 8 +- .../keep-secure/audit-other-system-events.md | 142 +++-------- windows/keep-secure/audit-pnp-activity.md | 34 ++- windows/keep-secure/audit-policy.md | 31 ++- windows/keep-secure/audit-process-creation.md | 38 ++- .../keep-secure/audit-process-termination.md | 37 ++- windows/keep-secure/audit-registry.md | 42 ++-- 
.../keep-secure/audit-removable-storage.md | 11 +- windows/keep-secure/audit-rpc-events.md | 33 ++- windows/keep-secure/audit-sam.md | 58 ++--- .../audit-security-group-management.md | 111 +++------ .../audit-security-state-change.md | 59 ++--- .../audit-security-system-extension.md | 57 ++--- .../audit-sensitive-privilege-use.md | 70 +++--- ...iately-if-unable-to-log-security-audits.md | 81 +++---- windows/keep-secure/audit-special-logon.md | 35 ++- windows/keep-secure/audit-system-integrity.md | 87 ++----- .../audit-user-account-management.md | 110 +++------ .../keep-secure/audit-user-device-claims.md | 11 +- .../back-up-files-and-directories.md | 95 ++++---- windows/plan/chromebook-migration-guide.md | 221 +++++++++++++++--- 85 files changed, 2243 insertions(+), 3427 deletions(-) diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md index 926c8832ea..214bc1763d 100644 --- a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md +++ b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md 
@@ -2,20 +2,28 @@ title: AD DS schema extensions to support TPM backup (Windows 10) description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AD DS schema extensions to support TPM backup + **Applies to** - Windows 10 + This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. + ## Why a schema extension is needed + The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. The following are the two schema extensions that you can use to bring your Windows Server 2008 R2 domain to parity with Windows Server 2012: + ### TpmSchemaExtension.ldf + This schema extension brings parity with the Windows Server 2012 schema and is required if you want to store the TPM owner authorization value for a computer running Windows 8 in a Windows Server 2008 R2 AD DS domain. With this extension the TPM owner authorization information will be stored in a separate TPM object linked to the corresponding computer object. 
+ ``` syntax #=============================================================================== # @@ -212,11 +220,13 @@ dn: CN=TPM Devices,DC=X changetype: add objectClass: msTPM-InformationObjectsContainer ``` + You should be aware that only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. If you are planning to support such scenarios, you will need to update the schema further as shown in the schema extension example, TpmSchemaExtensionACLChanges.ldf. + ### TpmSchemaExtensionACLChanges.ldf + This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. -**Important**   -After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects. +> **Important**  After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects.   ``` syntax #=============================================================================== diff --git a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index 3de0486b5b..c05eb4ebd2 100644 --- a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md 
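Review bot: the intro line `+ This topic provides more details about this change and provides template schema extensions ...` in the first hunk of `ad-ds-schema-extensions-to-support-tpm-backup.md` refers to "this change" without saying what changed; the body only explains it later under `## Why a schema extension is needed`. Suggest naming it up front, for example "more details about the change in how the TPM owner authorization value is stored in AD DS". Separately, this hunk (and every other file in this commit) moves `ms.pagetype: security` below `ms.sitesec: library` in the front matter, which is not a spacing fix; it is harmless, but the commit message "fixing spacing issues" should mention the metadata reorder so the diff is not a surprise.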
+++ b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -2,17 +2,22 @@ title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10) description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Add rules for packaged apps to existing AppLocker rule-set + **Applies to** - Windows 10 + This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). + You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center. + RSAT comes with the Group Policy Management Console which allows you to edit the GPO or GPOs where your existing AppLocker policy are authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8.     diff --git a/windows/keep-secure/add-workstations-to-domain.md b/windows/keep-secure/add-workstations-to-domain.md index a03bb784f4..7cdeb90a8b 100644 --- a/windows/keep-secure/add-workstations-to-domain.md +++ b/windows/keep-secure/add-workstations-to-domain.md 
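Review bot: `+RSAT comes with the Group Policy Management Console which allows you to edit the GPO or GPOs where your existing AppLocker policy are authored.` has a number-agreement error; read `where your existing AppLocker policies are authored` (or `policy is authored`), and add a comma before `which` since the clause is non-restrictive. The two trailing lines of non-breaking spaces at the end of this file are left in place even though the commit is a spacing cleanup; they render as empty paragraphs and should be removed.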
@@ -2,90 +2,94 @@ title: Add workstations to domain (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting. ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Add workstations to domain + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Add workstations to domain** security policy setting. + ## Reference + This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain. Adding a machine account to the domain allows the device to participate in Active Directory-based networking. + Constant: SeMachineAccountPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Configure this setting so that only authorized members of the IT team are allowed to add devices to the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\ + ### Default values + By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Not Defined

Stand-Alone Server Default Settings

Not Defined

Domain Controller Effective Default Settings

Authenticated Users

Member Server Effective Default Settings

Not Defined

Client Computer Effective Default Settings

Not Defined

-  + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Not Defined | +| Stand-Alone Server Default Settings | Not Defined | +| Domain Controller Effective Default Settings | Authenticated Users | +| Member Server Effective Default Settings | Not Defined | +| Client Computer Effective Default Settings | Not Defined | + ## Policy management + Users can also join a computer to a domain if they have the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they have the **Add workstations to domain** user right. + Furthermore, machine accounts that are created by means of the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created by means of permissions on the computer’s container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstation to domain** user right, the device is added based on the computer container permissions rather than the user right. + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. 
+ ## Security considerations + This policy has the following security considerations: + ### Vulnerability -The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group. + +The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative +privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group. + ### Countermeasure + Configure this setting so that only authorized members of the IT team are allowed to add computers to the domain. + ### Potential impact + For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It does not affect existing computers unless they are removed from and then added to the domain. 
+ ## Related topics -[User Rights Assignment](user-rights-assignment.md) +- [User Rights Assignment](user-rights-assignment.md)     diff --git a/windows/keep-secure/adjust-memory-quotas-for-a-process.md b/windows/keep-secure/adjust-memory-quotas-for-a-process.md index b97b1d7de9..4568ef9fe0 100644 --- a/windows/keep-secure/adjust-memory-quotas-for-a-process.md +++ b/windows/keep-secure/adjust-memory-quotas-for-a-process.md 
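Review bot: in the `### Vulnerability` paragraph of `add-workstations-to-domain.md`, the rewritten text hard-wraps mid-sentence (`... does not want its users to have administrative` / `privileges on their devices ...`) while every other paragraph in the file is a single line; rejoin it so the source stays consistent and future diffs stay readable. In `## Policy management`, `the **Add workstation to domain** user right` is singular, but the setting is named **Add workstations to domain** everywhere else in the topic, including the title; fix the bold name so searches for the setting match. The HTML-to-Markdown table conversion itself checks out: all six rows carry the same values as the removed HTML (Not Defined everywhere except Domain Controller Effective Default Settings, which is Authenticated Users).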
@@ -2,101 +2,91 @@ title: Adjust memory quotas for a process (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Adjust memory quotas for a process security policy setting. ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Adjust memory quotas for a process + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Adjust memory quotas for a process** security policy setting. + ## Reference + This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis. + This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers. + Constant: SeIncreaseQuotaPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + 1. Restrict the **Adjust memory quotas for a process** user right to only users who require the ability to adjust memory quotas to perform their jobs. 2. If this user right is necessary for a user account, it can be assigned to a local machine account instead of to a domain account. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\ + ### Default values + By default, members of the Administrators, Local Service, and Network Service groups have this right. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Administrators

-

Local Service

-

Network Service

Default Domain Controller Policy

Administrators

-

Local Service

-

Network Service

Stand-Alone Server Default Settings

Administrators

-

Local Service

-

Network Service

Domain Controller Effective Default Settings

Administrators

-

Local Service

-

Network Service

Member Server Effective Default Settings

Administrators

-

Local Service

-

Network Service

Client Computer Effective Default Settings

Administrators

-

Local Service

-

Network Service

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Administrators
Local Service
Network Service | +| Default Domain Controller Policy | Administrators
Local Service
Network Service | +| Stand-Alone Server Default Settings | Administrators
Local Service
Network Service | +| Domain Controller Effective Default Settings | Administrators
Local Service
Network Service | +| Member Server Effective Default Settings | Administrators
Local Service
Network Service | +| Client Computer Effective Default Settings | Administrators
Local Service
Network Service |   ## Policy management + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A user with the **Adjust memory quotas for a process** privilege can reduce the amount of memory that is available to any process, which could cause business-critical network applications to become slow or to fail. This privilege could be used by a malicious user to start a denial-of-service (DoS) attack. + ### Countermeasure + Restrict the **Adjust memory quotas for a process** user right to users who require it to perform their jobs, such as application administrators who maintain database management systems or domain administrators who manage the organization's directory and its supporting infrastructure. + ### Potential impact + Organizations that have not restricted users to roles with limited privileges may find it difficult to impose this countermeasure. Also, if you have installed optional components such as ASP.NET or IIS, you may need to assign the **Adjust memory quotas for a process** user right to additional accounts that are required by those components. IIS requires that this privilege be explicitly assigned to the IWAM\_<ComputerName>, Network Service, and Service accounts. 
Otherwise, this countermeasure should have no impact on most computers. If this user right is necessary for a user account, it can be assigned to a local computer account instead of to a domain account. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) +- [User Rights Assignment](user-rights-assignment.md)     diff --git a/windows/keep-secure/administer-applocker.md b/windows/keep-secure/administer-applocker.md index c9bbf2a122..232b69b1ef 100644 --- a/windows/keep-secure/administer-applocker.md +++ b/windows/keep-secure/administer-applocker.md 
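Review bot: in the `### Potential impact` paragraph of `adjust-memory-quotas-for-a-process.md`, `IWAM\_<ComputerName>` leaves `<ComputerName>` unescaped; Markdown renderers pass it through as an inline HTML tag and browsers discard it, so the account name displays as `IWAM_`. Escape it (`IWAM\_\<ComputerName\>`) or put it in backticks. That paragraph is also hard-wrapped mid-sentence before `Otherwise, this countermeasure should have no impact ...` while the rest of the file uses one line per paragraph. In the Default values table, each value cell lists Administrators, Local Service and Network Service on separate lines; a Markdown table row must stay on one physical line, so make sure those are `<br>` separators rather than newlines, otherwise the whole table renders as plain text.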
@@ -2,98 +2,66 @@ title: Administer AppLocker (Windows 10) description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Administer AppLocker + **Applies to** - Windows 10 + This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. + AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can: + - Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. - Assign a rule to a security group or an individual user. - Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe). - Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten. - Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets. -**Note**   -For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). 
+> **Note**  For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).   ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Maintain AppLocker policies](maintain-applocker-policies.md)

This topic describes how to maintain rules within AppLocker policies.

[Edit an AppLocker policy](edit-an-applocker-policy.md)

This topic for IT professionals describes the steps required to modify an AppLocker policy.

[Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)

This topic discusses the steps required to test an AppLocker policy prior to deployment.

[Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)

This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.

[Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md)

This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.

[Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)

This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.

[Optimize AppLocker performance](optimize-applocker-performance.md)

This topic for IT professionals describes how to optimize AppLocker policy enforcement.

[Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)

This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied.

[Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)

This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.

[Working with AppLocker rules](working-with-applocker-rules.md)

This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.

[Working with AppLocker policies](working-with-applocker-policies.md)

This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies.

-  + +| Topic | Description | +| - | - | +| [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. | +| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. | +| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. | +| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. | +| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. | +| [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) | This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. | +| [Optimize AppLocker performance](optimize-applocker-performance.md) | This topic for IT professionals describes how to optimize AppLocker policy enforcement. | +| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. | +| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. 
| +| [Working with AppLocker rules](working-with-applocker-rules.md) | This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. | +| [Working with AppLocker policies](working-with-applocker-policies.md) | This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. | + ## Using the MMC snap-ins to administer AppLocker + You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc). + ### Administer Applocker using Group Policy + You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer. + 1. Open the Group Policy Management Console (GPMC). 2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**. 3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for. + ### Administer AppLocker on the local PC + 1. Click **Start**, type **local security policy**, and then click **Local Security Policy**. 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for. 
+ ## Using Windows PowerShell to administer AppLocker + For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](http://technet.microsoft.com/library/hh847210.aspx).     diff --git a/windows/keep-secure/administer-security-policy-settings.md b/windows/keep-secure/administer-security-policy-settings.md index 7bf3505369..59bc1ce37f 100644 --- a/windows/keep-secure/administer-security-policy-settings.md +++ b/windows/keep-secure/administer-security-policy-settings.md 
@@ -2,28 +2,39 @@ title: Administer security policy settings (Windows 10) description: This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. ms.assetid: 7617d885-9d28-437a-9371-171197407599 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Administer security policy settings + **Applies to** - Windows 10 + This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. + Security policy settings should be used as part of your overall security implementation to help secure domain controllers, servers, client devices, and other resources in your organization. + Security settings policies are rules that you can configure on a device, or multiple devices, for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in (Gpedit.msc) allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, and organizational units, and they enable administrators to manage security settings for multiple computers from any device joined to the domain. + Security settings can control: + - User authentication to a network or device. - The resources that users are permitted to access. - Whether to record a user’s or group’s actions in the event log. - Membership in a group. + For info about each setting, including descriptions, default settings, and management and security considerations, see [Security policy settings reference](security-policy-settings-reference.md). + To manage security configurations for multiple computers, you can use one of the following options: - Edit specific security settings in a GPO. 
- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security. + ## What’s changed in how settings are administered? + Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered. @@ -82,7 +93,9 @@ Over time, new ways to manage security policy settings have been introduced, whi
  ## Using the Local Security Policy snap-in + The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features: + - Account Policies - Local Policies - Windows Firewall with Advanced Security 
@@ -92,26 +105,40 @@ The Local Security Policy snap-in (Secpol.msc) restricts the view of local polic - Application Control Policies - IP Security Policies on Local Computer - Advanced Audit Policy Configuration + Policies set locally might be overwritten if the computer is joined to the domain. + The Local Security Policy snap-in is part of the Security Configuration Manager tool set. For info about other tools in this tool set, see [Working with the Security Configuration Manager](#bkmk-scmtool) in this topic. + ## Using the secedit command-line tool + The secedit command-line tool works with security templates and provides six primary functions: + - The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server. - The **Analyze** parameter compares the server’s security configuration with the selected template. - The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also. - The **Export** parameter allows you to export the settings from a database into a security settings template. - The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue. - The **Generate Rollback** parameter saves the server’s current security settings into a security template so it can be used to restore most of the server’s security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template. 
+ ## Using the Security Compliance Manager + The Security Compliance Manager is a downloadable tool that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and for Microsoft applications. It contains a complete database of recommended security settings, methods to customize your baselines, and the option to implement those settings in multiple formats—including XLS, GPOs, Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP). The Security Compliance Manager is used to export the baselines to your environment to automate the security baseline deployment and compliance verification process. + **To administer security policies by using the Security Compliance Manager** + 1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](http://blogs.technet.com/b/secguide/) blog. 2. Read the relevant security baseline documentation that is included in this tool. 3. Download and import the relevant security baselines. The installation process steps you through baseline selection. 4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines. + ## Using the Security Configuration Wizard -The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller. 
+ +The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. +SCW is a role-based tool: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller. + The following are considerations for using SCW: + - SCW disables unnecessary services and provides Windows Firewall with Advanced Security support. - Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file. - You can deploy security policies that you create with SCW by using Group Policy. 
@@ -119,19 +146,25 @@ The following are considerations for using SCW: - SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles. - All apps that use the IP protocol and ports must be running on the server when you run SCW. - In some cases, you must be connected to the Internet to use the links in the SCW help. -**Note**   -The SCW is available only on Windows Server and only applicable to server installations. +> **Note**  The SCW is available only on Windows Server and only applicable to server installations.   The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to: + - Create a security policy that can be applied to any server on your network. - Edit an existing security policy. - Apply an existing security policy. - Roll back the last applied security policy. + The Security Policy Wizard configures services and network security based on the server’s role, as well as configures auditing and registry settings. + For more information about SCW, including procedures, see [Security Configuration Wizard](http://technet.microsoft.com/library/cc754997.aspx). + ## Working with the Security Configuration Manager + The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain. + For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](http://technet.microsoft.com/library/cc758219(WS.10).aspx). + The following table lists the features of the Security Configuration Manager. @@ -169,18 +202,32 @@ The following table lists the features of the Security Configuration Manager.
  ### Security Configuration and Analysis + Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security. + ### Security analysis + The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This means that a computer may no longer meet the requirements for enterprise security. + Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time. -Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. + +Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security +Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. + ### Security configuration + Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. This immediately configures the system security with the levels specified in the template. 
+ ### Security templates + With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It is a single point of entry where the full range of system security can be taken into account. The Security Templates snap-in does not introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration. + Importing a security template to a Group Policy Object eases domain administration by configuring security for a domain or organizational unit at once. + To apply a security template to your local device, you can use Security Configuration and Analysis or the secedit command-line tool. + Security templates can be used to define: + - Account Policies - Password Policy - Account Lockout Policy 
@@ -194,67 +241,105 @@ Security templates can be used to define: - System Services: Startup and permissions for system services - Registry: Permissions for registry keys - File System: Permissions for folders and files + Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template. + ### Security settings extension to Group Policy + Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you change the security configuration of the Group Policy Object, in turn, affecting multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain. + Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. Security settings can control: + - How users are authenticated to a network or device - What resources users are authorized to use. - Whether or not a user's or group's actions are recorded in the event log. - Group membership. + You can change the security configuration on multiple computers in two ways: + - Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object. - Change a few select settings with security settings. + ### Local Security Policy + A security policy is a combination of security settings that affect the security on a device. You can use your local security policy to edit account policies and local policies on your local device + With the local security policy, you can control: + - Who accesses your device. - What resources users are authorized to use on your device. 
- Whether or not a user’s or group's actions are recorded in the event log. + If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence. + 1. Organizational unit policy 2. Domain policy 3. Site policy 4. Local computer policy + If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts. + ### Using the Security Configuration Manager + For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](http://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about: + - [Applying security settings](#bkmk-applysecsettings) - [Importing and exporting security templates](#bkmk-impexpsectmpl) - [Analyzing security and viewing results](#bkmk-anasecviewresults) - [Resolving security discrepancies](#bkmk-resolvesecdiffs) - [Automating security configuration tasks](#bkmk-autoseccfgtasks) + ### Applying security settings + Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object: + - When a device is restarted, the settings on that device will be refreshed. - To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe. 
+ **Precedence of a policy when more than one policy is applied to a computer** + For security settings that are defined by more than one policy, the following order of precedence is observed: + 1. Organizational Unit Policy 2. Domain Policy 3. Site Policy 4. Local computer Policy -For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence. -**Note**   -Use gpresult.exe to find out what policies are applied to a device and in what order. + +For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override +both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence. +> **Note**  Use gpresult.exe to find out what policies are applied to a device and in what order. For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.   **Persistence in security settings** + Security settings may still persist even if a setting is no longer defined in the policy that originally applied it. + Persistence in security settings occurs when: + - The setting has not been previously defined for the device. - The setting is for a registry object. 
- The setting is for a file system object. + All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing." + Registry and file settings will maintain the values applied through policy until that setting is set to other values. + **Filtering security settings based on group membership** + You can also decide what users or groups will or will not have a Group Policy Object applied to them regardless of what computer they have logged onto by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy. + ### Importing and exporting security templates + Security Configuration and Analysis provides the ability to import and export security templates into or from a database. + If you have made any changes to the analysis database, you can save those settings by exporting them into a template. The export feature provides the ability to save the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object. + ### Analyzing security and viewing results + Security Configuration and Analysis performs security analysis by comparing the current state of system security against an *analysis database*. During creation, the analysis database uses at least one security template. 
If you choose to import more than one security template, the database will merge the various templates and create one composite template. It resolves conflicts in order of import; the last template that is imported takes precedence. + Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click **Properties**. + @@ -292,18 +377,24 @@ Security Configuration and Analysis displays the analysis results by security ar
  If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis. + To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template. + ### Resolving security discrepancies + You can resolve discrepancies between analysis database and system settings by: + - Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**. - Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels. - Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system. Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file. You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. 
In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object. + ### Automating security configuration tasks + By calling the secedit.exe tool at a command prompt from a batch file or automatic task scheduler, you can use it to automatically create and apply templates, and analyze system security. You can also run it dynamically from a command prompt. Secedit.exe is useful when you have multiple devices on which security must be analyzed or configured, and you need to perform these tasks during off-hours. + ## Working with Group Policy tools + Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop. -  -  diff --git a/windows/keep-secure/advanced-security-auditing-faq.md b/windows/keep-secure/advanced-security-auditing-faq.md index e41d1389f7..eef52f8d63 100644 --- a/windows/keep-secure/advanced-security-auditing-faq.md +++ b/windows/keep-secure/advanced-security-auditing-faq.md 
@@ -2,16 +2,20 @@ title: Advanced security auditing FAQ (Windows 10) description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Advanced security auditing FAQ + **Applies to** - Windows 10 + This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. + - [What is Windows security auditing and why might I want to use it?](#bkmk-1) - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#bkmk-2) - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#bkmk-3) 
@@ -30,100 +34,118 @@ This topic for the IT professional lists questions and answers about understandi - [What are the best tools to model and manage audit policy?](#bkmk-17) - [Where can I find information about all the possible events that I might receive?](#bkmk-11) - [Where can I find more detailed information?](#bkmk-18) + ## What is Windows security auditing and why might I want to use it? + Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is more narrowly defined as the features and services that enable an administrator to log and review events for specified security-related activities. + Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities. + ## What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration? + The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. + There are a number of additional differences between the security audit policy settings in these two locations. -There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. 
The settings available in **Security Settings\\Advanced Audit Policy Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking. + +There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy +Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking. + In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing. 
+ The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later. + ## What is the interaction between basic audit policy settings and advanced audit policy settings? + Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings. + Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied. 
-**Important**   -Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting. + +> **Important**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting. + If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   ## How are audit settings merged by Group Policy? + By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level. + For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). 
+ The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Auditing subcategorySetting configured in an OU GPO (higher priority)Setting configured in a domain GPO (lower priority)Resulting policy for the target computer

Detailed File Share Auditing

Success

Failure

Success

Process Creation Auditing

Disabled

Success

Disabled

Logon Auditing

Success

Failure

Failure

-  + + +| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer | +| - | - | - | -| +| Detailed File Share Auditing | Success | Failure | Success | +| Process Creation Auditing | Disabled | Success | Disabled | +| Logon Auditing | Success | Failure | Failure | + ## What is the difference between an object DACL and an object SACL? + All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs: + - A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access - A system access control list (SACL) that controls how access is audited + The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access. + If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing is not completely configured unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied. + ## Why are audit policies applied on a per-computer basis rather than per user? 
+ In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer. + In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user. + However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + ## What are the differences in auditing functionality between versions of Windows? + Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. 
Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings. + ## Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server? + To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported. + ## What is the difference between success and failure events? Is something wrong if I get a failure audit? + A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully. + A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully. + The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may simply mean that a user mistyped his or her password. + ## How can I set an audit policy that affects all objects on a computer? + System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL. Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. 
This can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy. + ## How do I figure out why someone was able to access a resource? + Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting. + ## How do I know when changes are made to access control settings, by whom, and what the changes were? + To track access control changes on computers running Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs: - **Audit File System** subcategory: Enable for success, failure, or success and failure - **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure - A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor + In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory. + ## How can I roll back security audit policies from the advanced audit policy to the basic audit policy? 
+ Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you subsequently change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings: + 1. Set all Advanced Audit Policy subcategories to **Not configured**. 2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller. 3. Reconfigure and apply the basic audit policy settings. + Unless you complete all of these steps, the basic audit policy settings will not be restored. + ## How can I monitor if changes are made to audit policy settings? + Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place: + - Permissions and audit settings on the audit policy object are changed - The system audit policy is changed - Security event sources are registered or unregistered 
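Review bot: In the advanced-security-auditing-faq.md hunk ending at "Security event sources are registered or unregistered", the added version list reads "Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2" and is missing the comma between "Windows Server 2012" and "Windows 7". Two further items in the same hunk: the Payroll Data example ends "only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events", which should read "generate audit events"; and the answer to "What are the differences in auditing functionality between versions of Windows?" states that advanced audit policy settings "were introduced in Windows Vista and Windows Server 2008" and, in the very next sentence, that they "were introduced in Windows 7 and Windows Server 2008 R2". Since the hunk already touches the surrounding lines, suggest rewording the second sentence to say that configuring and applying the advanced settings through local and domain Group Policy was added in Windows 7 and Windows Server 2008 R2, which is what the later "integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2" sentence in this file says.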
@@ -131,20 +153,31 @@ Changes to security audit policies are critical security events. You can use the - The value of **CrashOnAuditFail** is modified - Audit settings on a file or registry key are changed - A Special Groups list is changed + ## How can I minimize the number of events that are generated? + Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md). + ## What are the best tools to model and manage audit policies? + The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies. On an individual computer, the Auditpol command-line tool can be used to complete a number of important audit policy–related management tasks. + In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data. + ## Where can I find information about all the possible events that I might receive? 
+ Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources: + - [Windows 8 and Windows Server 2012 Security Event Details](http://www.microsoft.com/download/details.aspx?id=35753) - [Security Audit Events for Windows 7 and Windows Server 2008 R2](http://go.microsoft.com/fwlink/p/?linkid=157780) - [Security Audit Events for Windows Server 2008 and Windows Vista](http://go.microsoft.com/fwlink/p/?linkid=121868) - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + ## Where can I find more detailed information? + To learn more about security audit policies, see the following resources: + - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) - [Security Monitoring and Attack Detection Planning Guide](http://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx) - [Security Audit Events for Windows 7 and Windows Server 2008 R2](http://go.microsoft.com/fwlink/p/?linkid=157780) diff --git a/windows/keep-secure/advanced-security-auditing.md b/windows/keep-secure/advanced-security-auditing.md index b0a362ac4a..5ed85a625d 100644 --- a/windows/keep-secure/advanced-security-auditing.md +++ b/windows/keep-secure/advanced-security-auditing.md 
@@ -2,48 +2,26 @@ title: Advanced security audit policies (Windows 10) description: Advanced security audit policy settings are found in Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently. ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Advanced security audit policies + **Applies to** - Windows 10 + Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)

This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.

[Advanced security auditing FAQ](advanced-security-auditing-faq.md)

This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.

[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)

This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.

[Advanced security audit policy settings](advanced-security-audit-policy-settings.md)

This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.

-  -  -  + +| Topic | Description | +| - | - | +| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies | +| [Advanced security auditing FAQ](advanced-security-auditing-faq.md) | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. +| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. +| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md index 997c23bdaa..fdfa7ab402 100644 --- a/windows/keep-secure/allow-log-on-locally.md +++ b/windows/keep-secure/allow-log-on-locally.md 
@@ -2,118 +2,106 @@ title: Allow log on locally (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting. ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Allow log on locally + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Allow log on locally** security policy setting. + ## Reference + This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller. -**Note**   -Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right. +> **Note:**  Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right.   Constant: SeInteractiveLogonRight + ### Possible values + - User-defined list of accounts - Not Defined + By default, the members of the following groups have this right on workstations and servers: + - Administrators - Backup Operators - Users + By default, the members of the following groups have this right on domain controllers: + - Account Operators - Administrators - Backup Operators - Print Operators - Server Operators + ### Best practices + 1. Restrict this user right to legitimate users who must log on to the console of the device. 2. If you selectively remove default groups, you can limit the abilities of users who are assigned to specific administrative roles in your organization. 
+ ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Account Operators

-

Administrators

-

Backup Operators

-

Print Operators

-

Server Operators

Stand-Alone Server Default Settings

Administrators

-

Backup Operators

-

Users

Domain Controller Effective Default Settings

Account Operators

-

Administrators

-

Backup Operators

-

Print Operators

-

Server Operators

Member Server Effective Default Settings

Administrators

-

Backup Operators

-

Users

Client Computer Effective Default Settings

Administrators

-

Backup Operators

-

Users

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy| Not Defined | +| Default Domain Controller Policy | Account Operators
Administrators
Backup Operators
Print Operators
Server Operators | +| Stand-Alone Server Default Settings| Administrators
Backup Operators
Users | +| Domain Controller Effective Default Settings | Account Operators
Administrators
Backup Operators
Print Operators
Server Operators | +| Member Server Effective Default Settings | Administrators
Backup Operators
Users | +| Client Computer Effective Default Settings | Administrators
Backup Operators
Users |   ## Policy management + Restarting the device is not required to implement this change. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Modifying this setting might affect compatibility with clients, services, and applications. Use caution when removing service accounts that are used by components and by programs on member devices and on domain controllers in the domain from the default domain controller's policy. Also use caution when removing users or security groups that log on to the console of member devices in the domain, or removing service accounts that are defined in the local Security Accounts Manager (SAM) database of member devices or of workgroup devices. If you want to grant a user account the ability to log on locally to a domain controller, you must make that user a member of a group that already has the **Allowed logon locally** system right or grant the right to that user account. The domain controllers in the domain share the Default Domain Controllers Group Policy Object (GPO). When you grant an account the **Allow logon locally** right, you are allowing that account to log on locally to all domain controllers in the domain. If the Users group is listed in the **Allow log on locally** setting for a GPO, all domain users can log on locally. The Users built-in group contains Domain Users as a member. + ### Group Policy + Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. 
+ ### Vulnerability + Any account with the **Allow log on locally** user right can log on to the console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. + ### Countermeasure + For domain controllers, assign the **Allow log on locally** user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators. For end-user computers, you should also assign this right to the Users group. Alternatively, you can assign groups such as Account Operators, Server Operators, and Guests to the **Deny log on locally** user right. + ### Potential impact + If you remove these default groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Allow log on locally** user right to additional accounts that are required by those components. IIS requires that this user right be assigned to the IUSR\_*<ComputerName>* account. You should confirm that delegated activities are not adversely affected by any changes that you make to the **Allow log on locally** user rights assignments. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) +- [User Rights Assignment](user-rights-assignment.md)     diff --git a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md index 53a391cc89..cc51c9cbea 100644 --- a/windows/keep-secure/allow-log-on-through-remote-desktop-services.md +++ b/windows/keep-secure/allow-log-on-through-remote-desktop-services.md 
@@ -2,97 +2,99 @@ title: Allow log on through Remote Desktop Services (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Allow log on through Remote Desktop Services + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Allow log on through Remote Desktop Services** security policy setting. + ## Reference + This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server. + Constant: SeRemoteInteractiveLogonRight + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, members of the Administrators group have this right on domain controllers, workstations, and servers. The Remote Desktops Users group also has this right on workstations and servers. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

Stand-Alone Server Default Settings

Administrators

-

Remote Desktop Users

Domain Controller Effective Default Settings

Administrators

Member Server Effective Default Settings

Administrators

-

Remote Desktop Users

Client Computer Effective Default Settings

Administrators

-

Remote Desktop Users

-  + + +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Administrators | +| Stand-Alone Server Default Settings | Administrators
Remote Desktop Users | +| Domain Controller Effective Default Settings | Administrators | +| Member Server Effective Default Settings | Administrators
Remote Desktop Users | +| Client Computer Effective Default Settings | Administrators
Remote Desktop Users | + ## Policy management + This section describes different features and tools available to help you manage this policy. + ### Group Policy + To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the **Allow log on through Remote Desktop Services** right. It is possible for a user to establish an Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server. + To exclude users or groups, you can assign the **Deny log on through Remote Desktop Services** user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the **Allow log on through Remote Desktop Services** user right. + For more information, see [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md). + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + Group Policy settings are applied through GPOs in the following order, which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Any account with the **Allow log on through Remote Desktop Services** user right can log on to the remote console of the device. 
If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. + ### Countermeasure + For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups. -**Caution**   -For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default. + +> **Caution:**  For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default.   Alternatively, you can assign the **Deny log on through Remote Desktop Services** user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the **Deny log on through Remote Desktop Services** user right. + ### Potential impact + Removal of the **Allow log on through Remote Desktop Services** user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected. 
+ ## Related topics -[User Rights Assignment](user-rights-assignment.md) + +- [User Rights Assignment](user-rights-assignment.md)     diff --git a/windows/keep-secure/applocker-architecture-and-components.md b/windows/keep-secure/applocker-architecture-and-components.md index e91704b0e9..39e8bbf34c 100644 --- a/windows/keep-secure/applocker-architecture-and-components.md +++ b/windows/keep-secure/applocker-architecture-and-components.md 
@@ -2,25 +2,38 @@ title: AppLocker architecture and components (Windows 10) description: This topic for IT professional describes AppLocker’s basic architecture and its major components. ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker architecture and components + **Applies to** - Windows 10 + This topic for IT professional describes AppLocker’s basic architecture and its major components. + AppLocker relies on the Application Identity service to provide attributes for a file and to evaluate the AppLocker policy for the file. AppLocker policies are conditional access control entries (ACEs), and policies are evaluated by using the attribute-based access control **SeAccessCheckWithSecurityAttributes** or **AuthzAccessCheck** functions. + AppLocker provides three ways to intercept and validate if a file is allowed to execute according to an AppLocker policy. + **A new process is created** + When a new process is created, such as an executable file or a Universal Windows app is run, AppLocker invokes the Application Identity component to calculate the attributes of the main executable file used to create a new process. It then updates the new process's token with these attributes and checks the AppLocker policy to verify that the executable file is allowed to run. + **A DLL is loaded** + When a new DLL loads, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process. 
+ **A script is run** + Before a script file is run, the script host (for example. for .ps1 files the script host is PowerShell) invokes AppLocker to verify the script. AppLocker invokes the Application Identity component in user-mode with the file name or file handle to calculate the file properties. The script file then is evaluated against the AppLocker policy to verify that it is allowed to run. In each case, the actions taken by AppLocker are written to the event log. + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) + +- [AppLocker technical reference](applocker-technical-reference.md)     diff --git a/windows/keep-secure/applocker-functions.md b/windows/keep-secure/applocker-functions.md index 38ca82ba69..d3ab5362dd 100644 --- a/windows/keep-secure/applocker-functions.md +++ b/windows/keep-secure/applocker-functions.md @@ -2,18 +2,24 @@ title: AppLocker functions (Windows 10) description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker functions + **Applies to** - Windows 10 + This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. + ## Functions + The following list includes the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2 and links to current documentation on MSDN: + - [SaferGetPolicyInformation Function](http://go.microsoft.com/fwlink/p/?LinkId=159781) - [SaferCreateLevel Function](http://go.microsoft.com/fwlink/p/?LinkId=159782) - [SaferCloseLevel Function](http://go.microsoft.com/fwlink/p/?LinkId=159783) 
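Review bot: In applocker-architecture-and-components.md, the sentence in the "A script is run" block still reads "(for example. for .ps1 files the script host is PowerShell)"; since this block is being touched, the period after "for example" should become a comma. The intro line "This topic for IT professional describes AppLocker's basic architecture" should also read "This topic for the IT professional describes", matching the wording the other topics in this commit use.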
@@ -22,52 +28,23 @@ The following list includes the SRP functions beginning with Windows Server 200 - [SaferGetLevelInformation Function](http://go.microsoft.com/fwlink/p/?LinkId=159787) - [SaferRecordEventLogEntry Function](http://go.microsoft.com/fwlink/p/?LinkId=159789) - [SaferiIsExecutableFileType Function](http://go.microsoft.com/fwlink/p/?LinkId=159790) + ## Security level ID + AppLocker and SRP use the security level IDs to stipulate the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Security level IDSRPAppLocker

SAFER_LEVELID_FULLYTRUSTED

Supported

Supported

SAFER_LEVELID_NORMALUSER

Supported

Not supported

SAFER_LEVELID_CONSTRAINED

Supported

Not supported

SAFER_LEVELID_UNTRUSTED

Supported

Not supported

SAFER_LEVELID_DISALLOWED

Supported

Supported

+ +| Security level ID | SRP | AppLocker | +| - | - | - | +| SAFER_LEVELID_FULLYTRUSTED | Supported | Supported | +| SAFER_LEVELID_NORMALUSER | Supported | Not supported | +| SAFER_LEVELID_CONSTRAINED | Supported | Not supported | +| SAFER_LEVELID_UNTRUSTED | Supported | Not supported | +| SAFER_LEVELID_DISALLOWED | Supported | Supported |   In addition, URL zone ID is not supported in AppLocker. + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) + +- [AppLocker technical reference](applocker-technical-reference.md)     diff --git a/windows/keep-secure/applocker-overview.md b/windows/keep-secure/applocker-overview.md index 27ac2175a6..6918af6f1e 100644 --- a/windows/keep-secure/applocker-overview.md +++ b/windows/keep-secure/applocker-overview.md 
@@ -2,42 +2,66 @@ title: AppLocker (Windows 10) description: This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker + **Applies to** - Windows 10 + This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. + AppLocker can help you: + - Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash. - Assign a rule to a security group or an individual user. - Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe). - Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object. - Simplify creating and managing AppLocker rules by using Windows PowerShell. + AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. 
AppLocker addresses the following app security scenarios: + - **Application inventory** + AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically. + - **Protection against unwanted software** + AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that are not included in the allowed rules are blocked from running. + - **Licensing conformance** + AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users. + - **Software standardization** + AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment. + - **Manageability improvement** + AppLocker includes a number of improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies. + ## New and changed functionality + To find out what's new in AppLocker for Windows 10, see [What's new in AppLocker?](../whats-new/applocker.md) + ## When to use AppLocker + In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access. + However, when a user runs a process, that process has the same level of access to data that the user has. 
As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful to control who can install and run ActiveX controls. + AppLocker is ideal for organizations that currently use Group Policy to manage their PCs. + The following are examples of scenarios in which AppLocker can be used: + - Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users. - An app is no longer supported by your organization, so you need to prevent it from being used by everyone. - The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat. 
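Review bot: In applocker-overview.md, the scenario list under "AppLocker addresses the following app security scenarios" now has an added blank line between each bold bullet (for example "- **Application inventory**") and the paragraph that describes it; unless that paragraph is indented to the bullet's content, the blank line ends the list and each description renders as a stand-alone paragraph rather than as part of its bullet. Either indent the description under its bullet or drop the added blank lines in that list.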
@@ -47,116 +71,67 @@ The following are examples of scenarios in which AppLocker can be used: - A single user or small group of users needs to use a specific app that is denied for all others. - Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps. - In addition to other measures, you need to control the access to sensitive data through app usage. + AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. + ## System requirements + AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. Group Policy is required to distribute Group Policy Objects that contain AppLocker policies. For more info, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). + AppLocker rules can be created on domain controllers. + ## Installing AppLocker + AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC). -**Note**   -The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature. + +> **Note:**  The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.   
### Using AppLocker on Server Core + AppLocker on Server Core installations is not supported. + ### Virtualization considerations + You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you do risk losing the policies that you created and maintain if the virtualized instance is removed or fails. + ### Security considerations + Application control policies specify which apps are allowed to run on the local computer. + The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer. + The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers. + A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies. + For additional information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). + When you use AppLocker to create application control policies, you should be aware of the following security considerations: + - Who has the rights to set AppLocker policies? - How do you validate that the policies are enforced? - What events should you audit? 
+ For reference in your security planning, the following table identifies the baseline settings for a PC with AppLocker installed: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SettingDefault value

Accounts created

None

Authentication method

Not applicable

Management interfaces

AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell

Ports opened

None

Minimum privileges required

Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects.

Protocols used

Not applicable

Scheduled Tasks

Appidpolicyconverter.exe is put in a scheduled task to be run on demand.

Security Policies

None required. AppLocker creates security policies.

System Services required

Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation.

Storage of credentials

None

+ +| Setting | Default value | +| - | - | +| Accounts created | None | +| Authentication method | Not applicable | +| Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell | +| Ports opened | None | +| Minimum privileges required | Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects. | +| Protocols used | Not applicable | +| Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand. | +| Security Policies | None required. AppLocker creates security policies. | +| System Services required |Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. | +| Storage of credentials | None |   ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Administer AppLocker](administer-applocker.md)

This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.

[AppLocker design guide](applocker-policies-design-guide.md)

This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker.

[AppLocker deployment guide](applocker-policies-deployment-guide.md)

This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.

[AppLocker technical reference](applocker-technical-reference.md)

This overview topic for IT professionals provides links to the topics in the technical reference.

-  -  -  + +| Topic | Description | +| - | - | +| [Administer AppLocker](administer-applocker.md) | This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. | +| [AppLocker design guide](applocker-policies-design-guide.md) | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. | +| [AppLocker deployment guide](applocker-policies-deployment-guide.md) | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. | +| [AppLocker technical reference](applocker-technical-reference.md) | This overview topic for IT professionals provides links to the topics in the technical reference. | diff --git a/windows/keep-secure/applocker-policies-deployment-guide.md b/windows/keep-secure/applocker-policies-deployment-guide.md index b9f0050193..f0bce74c2a 100644 --- a/windows/keep-secure/applocker-policies-deployment-guide.md +++ b/windows/keep-secure/applocker-policies-deployment-guide.md 
@@ -2,20 +2,29 @@ title: AppLocker deployment guide (Windows 10) description: This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + + # AppLocker deployment guide + **Applies to** - Windows 10 + This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. + This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change. + This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see [Using Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) in this guide. To understand if AppLocker is the correct application control solution for you, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). + ## Prerequisites to deploying AppLocker policies + The following are prerequisites or recommendations to deploying policies: + - Understand the capabilities of AppLocker: - [AppLocker](applocker-overview.md) - Document your application control policy deployment plan by addressing these tasks: 
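Review bot: In applocker-policies-deployment-guide.md, two blank lines are added between the closing "---" of the front matter and "# AppLocker deployment guide" ("+ + # AppLocker deployment guide"), whereas every other topic in this commit adds one; drop the extra blank line for consistency.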
@@ -27,43 +36,18 @@ The following are prerequisites or recommendations to deploying policies: - [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md) + ## Contents of this guide + This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running any of the supported versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)

This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies.

[Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md)

This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies.

[Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md)

This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.

[Create Your AppLocker policies](create-your-applocker-policies.md)

This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment.

[Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)

This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings.

-  -  -  + +| Topic | Description | +| - | - | +| [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) | This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. | +| [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) | This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. | +| [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) | This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. | +| [Create Your AppLocker policies](create-your-applocker-policies.md) | This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. | +| [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) | This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. | + diff --git a/windows/keep-secure/applocker-policies-design-guide.md b/windows/keep-secure/applocker-policies-design-guide.md index b36e9be24e..7954db3edb 100644 --- a/windows/keep-secure/applocker-policies-design-guide.md +++ b/windows/keep-secure/applocker-policies-design-guide.md 
@@ -2,63 +2,36 @@ title: AppLocker design guide (Windows 10) description: This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker design guide + **Applies to** - Windows 10 + This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. + This guide provides important designing and planning information for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative process, you can create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group. + This guide does not cover the deployment of application control policies by using Software Restriction Policies (SRP). However, SRP is discussed as a deployment option in conjunction with AppLocker policies. For info about these options, see [Determine your application control objectives](determine-your-application-control-objectives.md). + To understand if AppLocker is the correct application control solution for your organization, see [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md). ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)

This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment.

[Determine your application control objectives](determine-your-application-control-objectives.md)

This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.

[Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)

This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.

[Select the types of rules to create](select-types-of-rules-to-create.md)

This topic lists resources you can use when selecting your application control policy rules by using AppLocker.

[Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)

This overview topic describes the process to follow when you are planning to deploy AppLocker rules.

[Plan for AppLocker policy management](plan-for-applocker-policy-management.md)

This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies.

[Create your AppLocker planning document](create-your-applocker-planning-document.md)

This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document.

+ +| Topic | Description | +| - | - | +| [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) | This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. | +| [Determine your application control objectives](determine-your-application-control-objectives.md) | This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. | +| [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) | This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. | +| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using AppLocker. | +| [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you are planning to deploy AppLocker rules. | +| [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. | +| [Create your AppLocker planning document](create-your-applocker-planning-document.md) | This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. |   After careful design and detailed planning, the next step is to deploy AppLocker policies. 
[AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies. -  -  +  \ No newline at end of file diff --git a/windows/keep-secure/applocker-policy-use-scenarios.md b/windows/keep-secure/applocker-policy-use-scenarios.md index 3c538ffbf1..ce30809f52 100644 --- a/windows/keep-secure/applocker-policy-use-scenarios.md +++ b/windows/keep-secure/applocker-policy-use-scenarios.md 
@@ -2,29 +2,47 @@ title: AppLocker policy use scenarios (Windows 10) description: This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker policy use scenarios + **Applies to** - Windows 10 + This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. + AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker can be categorized as follows: + 1. **App inventory** + AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand app usage and access. + 2. **Protection against unwanted software** + AppLocker has the ability to deny apps from running simply by excluding them from the list of allowed apps per business group or user. If an app is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails. + 3. **Licensing conformance** + AppLocker can provide an inventory of software usage within your organization, so you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements. + 4. **Software standardization** + AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment. + 5. 
**Manageability improvement** - AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers. + + AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's apps, you can modify policies and use + the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers. + ### Use scenarios + The following are examples of scenarios in which AppLocker can be used: + - Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage. - The security policy for application usage has changed, and you need to evaluate where and when those deployed apps are being accessed. - Your organization's security policy dictates the use of only licensed software, so you need to determine which apps are not licensed or prevent unauthorized users from running licensed software. 
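Review bot: In applocker-policy-use-scenarios.md, the "Manageability improvement" paragraph is now split mid-sentence across two added lines ("...you can modify policies and use" / "the AppLocker cmdlets to test the policies for the expected results."); rejoin it into a single line, indented under item 5 so it remains part of the numbered list, as the paragraphs under items 1 through 4 are.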
@@ -37,7 +55,8 @@ The following are examples of scenarios in which AppLocker can be used: - A single user or small group of users needs to use a specific app that is denied for all others. - Some computers in your organization are shared by people who have different software usage needs. - In addition to other measures, you need to control the access to sensitive data through app usage. + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) +- [AppLocker technical reference](applocker-technical-reference.md)     diff --git a/windows/keep-secure/applocker-processes-and-interactions.md b/windows/keep-secure/applocker-processes-and-interactions.md index 19857f7670..0243055da8 100644 --- a/windows/keep-secure/applocker-processes-and-interactions.md +++ b/windows/keep-secure/applocker-processes-and-interactions.md 
@@ -2,64 +2,97 @@ title: AppLocker processes and interactions (Windows 10) description: This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker processes and interactions + **Applies to** - Windows 10 + This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. + ## How policies are implemented by AppLocker + AppLocker policies are collections of AppLocker rules that might contain any one of the enforcement settings configured. When applied, each rule is evaluated within the policy and the collection of rules is applied according to the enforcement setting and according to your Group Policy structure. + The AppLocker policy is enforced on a computer through the Application Identity service, which is the engine that evaluates the policies. If the service is not running, policies will not be enforced. The Application Identity service returns the information from the binary—even if product or binary names are empty—to the results pane of the Local Security Policy snap-in. + AppLocker policies are stored in a security descriptor format according to Application Identity service requirements. It uses file path, hash, or fully qualified binary name attributes to form allow or deny actions on a rule. Each rule is stored as an access control entry (ACE) in the security descriptor and contains the following information: + - Either an allow or a deny ACE ("XA" or "XD" in security descriptor definition language (SDDL) form). - The user security identifier (SID) that this rule is applicable to. (The default is the authenticated user SID, or "AU" in SDDL.) - The rule condition containing the **appid** attributes. 
+ For example, an SDDL for a rule that allows all files in the %windir% directory to run uses the following format: XA;;FX;;;AU;(APPID://PATH == "%windir%\\\*"). + An AppLocker policy for DLLs and executable files is read and cached by kernel mode code, which is part of appid.sys. Whenever a new policy is applied, appid.sys is notified by a policy converter task. For other file types, the AppLocker policy is read every time a **SaferIdentifyLevel** call is made. + ### Understanding AppLocker rules + An AppLocker rule is a control placed on a file to govern whether or not it is allowed to run for a specific user or group. Rules apply to five different types, or collections, of files: + - An executable rule controls whether a user or group can run an executable file. Executable files most often have the .exe or .com file name extensions and apply to applications. - A script rule controls whether a user or group can run scripts with a file name extension of .ps1, .bat, .cmd, .vbs, and .js. - A Windows Installer rule controls whether a user or group can run files with a file name extension of .msi, mst and .msp (Windows Installer patch). - A DLL rule controls whether a user or group can run files with a file name extension of .dll and .ocx. - A packaged app and packaged app installer rule controls whether a user or group can run or install a packaged app. A Packaged app installer has the .appx extension. + There are three different types of conditions that can be applied to rules: + - A publisher condition on a rule controls whether a user or group can run files from a specific software publisher. The file must be signed. - A path condition on a rule controls whether a user or group can run files from within a specific directory or its subdirectories. - A file hash condition on a rule controls whether a user or group can run files with matching encrypted hashes. 
- + - [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md) + An AppLocker rule collection is a set of rules that apply to one of the following types: executable files, Windows Installer files, scripts, DLLs, and packaged apps. + - [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md) + Rule conditions are criteria that the AppLocker rule is based on. Primary conditions are required to create an AppLocker rule. The three primary rule conditions are publisher, path, and file hash. + - [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md) - [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md) - [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md) - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. + - [Executable rules in AppLocker](executable-rules-in-applocker.md) - [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md) - [Script rules in AppLocker](script-rules-in-applocker.md) - [DLL rules in AppLocker](dll-rules-in-applocker.md) - [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) - [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md) + You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow only a subset of a user group to use an application, you can create a special rule for that subset. 
+ - [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md) and [Understanding AppLocker allow and deny actions on Rules](understanding-applocker-allow-and-deny-actions-on-rules.md) + Each AppLocker rule collection functions as an allowed list of files. + ### Understanding AppLocker policies + An AppLocker policy is a set of rule collections and their corresponding configured enforcement settings that have been applied to one or more computers. + - [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) + Rule enforcement is applied only to collections of rules, not individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. The options for rule enforcement are **Not configured**, **Enforce rules**, or **Audit only**. Together, all AppLocker rule collections compose the application control policy, or AppLocker policy. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. + ### Understanding AppLocker and Group Policy + Group Policy can be used to create, modify, and distribute AppLocker policies in separate objects or in combination with other policies. + - [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) - When Group Policy is used to distribute AppLocker policies, rule collections that are not configured will be enforced. Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules. AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied. 
+ + When Group Policy is used to distribute AppLocker policies, rule collections that are not configured will be enforced. Group Policy does not overwrite or replace rules that are already present in a linked Group Policy Object (GPO) and applies the AppLocker rules in addition to existing rules. + AppLocker processes the explicit deny rule configuration before the allow rule configuration, and for rule enforcement, the last write to the GPO is applied. + ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) -  -  + +- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/keep-secure/applocker-settings.md b/windows/keep-secure/applocker-settings.md index 527922ad1c..77509f8e43 100644 --- a/windows/keep-secure/applocker-settings.md +++ b/windows/keep-secure/applocker-settings.md @@ -2,61 +2,32 @@ title: AppLocker settings (Windows 10) description: This topic for the IT professional lists the settings used by AppLocker. ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker settings + **Applies to** - Windows 10 + This topic for the IT professional lists the settings used by AppLocker. + The following table describes the settings and values used by AppLocker. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
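Review bot: the paragraphs this hunk reflows still disagree about how many rule collections AppLocker has: under "Understanding AppLocker rules" the topic says rules apply to five collections (executable, script, Windows Installer, DLL, packaged app) and the "Understanding AppLocker rule collections" entry lists the same five, but under "Understand AppLocker enforcement settings" it says "AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files", leaving out packaged apps; since the whitespace pass touches all three paragraphs, make the count consistent here. Two smaller wording points on lines in the hunk: the Windows Installer extensions read ".msi, mst and .msp" (the dot on .mst is missing), and the file hash condition is said to match "encrypted hashes", which should simply be "file hashes" because a hash is not encrypted.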
SettingValue

Registry path

Policies are stored in \HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2

Firewall ports

Not applicable

Security policies

Custom created, no default

Group Policy settings

Custom created, no default

Network ports

Not applicable

Service accounts

Not applicable

Performance counters

Not applicable

+ +| Setting | Value | +| - | - | +| Registry path | Policies are stored in **HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2** | +| Firewall ports | Not applicable | +| Security policies | Custom created, no default | +| Group Policy settings | Custom created, no default | +| Network ports | Not applicable | +| Service accounts | Not applicable | +| Performance counters | Not applicable |   ## Related topics -[AppLocker technical reference](applocker-technical-reference.md) -  -  + +- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/keep-secure/applocker-technical-reference.md b/windows/keep-secure/applocker-technical-reference.md index 415b5baa88..164a159782 100644 --- a/windows/keep-secure/applocker-technical-reference.md +++ b/windows/keep-secure/applocker-technical-reference.md @@ -2,72 +2,32 @@ title: AppLocker technical reference (Windows 10) description: This overview topic for IT professionals provides links to the topics in the technical reference. ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AppLocker technical reference + **Applies to** - Windows 10 + This overview topic for IT professionals provides links to the topics in the technical reference. AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
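Review bot: the rewritten registry-path row keeps the mixed-case hive name from the removed HTML cell, `**HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2**`, while dropping the leading backslash the old cell had; the hive is written `HKEY_LOCAL_MACHINE` everywhere else in these docs, so since the row is being rewritten anyway, correct the casing to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2`. The HTML-to-markdown conversion itself carries over all seven setting rows, so no content is lost in this table.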
TopicDescription

[What Is AppLocker?](what-is-applocker.md)

This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies.

[Requirements to use AppLocker](requirements-to-use-applocker.md)

This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.

[AppLocker policy use scenarios](applocker-policy-use-scenarios.md)

This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.

[How AppLocker works](how-applocker-works-techref.md)

This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies.

[AppLocker architecture and components](applocker-architecture-and-components.md)

This topic for IT professional describes AppLocker’s basic architecture and its major components.

[AppLocker processes and interactions](applocker-processes-and-interactions.md)

This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules.

[AppLocker functions](applocker-functions.md)

This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features.

[Security considerations for AppLocker](security-considerations-for-applocker.md)

This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.

[Tools to Use with AppLocker](tools-to-use-with-applocker.md)

This topic for the IT professional describes the tools available to create and administer AppLocker policies.

[AppLocker Settings](applocker-settings.md)

This topic for the IT professional lists the settings used by AppLocker.

-  -  -  + +| Topic | Description | +| - | - | +| [What Is AppLocker?](what-is-applocker.md) | This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. | +| [Requirements to use AppLocker](requirements-to-use-applocker.md) | This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. | +| [AppLocker policy use scenarios](applocker-policy-use-scenarios.md) | This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. | +| [How AppLocker works](how-applocker-works-techref.md) | This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. | +| [AppLocker architecture and components](applocker-architecture-and-components.md) | This topic for IT professional describes AppLocker’s basic architecture and its major components. | +| [AppLocker processes and interactions](applocker-processes-and-interactions.md) | This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. | +| [AppLocker functions](applocker-functions.md) | This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. | +| [Security considerations for AppLocker](security-considerations-for-applocker.md) | This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. | +| [Tools to Use with AppLocker](tools-to-use-with-applocker.md) | This topic for the IT professional describes the tools available to create and administer AppLocker policies. | +| [AppLocker Settings](applocker-settings.md) | This topic for the IT professional lists the settings used by AppLocker. | 
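Review bot: the row for [AppLocker architecture and components](applocker-architecture-and-components.md) carries over the typo from the removed HTML cell, "This topic for IT professional describes", whereas every other row reads "for the IT professional"; add the missing "the" while the row is being rewritten. The conversion otherwise keeps all ten topic rows and their link targets unchanged, so the table is complete.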
diff --git a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md index cf1717d5af..5828778660 100644 --- a/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/keep-secure/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -2,19 +2,24 @@ title: Apply a basic audit policy on a file or folder (Windows 10) description: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Apply a basic audit policy on a file or folder + **Applies to** - Windows 10 + You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. To complete this procedure, you must be logged on as a member of the built-in Administrators group or you must have been granted the **Manage auditing and security log** right. + **To apply or modify auditing policy settings for a local file or folder** -1. 2.Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab. + +1. Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab. 2. Click **Advanced**. 3. In the **Advanced Security Settings** dialog box, click the **Auditing** tab, and then click **Continue**. 4. Do one of the following: 
@@ -25,9 +30,11 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit successful events, click **Success.** - To audit failure events, click **Fail.** - To audit all events, click **All.** -**Important**  Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited. + +> **Important:**  Before setting up auditing for files and folders, you must enable object access auditing by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.   ## Additional considerations + - After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes. - You can set up file and folder auditing only on NTFS drives. - Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer. diff --git a/windows/keep-secure/audit-account-lockout.md b/windows/keep-secure/audit-account-lockout.md index 206ac496c6..6c7ebbb0e2 100644 --- a/windows/keep-secure/audit-account-lockout.md +++ b/windows/keep-secure/audit-account-lockout.md 
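Review bot: the restyled `> **Important:**` callout ("Before setting up auditing for files and folders, you must enable object access auditing ...") states a prerequisite, but it sits after step 4's sub-list, so a reader working down the numbered steps only reaches it after hitting the error it warns about; consider moving it above the "To apply or modify auditing policy settings for a local file or folder" heading in the earlier hunk of this file, keeping the new blockquote form. The UI option names in the sub-list ("Success", "Fail", "All") match the Type drop-down in the auditing entry dialog, so those are fine as written.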
@@ -2,41 +2,35 @@ title: Audit Account Lockout (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Account Lockout + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the advanced security audit policy setting, **Audit Account Lockout**, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. + If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts. + Account lockout events are essential for understanding user activity and detecting potential attacks. + Event volume: Low + Default setting: Success - ---- - - - - - - - - - - - - -
Event IDEvent message

4625

An account failed to log on.

+ +| Event ID | Event message | +| - | - | +| 4625 | An account failed to log on. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-application-generated.md b/windows/keep-secure/audit-application-generated.md index 23e33b3b6b..f7c31ca13a 100644 --- a/windows/keep-secure/audit-application-generated.md +++ b/windows/keep-secure/audit-application-generated.md 
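Review bot: the reflowed body text says "Success audits record successful attempts and failure audits record unsuccessful attempts" and gives "Default setting: Success", yet the only event in the new table is 4625, "An account failed to log on.", so the page never says what a Success audit of this subcategory would record; either name the event a Success audit produces or reword that sentence so it does not promise one. Also, the other audit topics in this patch use the label "Default:" while this one keeps "Default setting:", so align the label while the line is being touched.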
@@ -2,54 +2,39 @@ title: Audit Application Generated (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Application Generated + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Application Generated**, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs). + The following events can generate audit activity: + - Creation, deletion, or initialization of an application client context - Application operations + Applications that are designed to use the Windows Auditing APIs can use this subcategory to log auditing events that are related to those APIs. The level, volume, relevance, and importance of these audit events depend on the application that generates them. The operating system logs the events as they are generated by the application. + Event volume: Depends on the installed app's use of the Windows Auditing APIs + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4665

An attempt was made to create an application client context.

4666

An application attempted an operation:

4667

An application client context was deleted.

4668

An application was initialized.

+ +| Event ID | Event message | +| - | - | +| 4665 | An attempt was made to create an application client context. | +| 4666 | An application attempted an operation: | +| 4667 | An application client context was deleted. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-application-group-management.md b/windows/keep-secure/audit-application-group-management.md index 15d44e5eab..3055b72f6d 100644 --- a/windows/keep-secure/audit-application-group-management.md +++ b/windows/keep-secure/audit-application-group-management.md @@ -2,77 +2,42 @@ title: Audit Application Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed. ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Application Group Management + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Application Group Management**, which determines whether the operating system generates audit events when application group management tasks are performed. + Application group management tasks include: + - An application group is created, changed, or deleted. - A member is added to or removed from an application group. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
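Review bot: the markdown table that replaces the HTML one drops a row: the removed table listed four events (4665, 4666, 4667 and 4668 "An application was initialized."), but the `+` table stops at 4667, so event 4668 vanishes from the topic; add `| 4668 | An application was initialized. |` back. The trailing colon on 4666, "An application attempted an operation:", is carried over from the old cell and reads like a truncated message, so confirm that it is the event's actual text before keeping it.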
Event IDEvent message

4783

A basic application group was created.

-

4784

A basic application group was changed.

-

4785

A member was added to a basic application group.

-

4786

A member was removed from a basic application group.

-

4787

A non-member was added to a basic application group.

-

4788

A non-member was removed from a basic application group.

-

4789

A basic application group was deleted.

-

4790

An LDAP query group was created.

-

+ +| Event ID | Event message | +| - | - | +| 4783 | A basic application group was created. | +| 4784 | A basic application group was changed. | +| 4785 | A member was added to a basic application group. | +| 4786 | A member was removed from a basic application group. | +| 4787 | A non-member was added to a basic application group. | +| 4788 | A non-member was removed from a basic application group. | +| 4789 | A basic application group was deleted. | +| 4790 | An LDAP query group was created. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-audit-policy-change.md b/windows/keep-secure/audit-audit-policy-change.md index beb42d48f1..65b7d6261e 100644 --- a/windows/keep-secure/audit-audit-policy-change.md +++ b/windows/keep-secure/audit-audit-policy-change.md 
@@ -2,95 +2,54 @@ title: Audit Audit Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy. ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Audit Policy Change + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Audit Policy Change**, which determines whether the operating system generates audit events when changes are made to audit policy. + Changes to audit policy that are audited include: + - Changing permissions and audit settings on the audit policy object (by using **auditpol /set /sd**). - Changing the system audit policy. - Registering and unregistering security event sources. - Changing per-user audit settings. - Changing the value of **CrashOnAuditFail**. - Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key). - **Note**   - SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change. + + > **Note:** SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.   - Changing anything in the Special Groups list. 
-**Important**   -Changes to the audit policy are critical security events. + +> **Important:**  Changes to the audit policy are critical security events.   Event volume: Low + Default: Success - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4715

The audit policy (SACL) on an object was changed.

4719

System audit policy was changed.

4817

Auditing settings on an object were changed.

-
-Note   -

This event is logged only on computers running the supported versions of the Windows operating system.

-
-
-  -

4902

The Per-user audit policy table was created.

4904

An attempt was made to register a security event source.

4905

An attempt was made to unregister a security event source.

4906

The CrashOnAuditFail value has changed.

4907

Auditing settings on object were changed.

4908

Special Groups Logon table modified.

4912

Per User Audit Policy was changed.

+ +| Event ID | Event message | +| - | - | +| 4715 | The audit policy (SACL) on an object was changed. | +| 4719 | System audit policy was changed. | +| 4817 | Auditing settings on an object were changed.
**Note: ** This event is logged only on computers running the supported versions of the Windows operating system. | +| 4902 | The Per-user audit policy table was created. | +| 4904 | An attempt was made to register a security event source. | +| 4905 | An attempt was made to unregister a security event source. | +| 4906 | The CrashOnAuditFail value has changed. | +| 4907 | Auditing settings on object were changed. | +| 4908 | Special Groups Logon table modified. | +| 4912 | Per User Audit Policy was changed. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md index d9e3f7d10d..767ec7c30a 100644 --- a/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md +++ b/windows/keep-secure/audit-audit-the-access-of-global-system-objects.md 
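Review bot: the 4817 row of the new table is split across two source lines (the message on one line, `**Note: ** This event is logged only ...` on the next), and a markdown table row cannot span lines, so this row will render broken and the rows after it may fall out of the table; keep the note in the same cell with a `<br>` or move it to a sentence below the table, matching the one-row-per-line form the other converted tables in this patch use. The bold marker is also written `**Note: **` with a space before the closing asterisks, which will not render as bold; the form used elsewhere in this patch is `**Note:**`. The conversion otherwise keeps all ten event IDs from the removed HTML table.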
@@ -2,192 +2,117 @@ title: Audit Audit the access of global system objects (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting. ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit: Audit the access of global system objects + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting. + ## Reference + If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS® devices. If you also enable the [Audit object access](basic-audit-object-access.md) audit setting, access to these system objects is audited. + Global system objects, also known as "base system objects" or "base named objects," are temporary kernel objects that have had names assigned to them by the application or system component that created them. These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope and, therefore, visible to all processes on the device. These objects all have a security descriptor; but typically, they do not have a NULL SACL. If you enable this policy setting and it takes effect at startup time, the kernel assigns a SACL to these objects when they are created. + The threat is that a globally visible named object, if incorrectly secured, might be acted on by a malicious program that knows the name of the object. 
For instance, if a synchronization object such as a mutex has a poorly constructed discretionary access control list (DACL), a malicious program can access that mutex by name and cause the program that created it to malfunction. However, the risk of this occurring is very low. + Enabling this policy setting can generate a large number of security events, especially on busy domain controllers and application servers. This might cause servers to respond slowly and force the security log to record numerous events of little significance. Auditing for access to global system objects is an all-or-nothing affair; there is no way to filter which events get recorded and which do not. Even if an organization has the resources to analyze events generated when this policy setting is enabled, it is unlikely to have the source code or a description of what each named object is used for; therefore, it is unlikely that many organizations could benefit from enabling this policy setting. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Use the advanced security audit policy option, [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access, to reduce the number of unrelated audit events that you generate. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ### Auditing + To audit attempts to access global system objects, you can use one of two security audit policy settings: + - [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access - [Audit object access](basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy + If possible, use the Advanced Security Audit Policy option to reduce the number of unrelated audit events that you generate. + If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated: - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4659

A handle to an object was requested with intent to delete.

4660

An object was deleted.

4661

A handle to an object was requested.

4663

An attempt was made to access an object.

-  -If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

560

Access was granted to an already existing object.

562

A handle to an object was closed.

563

An attempt was made to open an object with the intent to delete it.

-
-Note   -

This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().

-
-
-  -

564

A protected object was deleted.

565

Access was granted to an already existing object type.

567

A permission associated with a handle was used.

-
-Note   -

A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.

-
-
-  -

569

The resource manager in Authorization Manager attempted to create a client context.

570

A client attempted to access an object.

-
-Note   -

An event will be generated for every attempted operation on the object.

-
-
-  -
+ +| Event ID | Event message | +| - | - | +| 4659 | A handle to an object was requested with intent to delete. | +| 4660 | An object was deleted. | +| 4661 | A handle to an object was requested. | +| 4663 | An attempt was made to access an object. |   +If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated: + +| Event ID | Event message | +| - | - | +| 560 | Access was granted to an already existing object. | +| 562 | A handle to an object was closed. | +| 563 | An attempt was made to open an object with the intent to delete it.
**Note: **This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() | +| 564 | A protected object was deleted. | +| 565 | Access was granted to an already existing object type. | +| 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. | +| 569 | The resource manager in Authorization Manager attempted to create a client context. | +| 570 | A client attempted to access an object.
**Note: ** An event will be generated for every attempted operation on the object. | + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + A globally visible named object, if incorrectly secured, could be acted upon by malicious software by using the name of the object. For instance, if a synchronization object such as a mutex had a poorly chosen discretionary access control list (DACL), malicious software could access that mutex by name and cause the program that created it to malfunction. However, the risk of such an occurrence is very low. + ### Countermeasure + Enable the **Audit: Audit the access of global system objects** setting. + ### Potential impact + If you enable the **Audit: Audit the access of global system objects** setting, a large number of security events could be generated, especially on busy domain controllers and application servers. Such an occurrence could cause servers to respond slowly and force the Security log to record numerous events of little significance. This policy setting can only be enabled or disabled, and there is no way to choose which events are recorded from this setting. Even organizations that have the resources to analyze events that are generated by this policy setting are not likely to have the source code or a description of what each named object is used for. Therefore, it is unlikely that most organizations would benefit by enabling this policy setting. To reduce the number of audit events generated, use the advanced audit policy. + ## Related topics -[Security Options](security-options.md) -  -  + +- [Security Options](security-options.md) 
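Review bot: the lead-in above the second event table (560 through 570) still reads "If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:", word for word the same as the lead-in above the 4659 through 4663 table, so one setting is credited with both tables. The Auditing section of this same file lists two settings, and the second table belongs to the other one, so that line should read "If the [Audit object access](basic-audit-object-access.md) setting is configured, ...". In that table the 563 and 570 rows write the bold marker as `**Note: **` with a space before the closing asterisks, which does not render as bold in Markdown; use `**Note:**` as the 567 row already does. Also, the Reference paragraph says these objects "typically, they do not have a NULL SACL" and in the next sentence that enabling the setting makes the kernel assign a SACL when they are created; the two sentences contradict each other, so confirm which is meant before this lands. Nit: "Createfile()" in the 563 row should be "CreateFile()".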
diff --git a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md index d028cb4d3e..49b518da5a 100644 --- a/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/keep-secure/audit-audit-the-use-of-backup-and-restore-privilege.md 
@@ -2,85 +2,86 @@ title: Audit Audit the use of Backup and Restore privilege (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting. ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit: Audit the use of Backup and Restore privilege + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting. + ## Reference + The **Audit: Audit the use of Backup and Restore privilege** policy setting determines whether to audit the use of all user rights, including Backup and Restore, when the **Audit privilege use** policy setting is configured. Enabling both policy settings generates an audit event for every file that is backed up or restored. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Set **Audit: Audit the use of Backup and Restore privilege** to Disabled. Enabling this policy setting can generate a large number of security events, which might cause servers to respond slowly and force the security event log to record numerous events of little significance. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Disabled | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Disabled |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Auditing + Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users use backup or restore user rights, those events will not be audited. + Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner. + Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md), which can help you manage the number of events generated. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + When the backup and restore function is used, it creates a copy of the file system that is identical to the target of the backup. Making regular backup and restore volumes is an important part of your incident response plan. 
However, a malicious user could use a legitimate backup copy to gain access to information or to impersonate a legitimate network resource to compromise your enterprise. + ### Countermeasure + Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner. For more information about configuring this key, see Microsoft Knowledge Base article [100879](http://go.microsoft.com/fwlink/p/?LinkId=100879). + ### Potential impact + If you enable this policy setting, a large number of security events could be generated, which could cause servers to respond slowly and force the security event log to record numerous events of little significance. If you increase the security event log size to reduce the chances of a system shutdown, an excessively large log file may affect system performance. + ## Related topics -[Security Options](security-options.md) + +- [Security Options](security-options.md)     diff --git a/windows/keep-secure/audit-authentication-policy-change.md b/windows/keep-secure/audit-authentication-policy-change.md index 81c47c8ea2..e26a96a284 100644 --- a/windows/keep-secure/audit-authentication-policy-change.md +++ b/windows/keep-secure/audit-authentication-policy-change.md 
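Review bot: in audit-audit-the-use-of-backup-and-restore-privilege.md the trailing non-breaking-space lines after "- [Security Options](security-options.md)" are kept, while the hunk for the previous file in this patch deletes the same leftovers; remove them here too so the files end consistently. While every paragraph in this file is being touched, the Best practices section still says to set the policy to Disabled and the Countermeasure section says to Enable it, and the Countermeasure also recommends the AutoBackupLogFiles registry key, which the text itself describes as automatic log backup, a different control from auditing privilege use; reconcile the recommendation and reword or move the AutoBackupLogFiles sentence.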
@@ -2,21 +2,26 @@ title: Audit Authentication Policy Change (Windows 10) description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Authentication Policy Change + **Applies to** - Windows 10 + This topic for the IT professional describes this Advanced Security Audit policy setting, **Audit Authentication Policy Change**, which determines whether the operating system generates audit events when changes are made to authentication policy. + Changes made to authentication policy include: + - Creation, modification, and removal of forest and domain trusts. - Changes to Kerberos policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. - **Note**   - The audit event is logged when the policy is applied, not when settings are modified by the administrator. + + > **Note:**  The audit event is logged when the policy is applied, not when settings are modified by the administrator.   - When any of the following user rights is granted to a user or group: - **Access this computer from the network** @@ -25,61 +30,27 @@ Changes made to authentication policy include: - **Logon as a batch job** - **Logon as a service** - Namespace collision, such as when an added trust collides with an existing namespace name. + This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups. + Event volume: Low + Default: Success - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4713

Kerberos policy was changed.

4716

Trusted domain information was modified.

4717

System security access was granted to an account.

4718

System security access was removed from an account.

4739

Domain Policy was changed.

4864

A namespace collision was detected.

4865

A trusted forest information entry was added.

4866

A trusted forest information entry was removed.

4867

A trusted forest information entry was modified.

+ +| Event ID | Event message | +| - | - | +| 4713 | Kerberos policy was changed. | +| 4716 | Trusted domain information was modified. | +| 4717 | System security access was granted to an account. | +| 4718 | System security access was removed from an account. | +| 4739 | Domain Policy was changed. | +| 4864 | A namespace collision was detected. | +| 4865 | A trusted forest information entry was added. | +| 4866 | A trusted forest information entry was removed. | +| 4867 | A trusted forest information entry was modified. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + + - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-authorization-policy-change.md b/windows/keep-secure/audit-authorization-policy-change.md index 56c26436a8..3bff0a5dd9 100644 --- a/windows/keep-secure/audit-authorization-policy-change.md +++ b/windows/keep-secure/audit-authorization-policy-change.md 
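Review bot: the Related topics item in audit-authentication-policy-change.md is written `+ - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)` with a space before the dash, unlike the `- [...]` form used in the other files of this patch; drop the leading space. The Kerberos-policy note is now a `> **Note:**` block nested under a list item, but the non-breaking-space line from the old `**Note**` block is still there between it and "- When any of the following user rights is granted..."; delete that line so the list continues cleanly.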
@@ -2,63 +2,39 @@ title: Audit Authorization Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Authorization Policy Change + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Authorization Policy Change**, which determines whether the operating system generates audit events when specific changes are made to the authorization policy. + Authorization policy changes that can be audited include: + - Assigning or removing user rights (privileges) such as **SeCreateTokenPrivilege**, except for the system access rights that are audited by using the [Audit Authentication Policy Change](audit-authentication-policy-change.md) subcategory. - Changing the Encrypting File System (EFS) policy. -<<<<<<< HEAD -Event volume: Low -======= Event volume: Very high ->>>>>>> master Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4704

A user right was assigned.

4705

A user right was removed.

4706

A new trust was created to a domain.

4707

A trust to a domain was removed.

4714

Encrypted data recovery policy was changed.

+ +| Event ID | Event message | +| - | - | +| 4704 | A user right was assigned. | +| 4705 | A user right was removed. | +| 4706 | A new trust was created to a domain. | +| 4707 | A trust to a domain was removed. | +| 4714 | Encrypted data recovery policy was changed. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-central-access-policy-staging.md b/windows/keep-secure/audit-central-access-policy-staging.md index 525c573cb3..e53abd2a09 100644 --- a/windows/keep-secure/audit-central-access-policy-staging.md +++ b/windows/keep-secure/audit-central-access-policy-staging.md @@ -2,38 +2,30 @@ title: Audit Central Access Policy Staging (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy. ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Central Access Policy Staging + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Central Access Policy Staging**, which determines permissions on a Central Access Policy. + Event volume: Medium + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

4818

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy

+ +| Event ID | Event message | +| - | - | +| 4818 | Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-certification-services.md b/windows/keep-secure/audit-certification-services.md index 4d94779c67..f23bdde027 100644 --- a/windows/keep-secure/audit-certification-services.md +++ b/windows/keep-secure/audit-certification-services.md @@ -2,17 +2,22 @@ title: Audit Certification Services (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Certification Services + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Certification Services**, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. + Examples of AD CS operations include: + - AD CS starts, shuts down, is backed up, or is restored. - Certificate revocation list (CRL)-related tasks are performed. - Certificates are requested, issued, or revoked. 
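Review bot: the hunk for audit-authorization-policy-change.md removes leftover merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> master`) and resolves "Event volume" to master's "Very high", discarding HEAD's "Low"; the two sides disagree by a wide margin, so confirm "Very high" is the intended value for this subcategory and not just the side that happened to be kept. In the adjacent hunk for audit-central-access-policy-staging.md, the opening sentence "which determines permissions on a Central Access Policy" reads as if the audit setting grants permissions; the single event listed (4818) reports that a proposed policy grants different permissions than the current one, so phrase it like the other topics, "determines whether the operating system generates audit events when a proposed Central Access Policy...".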
@@ -24,149 +29,49 @@ Examples of AD CS operations include: - Security permissions for AD CS role services are modified. - Keys are archived, imported, or retrieved. - The OCSP Responder Service is started or stopped. + Monitoring these operational events is important to ensure that AD CS role services are functioning properly. + Event volume: Low to medium on servers that host AD CS role services + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4868

The certificate manager denied a pending certificate request.

4869

Certificate Services received a resubmitted certificate request.

4870

Certificate Services revoked a certificate.

4871

Certificate Services received a request to publish the certificate revocation list (CRL).

4872

Certificate Services published the certificate revocation list (CRL).

4873

A certificate request extension changed.

4874

One or more certificate request attributes changed.

4875

Certificate Services received a request to shut down.

4876

Certificate Services backup started.

4877

Certificate Services backup completed.

4878

Certificate Services restore started.

4879

Certificate Services restore completed.

4880

Certificate Services started.

4881

Certificate Services stopped.

4882

The security permissions for Certificate Services changed.

4883

Certificate Services retrieved an archived key.

4884

Certificate Services imported a certificate into its database.

4885

The audit filter for Certificate Services changed.

4886

Certificate Services received a certificate request.

4887

Certificate Services approved a certificate request and issued a certificate.

4888

Certificate Services denied a certificate request.

4889

Certificate Services set the status of a certificate request to pending.

4890

The certificate manager settings for Certificate Services changed.

4891

A configuration entry changed in Certificate Services.

4892

A property of Certificate Services changed.

4893

Certificate Services archived a key.

4894

Certificate Services imported and archived a key.

4895

Certificate Services published the CA certificate to Active Directory Domain Services.

4896

One or more rows have been deleted from the certificate database.

4897

Role separation enabled:

4898

Certificate Services loaded a template.

+ +| Event ID | Event message | +| - | - | +| 4868 | The certificate manager denied a pending certificate request. | +| 4869 | Certificate Services received a resubmitted certificate request. | +| 4870 | Certificate Services revoked a certificate. | +| 4871 | Certificate Services received a request to publish the certificate revocation list (CRL). | +| 4872 | Certificate Services published the certificate revocation list (CRL). | +| 4873 | A certificate request extension changed. | +| 4874 | One or more certificate request attributes changed. | +| 4875 | Certificate Services received a request to shut down. | +| 4876 | Certificate Services backup started. | +| 4877 | Certificate Services backup completed. | +| 4878 | Certificate Services restore started. | +| 4879 | Certificate Services restore completed. | +| 4880 | Certificate Services started. | +| 4881 | Certificate Services stopped. | +| 4882 | The security permissions for Certificate Services changed. | +| 4883 | Certificate Services retrieved an archived key. | +| 4884 | Certificate Services imported a certificate into its database. | +| 4885 | The audit filter for Certificate Services changed. | +| 4886 | Certificate Services received a certificate request. | +| 4887 | Certificate Services approved a certificate request and issued a certificate. | +| 4888 | Certificate Services denied a certificate request. | +| 4889 | Certificate Services set the status of a certificate request to pending. | +| 4890 | The certificate manager settings for Certificate Services changed. | +| 4891 | A configuration entry changed in Certificate Services. | +| 4892 | A property of Certificate Services changed. | +| 4893 | Certificate Services archived a key. | +| 4894 | Certificate Services imported and archived a key. | +| 4895 | Certificate Services published the CA certificate to Active Directory Domain Services. | +| 4896 | One or more rows have been deleted from the certificate database. 
| +| 4897 | Role separation enabled: | +| 4898 | Certificate Services loaded a template. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-computer-account-management.md b/windows/keep-secure/audit-computer-account-management.md index 60524de373..5211936625 100644 --- a/windows/keep-secure/audit-computer-account-management.md +++ b/windows/keep-secure/audit-computer-account-management.md @@ -2,47 +2,34 @@ title: Audit Computer Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Computer Account Management + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Computer Account Management**, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted. + This policy setting is useful for tracking account-related changes to computers that are members of a domain. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4741

A computer account was created.

4742

A computer account was changed.

4743

A computer account was deleted.

+ +| Event ID | Event message | +| - | - | +| 4741 | A computer account was created. | +| 4742 | A computer account was changed. | +| 4743 | A computer account was deleted. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index add71830c8..7f4232806f 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md 
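Review bot: in audit-certification-services.md the 4896 row of the new table is split across two lines ("| 4896 | One or more rows have been deleted from the certificate database. " and then a line beginning "| +| 4897 ..."), so the closing pipe of the 4896 row sits at the start of the next line. A Markdown pipe-table row must be a single line; as written, 4896 loses its closing cell and the 4897 row is malformed. Join the two lines. Nit: "Role separation enabled:" keeps a trailing colon carried over from the old HTML table; drop it or complete the text.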
@@ -2,59 +2,42 @@ title: Audit Credential Validation (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Credential Validation + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the advanced security audit policy setting, **Audit Credential Validation**, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. + These events occur on the computer that is authoritative for the credentials as follows: + - For domain accounts, the domain controller is authoritative. - For local accounts, the local computer is authoritative. + Event volume: High on domain controllers -Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events. + +Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they +may occur in conjunction with or on separate computers from Logon and Logoff events. + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4774

An account was mapped for logon.

-

4775

An account could not be mapped for logon.

-

4776

The domain controller attempted to validate the credentials for an account.

-

4777

The domain controller failed to validate the credentials for an account.

-

+ +| Event ID | Event message | +| - | - | +| 4774 | An account was mapped for logon. | +| 4775 | An account could not be mapped for logon. | +| 4776 | The domain controller attempted to validate the credentials for an account. | +| 4777 | The domain controller failed to validate the credentials for an account. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-detailed-directory-service-replication.md b/windows/keep-secure/audit-detailed-directory-service-replication.md index 99ff8d4881..ae2e46a570 100644 --- a/windows/keep-secure/audit-detailed-directory-service-replication.md +++ b/windows/keep-secure/audit-detailed-directory-service-replication.md @@ -8,61 +8,33 @@ ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft --- + # Audit Detailed Directory Service Replication + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Detailed Directory Service Replication**, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. + This audit subcategory can be useful to diagnose replication issues. + Event volume: These events can create a very high volume of event data. + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4928

An Active Directory replica source naming context was established.

4929

An Active Directory replica source naming context was removed.

4930

An Active Directory replica source naming context was modified.

4931

An Active Directory replica destination naming context was modified.

4934

Attributes of an Active Directory object were replicated.

4935

Replication failure begins.

4936

Replication failure ends.

4937

A lingering object was removed from a replica.

+ +| Event ID | Event message | +| - | - | +| 4928 | An Active Directory replica source naming context was established. | +| 4929 | An Active Directory replica source naming context was removed. | +| 4930 | An Active Directory replica source naming context was modified. | +| 4931 | An Active Directory replica destination naming context was modified. | +| 4934 | Attributes of an Active Directory object were replicated. | +| 4935 | Replication failure begins. | +| 4936 | Replication failure ends. | +| 4937 | A lingering object was removed from a replica. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-detailed-file-share.md b/windows/keep-secure/audit-detailed-file-share.md index b4376be5d3..f60e4dd5f2 100644 --- a/windows/keep-secure/audit-detailed-file-share.md +++ b/windows/keep-secure/audit-detailed-file-share.md 
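Review bot: in audit-credential-validation.md the rewritten paragraph introduces a hard line break in the middle of a sentence ("...these events can occur on any computer, and they" followed by "may occur in conjunction with or on separate computers..."); rejoin it on one line, since every other paragraph in this patch stays on a single line. In the adjacent hunk for audit-detailed-directory-service-replication.md the header context shows "ms.sitesec: library" directly followed by "author: brianlic-msft", whereas every other file in this patch inserts "ms.pagetype: security" between those two keys; check whether this file carries ms.pagetype elsewhere in its front matter or is missing it entirely.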
@@ -2,42 +2,33 @@ title: Audit Detailed File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder. ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Detailed File Share + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Detailed File Share**, which allows you to audit attempts to access files and folders on a shared folder. + The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client computer and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. -**Note**   -There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. +> **Note:**  There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.   Event volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

5145

A network share object was checked to see whether the client can be granted desired access.

+ +| Event ID | Event message | +| - | - | +| 5145 | A network share object was checked to see whether the client can be granted desired access. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-directory-service-access.md b/windows/keep-secure/audit-directory-service-access.md index 7448d1b505..230dce9a69 100644 --- a/windows/keep-secure/audit-directory-service-access.md +++ b/windows/keep-secure/audit-directory-service-access.md 
@@ -2,42 +2,33 @@ title: Audit Directory Service Access (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Directory Service Access + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Access**, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed. + These events are similar to the Directory Service Access events in previous versions of the Windows Server operating systems. -**Important**   -Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings. +> **Important:**  Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings.   Event volume: High on servers running AD DS role services; none on client computers + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

4662

An operation was performed on an object.

+ +| Event ID | Event message | +| - | - | +| 4662 | An operation was performed on an object. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-directory-service-changes.md b/windows/keep-secure/audit-directory-service-changes.md index a474407c2f..361827a614 100644 --- a/windows/keep-secure/audit-directory-service-changes.md +++ b/windows/keep-secure/audit-directory-service-changes.md 
@@ -2,65 +2,48 @@ title: Audit Directory Service Changes (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Directory Service Changes + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Changes**, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). + The types of changes that are reported are: + - Create - Delete - Modify - Move - Undelete + Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. -**Important**   -Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. + +> **Important:**  Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.   This subcategory only logs events on domain controllers. Changes to Active Directory objects are important events to track in order to understand the state of the network policy. 
+ Event volume: High on domain controllers; none on client computers + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

5136

A directory service object was modified.

5137

A directory service object was created.

5138

A directory service object was undeleted.

5139

A directory service object was moved.

5141

A directory service object was deleted.

+ +| Event ID | Event message | +| - | - | +| 5136 | A directory service object was modified. | +| 5137 | A directory service object was created. | +| 5138 | A directory service object was undeleted. | +| 5139 | A directory service object was moved. | +| 5141 | A directory service object was deleted. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-directory-service-replication.md b/windows/keep-secure/audit-directory-service-replication.md index 907f50fda7..9f09abada9 100644 --- a/windows/keep-secure/audit-directory-service-replication.md +++ b/windows/keep-secure/audit-directory-service-replication.md @@ -2,42 +2,31 @@ title: Audit Directory Service Replication (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Directory Service Replication + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Replication**, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends. + Event volume: Medium on domain controllers; none on client computers + Default: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

4932

Synchronization of a replica of an Active Directory naming context has begun.

4933

Synchronization of a replica of an Active Directory naming context has ended.

+ +| Event ID | Event Message | +| - | - | +| 4932 | Synchronization of a replica of an Active Directory naming context has begun. | +| 4933 | Synchronization of a replica of an Active Directory naming context has ended. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-distribution-group-management.md b/windows/keep-secure/audit-distribution-group-management.md index 91c5876a9c..1e259424ed 100644 --- a/windows/keep-secure/audit-distribution-group-management.md +++ b/windows/keep-secure/audit-distribution-group-management.md 
@@ -2,97 +2,51 @@ title: Audit Distribution Group Management (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks. ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Distribution Group Management + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Distribution Group Management**, which determines whether the operating system generates audit events for specific distribution-group management tasks. + Tasks for distribution-group management that can be audited include: + - A distribution group is created, changed, or deleted. - A member is added to or removed from a distribution group. + This subcategory to which this policy belongs is logged only on domain controllers. -**Note**   -Distribution groups cannot be used to manage access control permissions. +> **Note:**  Distribution groups cannot be used to manage access control permissions.   Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4744

A security-disabled local group was created.

4745

A security-disabled local group was changed.

4746

A member was added to a security-disabled local group.

4747

A member was removed from a security-disabled local group.

4748

A security-disabled local group was deleted.

4749

A security-disabled global group was created.

4750

A security-disabled global group was changed.

4751

A member was added to a security-disabled global group.

4752

A member was removed from a security-disabled global group.

4753

A security-disabled global group was deleted.

4759

A security-disabled universal group was created.

4760

A security-disabled universal group was changed.

4761

A member was added to a security-disabled universal group.

4762

A member was removed from a security-disabled universal group.

-  -## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +| Event ID | Event message | +| - | - | +| 4744 | A security-disabled local group was created. | +| 4745 | A security-disabled local group was changed. | +| 4746 | A member was added to a security-disabled local group. | +| 4747 | A member was removed from a security-disabled local group. | +| 4748 | A security-disabled local group was deleted. | +| 4749 | A security-disabled global group was created. | +| 4750 | A security-disabled global group was changed. | +| 4751 | A member was added to a security-disabled global group. | +| 4752 | A member was removed from a security-disabled global group. | +| 4753 | A security-disabled global group was deleted. | +| 4759 | A security-disabled universal group was created. | +| 4760 | A security-disabled universal group was changed. | +| 4761 | A member was added to a security-disabled universal group. | +| 4762 | A member was removed from a security-disabled universal group. | + + ## Related topics + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-dpapi-activity.md b/windows/keep-secure/audit-dpapi-activity.md index 0d82bf9af5..1e7c77ac71 100644 --- a/windows/keep-secure/audit-dpapi-activity.md +++ b/windows/keep-secure/audit-dpapi-activity.md 
@@ -2,53 +2,37 @@ title: Audit DPAPI Activity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit DPAPI Activity + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit DPAPI Activity**, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI). DPAPI is used to protect secret information such as stored passwords and key information. For more information about DPAPI, see [Windows Data Protection](http://go.microsoft.com/fwlink/p/?linkid=121720) (http://go.microsoft.com/fwlink/p/?linkid=121720). + Event volume: Low + Default: Not configured + If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista. - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4692

Backup of data protection master key was attempted.

4693

Recovery of data protection master key was attempted.

4694

Protection of auditable protected data was attempted.

4695

Unprotection of auditable protected data was attempted.

+ +| Event ID | Event message | +| - | - | +| 4692 | Backup of data protection master key was attempted. | +| 4693 | Recovery of data protection master key was attempted. | +| 4694 | Protection of auditable protected data was attempted. | +| 4695 | Unprotection of auditable protected data was attempted. |   ## Related resource -[Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md) + +- [Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-file-share.md b/windows/keep-secure/audit-file-share.md index e1d039ce4d..8040bc118a 100644 --- a/windows/keep-secure/audit-file-share.md +++ b/windows/keep-secure/audit-file-share.md 
@@ -2,66 +2,39 @@ title: Audit File Share (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed. ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit File Share + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File Share**, which determines whether the operating system generates audit events when a file share is accessed. + Audit events are not generated when shares are created, deleted, or when share permissions change. -**Note**   -There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited. +> **Note:**  There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.   Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. + Event volume: High on a file server or domain controller (due to SYSVOL access by client computers for policy processing) + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

5140

A network share object was accessed.

-
-Note   -

This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

-
-
-  -

5142

A network share object was added.

5143

A network share object was modified.

5144

A network share object was deleted.

5168

SPN check for SMB/SMB2 failed.

+ +| Event ID | Event message | +| - |- | +| 5140 | A network share object was accessed.
**Note:** This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. | +| 5142 | A network share object was added. | +| 5143 | A network share object was modified. | +| 5144 | A network share object was deleted. | +| 5168 | SPN check for SMB/SMB2 failed. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-file-system.md b/windows/keep-secure/audit-file-system.md index 1eaab87e2c..53faccfac6 100644 --- a/windows/keep-secure/audit-file-system.md +++ b/windows/keep-secure/audit-file-system.md 
@@ -2,51 +2,39 @@ title: Audit File System (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects. ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy +ms.pagetype: security ms.sitesec: library author: brianlic-msft --- + # Audit File System + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File System**, which determines whether the operating system generates audit events when users attempt to access file system objects. Audit events are generated only for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. + These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring. + Event volume: Varies, depending on how file system SACLs are configured + No audit events are generated for the default file system SACLs. + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4664

An attempt was made to create a hard link.

4985

The state of a transaction has changed.

5051

A file was virtualized.

+ +| Event ID | Event message | +| - | - | +| 4664 | An attempt was made to create a hard link. | +| 4985 | The state of a transaction has changed. | +| 5051 | A file was virtualized. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-filtering-platform-connection.md b/windows/keep-secure/audit-filtering-platform-connection.md index 4931fa3cd4..a23961c6d9 100644 --- a/windows/keep-secure/audit-filtering-platform-connection.md +++ b/windows/keep-secure/audit-filtering-platform-connection.md 
@@ -2,80 +2,48 @@ title: Audit Filtering Platform Connection (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Filtering Platform Connection + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Connection**, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. + Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). + This security policy enables you to audit the following types of actions: + - The Windows Firewall service blocks an application from accepting incoming connections on the network. - The Windows Filtering Platform allows or blocks a connection. - The Windows Filtering Platform permits or blocks a bind to a local port. - The Windows Filtering Platform permits or blocks an application or service from listening for incoming connections on a port. + Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

5031

The Windows Firewall Service blocked an application from accepting incoming connections on the network.

5140

A network share object was accessed.

5150

The Windows Filtering Platform blocked a packet.

5151

A more restrictive Windows Filtering Platform filter has blocked a packet.

5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

5156

The Windows Filtering Platform has allowed a connection.

5157

The Windows Filtering Platform has blocked a connection.

5158

The Windows Filtering Platform has permitted a bind to a local port.

5159

The Windows Filtering Platform has blocked a bind to a local port.

+ +| Event ID | Event message | +| - | - | +| 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | +| 5140 | A network share object was accessed. | +| 5150 | The Windows Filtering Platform blocked a packet. | +| 5151 | A more restrictive Windows Filtering Platform filter has blocked a packet. | +| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | +| 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | +| 5156 | The Windows Filtering Platform has allowed a connection. | +| 5157 | The Windows Filtering Platform has blocked a connection. | +| 5158 | The Windows Filtering Platform has permitted a bind to a local port. | +| 5159 | The Windows Filtering Platform has blocked a bind to a local port. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-filtering-platform-packet-drop.md b/windows/keep-secure/audit-filtering-platform-packet-drop.md index e9afd9f620..fda5bc89e7 100644 --- a/windows/keep-secure/audit-filtering-platform-packet-drop.md +++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md 
@@ -2,44 +2,35 @@ title: Audit Filtering Platform Packet Drop (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. ms.assetid: 95457601-68d1-4385-af20-87916ddab906 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Filtering Platform Packet Drop + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Packet Drop**, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. + Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). + A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to computers on your network. + Event volume: High + Default setting: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

5152

The Windows Filtering Platform blocked a packet.

5153

A more restrictive Windows Filtering Platform filter has blocked a packet.

+ +| Event ID | Event message | +| - | - | +| 5152 | The Windows Filtering Platform blocked a packet. | +| 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-filtering-platform-policy-change.md b/windows/keep-secure/audit-filtering-platform-policy-change.md index 07394011e0..97f04007ea 100644 --- a/windows/keep-secure/audit-filtering-platform-policy-change.md +++ b/windows/keep-secure/audit-filtering-platform-policy-change.md 
@@ -2,24 +2,33 @@ title: Audit Filtering Platform Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Filtering Platform Policy Change + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Policy Change**, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions. + Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). + This security policy setting determines whether the operating system generates audit events for: + - IPsec services status. - Changes to IPsec settings. - Status and changes to the Windows Filtering Platform engine and providers. - IPsec Policy Agent service activities. + Event volume: Low + Default: Not configured + @@ -210,6 +219,7 @@ Default: Not configured
  ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md index dd5a17ef22..2ceff2fa34 100644 --- a/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/keep-secure/audit-force-audit-policy-subcategory-settings-to-override.md 
@@ -2,90 +2,94 @@ title: Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (Windows 10) description: Describes the best practices, location, values, and security considerations for the Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings security policy setting. ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings + **Applies to** - Windows 10 + Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting. + ## Reference + You can manage your audit policy in a more precise way by using audit policy subcategories. + There are over 40 auditing subcategories that provide precise details about activities on a device. For info about these subcategories, see the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). + ### Possible values + - Enabled - Disabled + ### Best practices + - Leave the setting enabled. This provides the ability to audit events at the category level without revising a policy. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Enabled

DC Effective Default Settings

Enabled

Member Server Effective Default Settings

Enabled

Client Computer Effective Default Settings

Enabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Enabled | +| DC Effective Default Settings | Enabled | +| Member Server Effective Default Settings | Enabled | +| Client Computer Effective Default Settings | Enabled |   ## Policy management + This section describes features and tools that are available to help you manage this policy. + ### Restart requirement + None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. + ### Group Policy + All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). + ### Auditing + To manage an audit policy by using subcategories without requiring a change to Group Policy, the SCENoApplyLegacyAuditPolicy registry value , prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. + If the category level audit policy that is set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set. + ### Command-line tools + You can use auditpol.exe to display and manage audit policies from a command prompt. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events, and the key information that needed to be audited was difficult to find. 
+ ### Countermeasure + Enable audit policy subcategories as needed to track specific events. + ### Potential impacts -If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the **SCENoApplyLegacyAuditPolicy** key. -**Important**   -Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance. + +If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the +**SCENoApplyLegacyAuditPolicy** key. +> **Important:**  Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance.   ## Related topics -[Security Options](security-options.md) + +- [Security Options](security-options.md)     diff --git a/windows/keep-secure/audit-group-membership.md b/windows/keep-secure/audit-group-membership.md index 795f24a6ef..bfbd5e7887 100644 --- a/windows/keep-secure/audit-group-membership.md +++ b/windows/keep-secure/audit-group-membership.md 
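Review bot: the Auditing subsection of this hunk carries a stray space before the comma in "the SCENoApplyLegacyAuditPolicy registry value , prevents the application of category-level audit policy", and the following sentence spells it "category level" without the hyphen; suggest "the SCENoApplyLegacyAuditPolicy registry value prevents the application of category-level audit policy ..." and "category-level" in both places. In Potential impacts the rewritten paragraph now breaks mid-sentence after "you must first disable the" and starts the next line with "**SCENoApplyLegacyAuditPolicy** key."; keep the sentence on one line as the removed version had it so the bold name is not orphaned at a line start. The same setting is called a "registry value" in Auditing and a "key" in Potential impacts; since the Auditing text is the one that defines it, "value" would be the consistent term.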
@@ -2,43 +2,37 @@ title: Audit Group Membership (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC. ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Group Membership + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Group Membership**, which enables you to audit group memberships when they are enumerated on the client PC. + This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. + For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. -**Note**  You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. +> **Note:**  You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**.   Multiple events are generated if the group membership information cannot fit in a single security audit event + Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

4627

Group membership information.

+ +| Event ID | Event message | +| - | - | +| 4627 | Group membership information. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-handle-manipulation.md b/windows/keep-secure/audit-handle-manipulation.md index e168f2a962..da8a48ee26 100644 --- a/windows/keep-secure/audit-handle-manipulation.md +++ b/windows/keep-secure/audit-handle-manipulation.md 
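Review bot: the context line "Multiple events are generated if the group membership information cannot fit in a single security audit event" has no terminating period; since this hunk already reflows the paragraphs around it, add the period here. The converted "> **Note:**" line keeps two spaces after the colon, and the first appears to be the non-breaking space inherited from the removed "**Note**  " line; a single ordinary space avoids leaving an invisible character in the source.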
@@ -2,50 +2,37 @@ title: Audit Handle Manipulation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Handle Manipulation + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Handle Manipulation**, which determines whether the operating system generates audit events when a handle to an object is opened or closed. + Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL. -**Important**   -Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md). + +> **Important:**  Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md).   + Event volume: High, depending on how SACLs are configured + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4656

A handle to an object was requested.

4658

The handle to an object was closed.

4690

An attempt was made to duplicate a handle to an object.

+ +| Event ID | Event message | +| - | - | +| 4656 | A handle to an object was requested. | +| 4658 | The handle to an object was closed. | +| 4690 | An attempt was made to duplicate a handle to an object. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-ipsec-driver.md b/windows/keep-secure/audit-ipsec-driver.md index 7c7fd0de22..7394906faa 100644 --- a/windows/keep-secure/audit-ipsec-driver.md +++ b/windows/keep-secure/audit-ipsec-driver.md 
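Review bot: the new "> **Important:**" blockquote in this hunk is followed immediately by the "Event volume: High, depending on how SACLs are configured" line with only the blank line that the removed "**Important**   " block used to own; confirm a blank line separates the blockquote from the next paragraph, otherwise markdown lazily continues the quote and "Event volume" renders inside it. As in the other files, the double space after "Important:" looks like a carried-over non-breaking space and can be a single space.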
@@ -2,87 +2,53 @@ title: Audit IPsec Driver (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver. ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit IPsec Driver + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit IPsec Driver**, which determines whether the operating system generates audit events for the activities of the IPsec driver. + The IPsec driver, using the IP Filter List from the active IPsec policy, watches for outbound IP packets that must be secured and inbound IP packets that must be verified and decrypted. This security policy setting reports on the following activities of the IPsec driver: + - Startup and shutdown of IPsec services. - Packets dropped due to integrity-check failure. - Packets dropped due to replay-check failure. - Packets dropped due to being in plaintext. - Packets received with an incorrect Security Parameter Index (SPI). (This can indicate malfunctioning hardware or interoperability problems.) - Failure to process IPsec filters. + A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems. + Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. + Event volume: Medium + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4960

IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.

4961

IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.

4962

IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.

4963

IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

4965

IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.

5478

IPsec Services has started successfully.

5479

IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

5480

IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

5483

IPsec Services failed to initialize RPC server. IPsec Services could not be started.

5484

IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

5485

IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

+ +| Event ID | Event message | +| - | - | +| 4960 | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. | +| 4961 | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. | +| 4962 | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. | +| 4963 | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. | +| 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. | +| 5478 | IPsec Services has started successfully. | +| 5479 | IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | +| 5480 | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. 
Use the IP Security Monitor snap-in to diagnose the problem. | +| 5483 | IPsec Services failed to initialize RPC server. IPsec Services could not be started. | +| 5484 | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | +| 5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-ipsec-extended-mode.md b/windows/keep-secure/audit-ipsec-extended-mode.md index 9b316c69be..89f0857940 100644 --- a/windows/keep-secure/audit-ipsec-extended-mode.md +++ b/windows/keep-secure/audit-ipsec-extended-mode.md 
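Review bot: the 5480 row of the new table appears to wrap onto a second line after "the applied IPsec filters." with "Use the IP Security Monitor snap-in to diagnose the problem. |" on its own line; a markdown table row must stay on one line or the cell is truncated and the trailing pipe starts a broken row. The 5485 row, which ends with the identical sentence, is on a single line, so this looks like an accidental hard wrap; verify the row is one line in the file.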
@@ -2,106 +2,41 @@ title: Audit IPsec Extended Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit IPsec Extended Mode + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Extended Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. + IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. -AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation. AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications. 
+ +AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation. +AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications. + Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4978

During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

4979

IPsec Main Mode and Extended Mode security associations were established.

-
-Note   -

This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information.

-
-
-  -

4980

IPsec Main Mode and Extended Mode security associations were established.

-
-Note   -

This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information:

-
-
-  -

4981

IPsec Main Mode and Extended Mode security associations were established.

-
-Note   -

This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information.

-
-
-  -

4982

IPsec Main Mode and Extended Mode security associations were established.

-
-Note   -

This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information.

-
-
-  -

4983

An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

-
-Note   -

This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information.

-
-
-  -

4984

An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

-
-Note   -

This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information.

-
-
-  -
+ +| Event ID | Event message | +| - | - | +| 4978 | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. | +| 4979 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information. | +| 4980 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information: | +| 4981 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information. | +| 4982 | IPsec Main Mode and Extended Mode security associations were established.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information. | +| 4983 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information. | +| 4984 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
**Note:** This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-ipsec-main-mode.md b/windows/keep-secure/audit-ipsec-main-mode.md index 2f62f592fd..203307a841 100644 --- a/windows/keep-secure/audit-ipsec-main-mode.md +++ b/windows/keep-secure/audit-ipsec-main-mode.md 
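Review bot: punctuation errors from the HTML table were carried into the new rows rather than fixed: the 4980 cell lists "Main Mode Remote Endpoint. Main Mode Cryptographic Information" with a period where a comma belongs and ends with a colon instead of a period, and 4979 says "event data" while 4980 to 4984 say "event audit data". Since every row is rewritten in this hunk, correct them here. Each note continues on a new line inside its cell (after "were established." or "has been deleted."); if that is a literal line break rather than a break tag, the row is split and the table will not render past 4978, so confirm. Separately, the rewritten paragraph says "Like IKE, AuthIP supports main-mode and quick-mode negotiation." in lower-case hyphenated form, while the Main Mode and Quick Mode topics in this same patch write "Main Mode and Quick Mode negotiation"; align the spelling.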
@@ -2,87 +2,42 @@ title: Audit IPsec Main Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit IPsec Main Mode + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Main Mode**, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. + IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation. Main Mode Internet Key Exchange (IKE) negotiation establishes a secure channel, known as the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), between two computers. To establish the secure channel, Main Mode negotiation determines a set of cryptographic protection suites, exchanges keying material to establish the shared secret key, and authenticates computer identities. 
+ Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4646

Security ID: %1

4650

An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.

4651

An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.

4652

An IPsec Main Mode negotiation failed.

-
-Note   -

This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information.

-
-
-  -

4653

An IPsec Main Mode negotiation failed.

-
-Note   -

This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information.

-
-
-  -

4655

An IPsec Main Mode security association ended.

4976

During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

5049

An IPsec Security Association was deleted.

5453

An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

+ +| Event ID | Event message | +| - | - | +| 4646 | Security ID: %1 | +| 4650 | An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. | +| 4651 | An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. | +| 4652 | An IPsec Main Mode negotiation failed.
**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information. | +| 4653 | An IPsec Main Mode negotiation failed.
**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. | +| 4655 | An IPsec Main Mode security association ended. | +| 4976 | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. | +| 5049 | An IPsec Security Association was deleted. | +| 5453 | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-ipsec-quick-mode.md b/windows/keep-secure/audit-ipsec-quick-mode.md index 969ea8f4d6..79de06ad17 100644 --- a/windows/keep-secure/audit-ipsec-quick-mode.md +++ b/windows/keep-secure/audit-ipsec-quick-mode.md 
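Review bot: the 4646 row in the new table keeps the message "Security ID: %1", a raw format string with an unexpanded insertion parameter, while every other row carries a descriptive sentence; replace it with the event's description or drop the row if the event is not meant to be documented here. As in the Extended Mode table, the 4652 and 4653 cells continue with "**Note:** ..." on a following line; confirm this is a break tag and not a hard line break, which would break the row.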
@@ -2,49 +2,36 @@ title: Audit IPsec Quick Mode (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit IPsec Quick Mode + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Quick Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. + IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers. AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation. Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs that are created during Quick Mode are called the IPsec SAs. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. 
A protection suite that protects specified IP traffic is also selected. A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange. + Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4977

During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

5451

An IPsec Quick Mode security association was established.

5452

An IPsec Quick Mode security association ended.

+ +| Event ID | Event message | +|- |- | +| 4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.| +| 5451 | An IPsec Quick Mode security association was established.| +| 5452 | An IPsec Quick Mode security association ended.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-kerberos-authentication-service.md b/windows/keep-secure/audit-kerberos-authentication-service.md index 59067e3f7a..85498b7404 100644 --- a/windows/keep-secure/audit-kerberos-authentication-service.md +++ b/windows/keep-secure/audit-kerberos-authentication-service.md 
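Review bot: the delimiter row "|- |- |" and the cells ending "negotiation.|" and "established.|" with no space before the closing pipe differ from the "| - | - |" and "... |" form used by every other table in this patch; the markdown renders the same, but align it for consistency. The description paragraph also repeats the IKE and AuthIP sentences verbatim from the Main Mode topic; if that is intentional, fine, but the lower-case "main-mode and quick-mode" spelling in the Extended Mode topic should match the "Main Mode and Quick Mode" used here.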
@@ -2,48 +2,35 @@ title: Audit Kerberos Authentication Service (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Kerberos Authentication Service + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Authentication Service**, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. + If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts. + Event volume: High on Kerberos Key Distribution Center servers + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4768

A Kerberos authentication ticket (TGT) was requested.

4771

Kerberos preauthentication failed.

4772

A Kerberos authentication ticket request failed.

+ +| Event ID | Event message | +| - | - | +| 4768 | A Kerberos authentication ticket (TGT) was requested. | +| 4771 | Kerberos preauthentication failed. | +| 4772 | A Kerberos authentication ticket request failed. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-kerberos-service-ticket-operations.md b/windows/keep-secure/audit-kerberos-service-ticket-operations.md index b174f61378..5f00cf260a 100644 --- a/windows/keep-secure/audit-kerberos-service-ticket-operations.md +++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md @@ -2,46 +2,37 @@ title: Audit Kerberos Service Ticket Operations (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests. ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Kerberos Service Ticket Operations + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Service Ticket Operations**, which determines whether the operating system generates security audit events for Kerberos service ticket requests. + Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity. + Event volume: + - High on a domain controller that is in a Key Distribution Center (KDC) - Low on domain members + Default: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

4769

A Kerberos service ticket was requested.

4770

A Kerberos service ticket was renewed.

+ +| Event ID | Event message | +| - | - | +| 4769 | A Kerberos service ticket was requested. | +| 4770 | A Kerberos service ticket was renewed. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-kernel-object.md b/windows/keep-secure/audit-kernel-object.md index 646f5f6d75..783f4c3e18 100644 --- a/windows/keep-secure/audit-kernel-object.md +++ b/windows/keep-secure/audit-kernel-object.md 
@@ -2,56 +2,40 @@ title: Audit Kernel Object (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Kernel Object + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kernel Object**, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. + Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers. + Typically, kernel objects are given SACLs only if the **AuditBaseObjects** or **AuditBaseDirectories** auditing options are enabled. -**Note**   -The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects. + +> **Note:**  The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects.   Event volume: High if you have enabled one of the Global Object Access Auditing settings + Default setting: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4659

A handle to an object was requested with intent to delete.

4660

An object was deleted.

4661

A handle to an object was requested.

4663

An attempt was made to access an object.

+ +| Event ID | Event message | +| - | - | +| 4659 | A handle to an object was requested with intent to delete. | +| 4660 | An object was deleted. | +| 4661 | A handle to an object was requested. | +| 4663 | An attempt was made to access an object. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-logoff.md b/windows/keep-secure/audit-logoff.md index feac0833b9..05aee8928a 100644 --- a/windows/keep-secure/audit-logoff.md +++ b/windows/keep-secure/audit-logoff.md 
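Review bot: the context line "Default setting: Not configured" in audit-kernel-object.md (just above the converted table) uses a different label from every other file in this patch, which write "Default: Not configured" (audit-kerberos-service-ticket-operations.md, audit-logoff.md, audit-logon.md and the rest); since the surrounding blank lines are being touched anyway, change it to "Default: Not configured" so the topics stay parallel.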
@@ -2,48 +2,38 @@ title: Audit Logoff (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated. ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Logoff + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logoff**, which determines whether the operating system generates audit events when logon sessions are terminated. + These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to. -**Note**   -There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. + +> **Note: **  There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.   Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated. + Event volume: Low + Default: Success - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

4634

An account was logged off.

4647

User initiated logoff.

+ +| Event ID | Event message | +| - | - | +| 4634 | An account was logged off. | +| 4647 | User initiated logoff. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-logon.md b/windows/keep-secure/audit-logon.md index 396d8cc641..fb98f6691c 100644 --- a/windows/keep-secure/audit-logon.md +++ b/windows/keep-secure/audit-logon.md 
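Review bot: the added note line in audit-logoff.md, `> **Note: **  There is no failure event in this subcategory ...`, has a space inside the closing bold delimiter, so `**Note: **` will not render as bold and the stray asterisks will show in the page; change it to `> **Note:**  There is no failure event in this subcategory ...` to match the form used in the other files of this patch (for example audit-kernel-object.md).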
@@ -2,57 +2,44 @@ title: Audit Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer. ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Logon + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logon**, which determines whether the operating system generates audit events when a user attempts to log on to a computer. + These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed. + The following events are recorded: + - Logon success and failure. - Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the Runas command. - Security identifiers (SIDs) are filtered. + Logon events are essential to tracking user activity and detecting potential attacks. + Event volume: Low on a client computer; medium on a domain controller or network server + Default: Success for client computers; success and failure for servers - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4624

An account was successfully logged on.

4625

An account failed to log on.

4648

A logon was attempted using explicit credentials.

4675

SIDs were filtered.

+ +| Event ID | Event message | +| - | - | +| 4624 | An account was successfully logged on. | +| 4625 | An account failed to log on. | +| 4648 | A logon was attempted using explicit credentials. | +| 4675 | SIDs were filtered. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md index c038f872bd..67760b944f 100644 --- a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md +++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md 
@@ -2,98 +2,54 @@ title: Audit MPSSVC Rule-Level Policy Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit MPSSVC Rule-Level Policy Change + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit MPSSVC Rule-Level Policy Change**, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). + The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer’s threat protection against malware. The tracked activities include: + - Active policies when the Windows Firewall service starts. - Changes to Windows Firewall rules. - Changes to the Windows Firewall exception list. - Changes to Windows Firewall settings. - Rules ignored or not applied by the Windows Firewall service. - Changes to Windows Firewall Group Policy settings. + Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4944

The following policy was active when the Windows Firewall started.

4945

A rule was listed when the Windows Firewall started.

4946

A change has been made to Windows Firewall exception list. A rule was added.

4947

A change has been made to Windows Firewall exception list. A rule was modified.

4948

A change has been made to Windows Firewall exception list. A rule was deleted.

4949

Windows Firewall settings were restored to the default values.

4950

A Windows Firewall setting has changed.

4951

A rule has been ignored because its major version number was not recognized by Windows Firewall.

4952

Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.

4953

A rule has been ignored by Windows Firewall because it could not parse the rule.

4954

Windows Firewall Group Policy settings have changed. The new settings have been applied.

4956

Windows Firewall has changed the active profile.

4957

Windows Firewall did not apply the following rule:

4958

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:

+ +| Event ID | Event message | +| - | - | +| 4944 | The following policy was active when the Windows Firewall started. | +| 4945 | A rule was listed when the Windows Firewall started. | +| 4946 | A change has been made to Windows Firewall exception list. A rule was added. | +| 4947 | A change has been made to Windows Firewall exception list. A rule was modified. | +| 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. | +| 4949 | Windows Firewall settings were restored to the default values. | +| 4950 | A Windows Firewall setting has changed. | +| 4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. | +| 4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. | +| 4953 | A rule has been ignored by Windows Firewall because it could not parse the rule. | +| 4954 | Windows Firewall Group Policy settings have changed. The new settings have been applied. | +| 4956 | Windows Firewall has changed the active profile. | +| 4957 | Windows Firewall did not apply the following rule: | +| 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-network-policy-server.md b/windows/keep-secure/audit-network-policy-server.md index 1a7b659ed3..5f060ff57e 100644 --- a/windows/keep-secure/audit-network-policy-server.md +++ b/windows/keep-secure/audit-network-policy-server.md 
@@ -2,71 +2,40 @@ title: Audit Network Policy Server (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Network Policy Server + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Network Policy Server**, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock). + NAP events can be used to help understand the overall health of the network. + Event volume: Medium to high on servers that are running Network Policy Server (NPS); moderate on other servers or on client computers + Default: Success and failure - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

6272

Network Policy Server granted access to a user.

6273

Network Policy Server denied access to a user.

6274

Network Policy Server discarded the request for a user.

6275

Network Policy Server discarded the accounting request for a user.

6276

Network Policy Server quarantined a user.

6277

Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

6278

Network Policy Server granted full access to a user because the host met the defined health policy.

6279

Network Policy Server locked the user account due to repeated failed authentication attempts.

6280

Network Policy Server unlocked the user account.

+ +| Event ID | Event message | +| - | - | +| 6272 | Network Policy Server granted access to a user. | +| 6273 | Network Policy Server denied access to a user. | +| 6274 | Network Policy Server discarded the request for a user. | +| 6275 | Network Policy Server discarded the accounting request for a user. | +| 6276 | Network Policy Server quarantined a user. | +| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. | +| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. | +| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. | +| 6280 | Network Policy Server unlocked the user account. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-non-sensitive-privilege-use.md b/windows/keep-secure/audit-non-sensitive-privilege-use.md index 086e940d66..e1321ebc6a 100644 --- a/windows/keep-secure/audit-non-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md 
@@ -2,17 +2,22 @@ title: Audit Non-Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Non-Sensitive Privilege Use + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Non-Sensitive Privilege Use**, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. + The following privileges are non-sensitive: + - **Access Credential Manager as a trusted caller** - **Access this computer from the network** - **Add workstations to domain** @@ -43,37 +48,21 @@ The following privileges are non-sensitive: - **Remove computer from docking station** - **Shut down the system** - **Synchronize directory service data** + If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts. + Event volume: Very high + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4672

Special privileges assigned to new logon.

4673

A privileged service was called.

4674

An operation was attempted on a privileged object.

+ +| Event ID | Event message | +| - | - | +| 4672 | Special privileges assigned to new logon. | +| 4673 | A privileged service was called. | +| 4674 | An operation was attempted on a privileged object. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-account-logon-events.md b/windows/keep-secure/audit-other-account-logon-events.md index d924a8af0d..57eaa771fa 100644 --- a/windows/keep-secure/audit-other-account-logon-events.md +++ b/windows/keep-secure/audit-other-account-logon-events.md 
@@ -2,86 +2,53 @@ title: Audit Other Account Logon Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Account Logon Events + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Other Account Logon Events**, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. + Examples can include the following: + - Remote Desktop session disconnections - New Remote Desktop sessions - Locking and unlocking a workstation - Invoking a screen saver - Dismissing a screen saver - Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice - **Note**   - This condition could be caused by a network misconfiguration. + + > **Note:**  This condition could be caused by a network misconfiguration.   - Access to a wireless network granted to a user or computer account - Access to a wired 802.1x network granted to a user or computer account + Event volume: Varies, depending on system use + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4649

A replay attack was detected.

4778

A session was reconnected to a Window Station.

4779

A session was disconnected from a Window Station.

4800

The workstation was locked.

4801

The workstation was unlocked.

4802

The screen saver was invoked.

4803

The screen saver was dismissed.

5378

The requested credentials delegation was disallowed by policy.

5632

A request was made to authenticate to a wireless network.

5633

A request was made to authenticate to a wired network.

+ +| Event ID | Event message | +| - | - | +| 4649 | A replay attack was detected. | +| 4778 | A session was reconnected to a Window Station. | +| 4779 | A session was disconnected from a Window Station. | +| 4800 | The workstation was locked. | +| 4801 | The workstation was unlocked. | +| 4802 | The screen saver was invoked. | +| 4803 | The screen saver was dismissed. | +| 5378 | The requested credentials delegation was disallowed by policy. | +| 5632 | A request was made to authenticate to a wireless network. | +| 5633 | A request was made to authenticate to a wired network. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-account-management-events.md b/windows/keep-secure/audit-other-account-management-events.md index a5929d83f0..737c91e478 100644 --- a/windows/keep-secure/audit-other-account-management-events.md +++ b/windows/keep-secure/audit-other-account-management-events.md 
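Review bot: the blockquote added under the "Detection of a Kerberos replay attack" bullet in audit-other-account-logon-events.md (`> **Note:**  This condition could be caused by a network misconfiguration.`) has to be indented to that bullet's content column; if it starts at column 0 it terminates the list, and the two items that follow it ("Access to a wireless network granted to a user or computer account", "Access to a wired 802.1x network ...") render as a separate list. The flattened diff does not show that indentation, so please confirm it before merging.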
@@ -2,49 +2,38 @@ title: Audit Other Account Management Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events. ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Account Management Events + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Account Management Events**, which determines whether the operating system generates user account management audit events. + Events can be generated for user account management auditing when: + - The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data. - The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied. - Changes are made to domain policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** or **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**. -**Note**   -These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator. +> **Note:**  These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator.   Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent Message Summary

4782

The password hash for an account was accessed.

4793

The Password Policy Checking API was called.

+ +| Event ID | Event message | +| - | - | +| 4782 | The password hash for an account was accessed. | +| 4793 | The Password Policy Checking API was called. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-logonlogoff-events.md b/windows/keep-secure/audit-other-logonlogoff-events.md index d1068bc02c..14b371601d 100644 --- a/windows/keep-secure/audit-other-logonlogoff-events.md +++ b/windows/keep-secure/audit-other-logonlogoff-events.md 
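Review bot: the note in audit-other-account-management-events.md ("These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator.") describes only the third bullet, the domain policy changes under Password Policy and Account Lockout Policy, but after this change it sits as a top-level `> **Note:**` after the whole list, where it reads as applying to the password hash and Password Policy Checking API events as well; either indent it under that third bullet (as this patch does for the replay-attack note in audit-other-account-logon-events.md) or reword it, for example "These domain policy change events are logged when ...". Renaming the column header from "Event Message Summary" to "Event message" is fine, since it matches the other tables in this patch.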
@@ -2,82 +2,50 @@ title: Audit Other Logon/Logoff Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events. ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Logon/Logoff Events + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Logon/Logoff Events**, which determines whether Windows generates audit events for other logon or logoff events. + These other logon or logoff events include: + - A Remote Desktop session connects or disconnects. - A workstation is locked or unlocked. - A screen saver is invoked or dismissed. - A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration. - A user is granted access to a wireless network. It can either be a user account or the computer account. - A user is granted access to a wired 802.1x network. It can either be a user account or the computer account. + Logon events are essential to understanding user activity and detecting potential attacks. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4649

A replay attack was detected.

4778

A session was reconnected to a Window Station.

4779

A session was disconnected from a Window Station.

4800

The workstation was locked.

4801

The workstation was unlocked.

4802

The screen saver was invoked.

4803

The screen saver was dismissed.

5378

The requested credentials delegation was disallowed by policy.

5632

A request was made to authenticate to a wireless network.

5633

A request was made to authenticate to a wired network.

+ +| Event ID | Event message | +| - | - | +| 4649 | A replay attack was detected. | +| 4778 | A session was reconnected to a Window Station. | +| 4779 | A session was disconnected from a Window Station. | +| 4800 | The workstation was locked. | +| 4801 | The workstation was unlocked. | +| 4802 | The screen saver was invoked. | +| 4803 | The screen saver was dismissed. | +| 5378 | The requested credentials delegation was disallowed by policy. | +| 5632 | A request was made to authenticate to a wireless network. | +| 5633 | A request was made to authenticate to a wired network. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-object-access-events.md b/windows/keep-secure/audit-other-object-access-events.md index 0a0b4e92c2..71b1ee1965 100644 --- a/windows/keep-secure/audit-other-object-access-events.md +++ b/windows/keep-secure/audit-other-object-access-events.md 
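Review bot: the markdown table added to audit-other-logonlogoff-events.md (4649 through 5633) is row for row identical to the one added to audit-other-account-logon-events.md earlier in this patch, although the two topics describe different subcategories (Other Account Logon Events versus Other Logon/Logoff Events); the HTML-to-markdown conversion carries the duplication over unchanged, so it is worth confirming which subcategory each of these events actually belongs to before both tables go out in the new format.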
@@ -2,92 +2,55 @@ title: Audit Other Object Access Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Object Access Events + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Object Access Events**, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. + For scheduler jobs, the following actions are audited: + - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. + For COM+ objects, the following actions are audited: + - Catalog object added. - Catalog object updated. - Catalog object deleted. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4671

An application attempted to access a blocked ordinal through the TBS.

4691

Indirect access to an object was requested.

4698

A scheduled task was created.

4699

A scheduled task was deleted.

4700

A scheduled task was enabled.

4701

A scheduled task was disabled.

4702

A scheduled task was updated.

5148

The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.

5149

The DoS attack has subsided and normal processing is being resumed.

5888

An object in the COM+ Catalog was modified.

5889

An object was deleted from the COM+ Catalog.

5890

An object was added to the COM+ Catalog.

+ +| Event ID | Event message | +| - | - | +| 4671 | An application attempted to access a blocked ordinal through the TBS. | +| 4691 | Indirect access to an object was requested. | +| 4698 | A scheduled task was created. | +| 4699 | A scheduled task was deleted. | +| 4700 | A scheduled task was enabled. | +| 4701 | A scheduled task was disabled. | +| 4702 | A scheduled task was updated. | +| 5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. | +| 5149 | The DoS attack has subsided and normal processing is being resumed. | +| 5888 | An object in the COM+ Catalog was modified. | +| 5889 | An object was deleted from the COM+ Catalog. | +| 5890 | An object was added to the COM+ Catalog. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-policy-change-events.md b/windows/keep-secure/audit-other-policy-change-events.md index 297f8250bb..7e2c53404a 100644 --- a/windows/keep-secure/audit-other-policy-change-events.md +++ b/windows/keep-secure/audit-other-policy-change-events.md 
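Review bot: the converted table in audit-other-object-access-events.md carries events the topic text never introduces: 4671 (an application attempted to access a blocked ordinal through the TBS), 4691 (indirect access to an object was requested) and 5148/5149 (Windows Filtering Platform DoS detection and recovery), whereas the description and the two bullet lists above the table mention only Task Scheduler jobs and COM+ catalog objects; since the lists are being reworked anyway, add a sentence or a third bullet list covering the TBS and WFP events so the narrative and the table agree.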
@@ -2,95 +2,50 @@ title: Audit Other Policy Change Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Policy Change Events + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Policy Change Events**, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category. + These other activities in the Policy Change category that can be audited include: + - Trusted Platform Module (TPM) configuration changes. - Kernel-mode cryptographic self tests. - Cryptographic provider operations. - Cryptographic context operations or modifications. + Event volume: Low + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4670

Permissions on an object were changed.

4909

The local policy settings for the TBS were changed.

4910

The group policy settings for the TBS were changed.

5063

A cryptographic provider operation was attempted.

5064

A cryptographic context operation was attempted.

5065

A cryptographic context modification was attempted.

5066

A cryptographic function operation was attempted.

5067

A cryptographic function modification was attempted.

5068

A cryptographic function provider operation was attempted.

5069

A cryptographic function property operation was attempted.

5070

A cryptographic function property modification was attempted.

5447

A Windows Filtering Platform filter has been changed.

6144

Security policy in the group policy objects has been applied successfully.

6145

One or more errors occurred while processing security policy in the group policy objects.

+ +| Event ID | Event message | +| - | - | +| 4670 | Permissions on an object were changed. | +| 4909 | The local policy settings for the TBS were changed. | +| 4910 | The group policy settings for the TBS were changed. | +| 5063 | A cryptographic provider operation was attempted. | +| 5064 | A cryptographic context operation was attempted. | +| 5065 | A cryptographic context modification was attempted. | +| 5066 | A cryptographic function operation was attempted. | +| 5067 | A cryptographic function modification was attempted. | +| 5068 | A cryptographic function provider operation was attempted. | +| 5069 | A cryptographic function property operation was attempted. | +| 5070 | A cryptographic function property modification was attempted. | +| 5447 | A Windows Filtering Platform filter has been changed. | +| 6144 | Security policy in the group policy objects has been applied successfully. | +| 6145 | One or more errors occurred while processing security policy in the group policy objects. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-privilege-use-events.md b/windows/keep-secure/audit-other-privilege-use-events.md index 145e348e6e..839251f763 100644 --- a/windows/keep-secure/audit-other-privilege-use-events.md +++ b/windows/keep-secure/audit-other-privilege-use-events.md 
@@ -2,17 +2,21 @@ title: Audit Other Privilege Use Events (Windows 10) description: This security policy setting is not used. ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other Privilege Use Events + **Applies to** - Windows 10 + This security policy setting is not used. + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-other-system-events.md b/windows/keep-secure/audit-other-system-events.md index 26c8610d85..2b28658209 100644 --- a/windows/keep-secure/audit-other-system-events.md +++ b/windows/keep-secure/audit-other-system-events.md 
@@ -2,129 +2,59 @@ title: Audit Other System Events (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events. ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Other System Events + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other System Events**, which determines whether the operating system audits various system events. + The system events in this category include: + - Startup and shutdown of the Windows Firewall service and driver. - Security policy processing by the Windows Firewall service. - Cryptography key file and migration operations. -**Important**   -Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats. + +> **Important:**  Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats.   Event volume: Low + Default: Success and failure - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

5024

The Windows Firewall Service has started successfully.

5025

The Windows Firewall Service has been stopped.

5027

The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.

5028

The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.

5029

The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.

5030

The Windows Firewall Service failed to start.

5032

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

5033

The Windows Firewall Driver has started successfully.

5034

The Windows Firewall Driver has been stopped.

5035

The Windows Firewall Driver failed to start.

5037

The Windows Firewall Driver detected critical runtime error. Terminating.

5058

Key file operation.

5059

Key migration operation.

6400

BranchCache: Received an incorrectly formatted response while discovering availability of content.

6401

BranchCache: Received invalid data from a peer. Data discarded.

6402

BranchCache: The message to the hosted cache offering it data is incorrectly formatted.

6403

BranchCache: The hosted cache sent an incorrectly formatted response to the client.

6404

BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.

6405

BranchCache: %2 instance(s) of event id %1 occurred.

6406

%1 registered to Windows Firewall to control filtering for the following: %2

6407

1%

6408

Registered product %1 failed and Windows Firewall is now controlling the filtering for %2

+ +| Event ID | Event message | +| - | - | +| 5024 | The Windows Firewall Service has started successfully. | +| 5025 | The Windows Firewall Service has been stopped. | +| 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. | +| 5028 | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. | +| 5029 | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. | +| 5030 | The Windows Firewall Service failed to start. | +| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.| +| 5033 | The Windows Firewall Driver has started successfully. | +| 5034 | The Windows Firewall Driver has been stopped. | +| 5035 | The Windows Firewall Driver failed to start. | +| 5037 | The Windows Firewall Driver detected critical runtime error. Terminating.| +| 5058 | Key file operation. | +| 5059 | Key migration operation.| +| 6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content.| +| 6401 | BranchCache: Received invalid data from a peer. Data discarded. | +| 6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted.| +| 6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client. | +| 6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.| +| 6405 | BranchCache: %2 instance(s) of event id %1 occurred. 
| +| 6406 | %1 registered to Windows Firewall to control filtering for the following: %2| +| 6407 | 1% | +| 6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-pnp-activity.md b/windows/keep-secure/audit-pnp-activity.md index b0b235fa4c..aef1c0ae47 100644 --- a/windows/keep-secure/audit-pnp-activity.md +++ b/windows/keep-secure/audit-pnp-activity.md @@ -2,40 +2,32 @@ title: Audit PNP Activity (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device. ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit PNP Activity + **Applies to** - Windows 10 -\[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\] + This topic for the IT professional describes the advanced security audit policy setting, **Audit PNP Activity**, which determines when plug and play detects an external device. + A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a PC a PnP event is triggered. + Event volume: Varies, depending on how the computer is used + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

6416

A new external device was recognized by the system.

+ +| Event ID | Event message | +| - | - | +| 6416 | A new external device was recognized by the system. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-policy.md b/windows/keep-secure/audit-policy.md index 8456383cb7..87cf555f43 100644 --- a/windows/keep-secure/audit-policy.md +++ b/windows/keep-secure/audit-policy.md 
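Review bot: In the audit-other-system-events.md hunk, two rows of the new table need a second look before merge. Row 6407's message is `1%`, which is a transposed `%1` placeholder inherited from the old HTML table (rows 6405, 6406 and 6408 all use `%1`/`%2`); since every row is being rewritten anyway, check the text against the event source rather than carrying the typo through. Row 6405's closing `|` also lands on the line after the message text; if that line break is in the file rather than an artifact of the view, it splits the table row and breaks markdown rendering, so confirm the row sits on a single line. Minor style: some rows end with `.|` and others with `. |`; pick one spacing for the whole table.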
@@ -2,29 +2,36 @@ title: Audit Policy (Windows 10) description: Provides information about basic audit policies that are available in Windows and links to information about each setting. ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Policy + **Applies to** - Windows 10 + Provides information about basic audit policies that are available in Windows and links to information about each setting. + The security audit policy settings under **Security Settings\\Local Policies\\Audit Policy** provide broad security audit capabilities for client devices and servers that cannot use advanced security audit policy settings. + The basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** are: -[Audit account logon events](basic-audit-account-logon-events.md) -[Audit account management](basic-audit-account-management.md) -[Audit directory service access](basic-audit-directory-service-access.md) -[Audit logon events](basic-audit-logon-events.md) -[Audit object access](basic-audit-object-access.md) -[Audit policy change](basic-audit-policy-change.md) -[Audit privilege use](basic-audit-privilege-use.md) -[Audit process tracking](basic-audit-process-tracking.md) -[Audit system events](basic-audit-system-events.md) +- [Audit account logon events](basic-audit-account-logon-events.md) +- [Audit account management](basic-audit-account-management.md) +- [Audit directory service access](basic-audit-directory-service-access.md) +- [Audit logon events](basic-audit-logon-events.md) +- [Audit object access](basic-audit-object-access.md) +- [Audit policy change](basic-audit-policy-change.md) +- [Audit privilege use](basic-audit-privilege-use.md) +- [Audit process tracking](basic-audit-process-tracking.md) +- [Audit system events](basic-audit-system-events.md) + ## Related topics -[Configure security policy 
settings](how-to-configure-security-policy-settings.md) -[Security auditing](security-auditing-overview.md) + +- [Configure security policy settings](how-to-configure-security-policy-settings.md) +- [Security auditing](security-auditing-overview.md)     diff --git a/windows/keep-secure/audit-process-creation.md b/windows/keep-secure/audit-process-creation.md index 46977396e4..dbe4b6bc69 100644 --- a/windows/keep-secure/audit-process-creation.md +++ b/windows/keep-secure/audit-process-creation.md @@ -2,44 +2,34 @@ title: Audit Process Creation (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Process Creation + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Creation**, which determines whether the operating system generates audit events when a process is created (starts). + These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process. + Event volume: Low to medium, depending on system usage + Default: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

4688

A new process has been created.

4696

A primary token was assigned to a process.

+ +| Event ID | Event message | +| - | - | +| 4688 | A new process has been created.| +| 4696 | A primary token was assigned to a process.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-process-termination.md b/windows/keep-secure/audit-process-termination.md index ed81065dfb..4208a938c3 100644 --- a/windows/keep-secure/audit-process-termination.md +++ b/windows/keep-secure/audit-process-termination.md @@ -2,42 +2,37 @@ title: Audit Process Termination (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process. ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Process Termination + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Termination**, which determines whether the operating system generates audit events when an attempt is made to end a process. + Success audits record successful attempts and Failure audits record unsuccessful attempts. + If you do not configure this policy setting, no audit event is generated when a process ends. + This policy setting can help you track user activity and understand how the computer is used. + Event volume: Varies, depending on how the computer is used + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

4689

A process has exited.

-  + +| Event ID | Event message | +| - | - | +| 4689 | A process has exited. | + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-registry.md b/windows/keep-secure/audit-registry.md index e7b6bdba50..40ea22bf27 100644 --- a/windows/keep-secure/audit-registry.md +++ b/windows/keep-secure/audit-registry.md 
@@ -2,45 +2,37 @@ title: Audit Registry (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects. ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Registry + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Registry**, which determines whether the operating system generates audit events when users attempt to access registry objects. + Audit events are generated only for objects that have configured system access control lists (SACLs) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. -If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL. + +If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching +SACL. + Event volume: Low to medium, depending on how registry SACLs are configured + Default: Not configured - ---- - - - - - - - - - - - - - - - - -
Event IDEvent message

4657

A registry value was modified.

5039

A registry key was virtualized.

+ +| Event ID | Event message | +| - | - | +| 4657 | A registry value was modified. | +| 5039 | A registry key was virtualized. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-removable-storage.md b/windows/keep-secure/audit-removable-storage.md index d260df3000..1892857f3e 100644 --- a/windows/keep-secure/audit-removable-storage.md +++ b/windows/keep-secure/audit-removable-storage.md @@ -2,18 +2,24 @@ title: Audit Removable Storage (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Removable Storage + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines when there is a read or a write to a removable drive. + Event volume: Low + Default: Not configured + @@ -117,6 +123,7 @@ Default: Not configured
  ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-rpc-events.md b/windows/keep-secure/audit-rpc-events.md index 1fca2ed810..dfb512694b 100644 --- a/windows/keep-secure/audit-rpc-events.md +++ b/windows/keep-secure/audit-rpc-events.md @@ -2,39 +2,32 @@ title: Audit RPC Events (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit RPC Events + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit RPC Events**, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. + RPC is a technology for creating distributed client/server programs. RPC is an interprocess communication technique that enables client and server software to communicate. For more information, see [What Is RPC?](http://technet.microsoft.com/library/cc787851.aspx). + Event volume: High on RPC servers + Default: Not configured - ---- - - - - - - - - - - - - -
Event IDEvent message

5712

A Remote Procedure Call (RPC) was attempted.

+ +| Event ID | Event message | +| - | - | +| 5712 | A Remote Procedure Call (RPC) was attempted. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-sam.md b/windows/keep-secure/audit-sam.md index 47d6014e77..c682e87a89 100644 --- a/windows/keep-secure/audit-sam.md +++ b/windows/keep-secure/audit-sam.md 
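Review bot: In the audit-registry.md hunk, the rewritten paragraph on success and failure auditing wraps mid-sentence: the `+` line ends at `that has a matching` and the next `+` line is just `SACL.`. No other paragraph in this patch is hard-wrapped, so this is an editor artifact rather than an intended change; put the sentence back on one line to match the rest of the file.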
@@ -2,66 +2,52 @@ title: Audit SAM (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit SAM + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit SAM**, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. + The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer. + SAM objects include the following: + - SAM\_ALIAS: A local group - SAM\_GROUP: A group that is not a local group - SAM\_USER: A user account - SAM\_DOMAIN: A domain - SAM\_SERVER: A computer account + If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts. -**Note**   -Only the SACL for SAM\_SERVER can be modified. + +> **Note:**  Only the SACL for SAM\_SERVER can be modified.   Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events. + Event volume: High on domain controllers -**Note**   -For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698). 
+ +> **Note:**  For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698).   Default setting: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4659

A handle to an object was requested with intent to delete.

4660

An object was deleted.

4661

A handle to an object was requested.

4663

An attempt was made to access an object.

+ +| Event ID | Event message | +| - | - | +| 4659 | A handle to an object was requested with intent to delete.| +| 4660 | An object was deleted. | +| 4661 | A handle to an object was requested.| +| 4663 | An attempt was made to access an object.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-security-group-management.md b/windows/keep-secure/audit-security-group-management.md index e4ca2e798d..65d91ba967 100644 --- a/windows/keep-secure/audit-security-group-management.md +++ b/windows/keep-secure/audit-security-group-management.md 
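Review bot: In the audit-sam.md hunk, the context line `Default setting: Not configured` is left as is while every other topic in this patch uses `Default: Not configured`. The hunk already touches the adjacent lines to normalise the notes, so align this label too and the topics will read the same.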
@@ -2,103 +2,52 @@ title: Audit Security Group Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed. ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Security Group Management + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit Security Group Management**, which determines whether the operating system generates audit events when specific security group management tasks are performed. + Tasks for security group management include: + - A security group is created, changed, or deleted. - A member is added to or removed from a security group. - A group's type is changed. Security groups can be used for access control permissions and also as distribution lists. + Event volume: Low + Default: Success - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4727

A security-enabled global group was created.

4728

A member was added to a security-enabled global group.

4729

A member was removed from a security-enabled global group.

4730

A security-enabled global group was deleted.

4731

A security-enabled local group was created.

4732

A member was added to a security-enabled local group.

4733

A member was removed from a security-enabled local group.

4734

A security-enabled local group was deleted.

4735

A security-enabled local group was changed.

4737

A security-enabled global group was changed.

4754

A security-enabled universal group was created.

4755

A security-enabled universal group was changed.

4756

A member was added to a security-enabled universal group.

4757

A member was removed from a security-enabled universal group.

4758

A security-enabled universal group was deleted.

4764

A group's type was changed.

-  + +| Event ID | Event message | +| - | - | +| 4727 | A security-enabled global group was created. | +| 4728 | A member was added to a security-enabled global group. | +| 4729 | A member was removed from a security-enabled global group. | +| 4730 | A security-enabled global group was deleted. | +| 4731 | A security-enabled local group was created. | +| 4732 | A member was added to a security-enabled local group.| +| 4733 | A member was removed from a security-enabled local group.| +| 4734 | A security-enabled local group was deleted. | +| 4735 | A security-enabled local group was changed. | +| 4737 | A security-enabled global group was changed. | +| 4754 | A security-enabled universal group was created.| +| 4755 | A security-enabled universal group was changed. | +| 4756 | A member was added to a security-enabled universal group.| +| 4757 | A member was removed from a security-enabled universal group.| +| 4758 | A security-enabled universal group was deleted. | +| 4764 | A group's type was changed. | + ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-security-state-change.md b/windows/keep-secure/audit-security-state-change.md index 916b17b447..efda133f49 100644 --- a/windows/keep-secure/audit-security-state-change.md +++ b/windows/keep-secure/audit-security-state-change.md 
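Review bot: In the audit-security-group-management.md hunk, the third task bullet reads `- A group's type is changed. Security groups can be used for access control permissions and also as distribution lists.` The second sentence is a general statement about security groups, not a management task, so it is misplaced inside the list item; move it to its own paragraph after the list so the list stays to its three tasks.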
@@ -2,65 +2,44 @@ title: Audit Security State Change (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Security State Change + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security State Change**, which determines whether Windows generates audit events for changes in the security state of a system. + Changes in the security state of the operating system include: + - System startup and shutdown. - Change of system time. - System recovery from **CrashOnAuditFail**. This event is logged after a system reboots following **CrashOnAuditFail**. - **Important**   - Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**. + + > **Important:**  Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**.   System startup and shutdown events are important for understanding system usage. + Event volume: Low + Default: Success - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent Message SummaryMinimum Requirement

4608

Windows is starting up.

Windows Vista, Windows Server 2008

4609

Windows is shutting down.

Windows Vista, Windows Server 2008

4616

The system time was changed.

Windows Vista, Windows Server 2008

4621

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Windows Vista, Windows Server 2008

+ +| Event ID | Event message summary | Minimum requirement | +| - | - | - | +| 4608 | Windows is starting up. | Windows Vista, Windows Server 2008 | +| 4609 | Windows is shutting down. | Windows Vista, Windows Server 2008 | +| 4616 | The system time was changed.| Windows Vista, Windows Server 2008 | +| 4621 | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.| Windows Vista, Windows Server 2008 |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-security-system-extension.md b/windows/keep-secure/audit-security-system-extension.md index 2144df19fb..e605195736 100644 --- a/windows/keep-secure/audit-security-system-extension.md +++ b/windows/keep-secure/audit-security-system-extension.md 
@@ -2,62 +2,43 @@ title: Audit Security System Extension (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions. ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Security System Extension + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security System Extension**, which determines whether the operating system generates audit events related to security system extensions. + Changes to security system extensions in the operating system include the following activities: - A security extension code is loaded (such as an authentication, notification, or security package). A security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM. - A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. -**Important**   -Attempts to install or load security system extensions or services are critical system events that could indicate a security breach. + +> **Important:**  Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.   Event volume: Low + These events are expected to appear more on a domain controller than on client computers or member servers. 
+ Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4610

An authentication package has been loaded by the Local Security Authority.

4611

A trusted logon process has been registered with the Local Security Authority.

4614

A notification package has been loaded by the Security Account Manager.

4622

A security package has been loaded by the Local Security Authority.

4697

A service was installed in the system.

+ +| Event ID | Event message | +| - | - | +| 4610 | An authentication package has been loaded by the Local Security Authority. | +| 4611 | A trusted logon process has been registered with the Local Security Authority.| +| 4614 | A notification package has been loaded by the Security Account Manager. | +| 4622 | A security package has been loaded by the Local Security Authority. | +| 4697 | A service was installed in the system. |   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-sensitive-privilege-use.md b/windows/keep-secure/audit-sensitive-privilege-use.md index 5b79f7bf21..2c7cd5a902 100644 --- a/windows/keep-secure/audit-sensitive-privilege-use.md +++ b/windows/keep-secure/audit-sensitive-privilege-use.md 
@@ -2,63 +2,51 @@ title: Audit Sensitive Privilege Use (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Sensitive Privilege Use + **Applies to** - Windows 10 + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Sensitive Privilege Use**, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. + Actions that can be audited include: - A privileged service is called. - One of the following privileges is called: - **Act as part of the operating system** - **Back up files and directories** - **Create a token object** - **Debug programs** - **Enable computer and user accounts to be trusted for delegation** - **Generate security audits** - **Impersonate a client after authentication** - **Load and unload device drivers** - **Manage auditing and security log** - **Modify firmware environment values** - **Replace a process-level token** - **Restore files and directories** - **Take ownership of files or other objects** + - **Act as part of the operating system** + - **Back up files and directories** + - **Create a token object** + - **Debug programs** + - **Enable computer and user accounts to be trusted for delegation** + - **Generate security audits** + - **Impersonate a client after authentication** + - **Load and unload device drivers** + - **Manage auditing and security log** + - **Modify firmware environment values** + - **Replace a process-level token** + - **Restore files and directories** + - **Take ownership of files or other objects** + If you configure this 
policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts. + Event volume: High + Default: Not configured - ---- - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4672

Special privileges assigned to new logon.

4673

A privileged service was called.

4674

An operation was attempted on a privileged object.

+ +| Event ID | Event message | +| - | - | +| 4672 | Special privileges assigned to new logon.| +| 4673 | A privileged service was called. | +| 4674 | An operation was attempted on a privileged object.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 6d797a0b65..5ce9aeecf7 100644 --- a/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/keep-secure/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md 
@@ -2,18 +2,24 @@ title: Audit Shut down system immediately if unable to log security audits (Windows 10) description: Describes the best practices, location, values, management practices, and security considerations for the Audit Shut down system immediately if unable to log security audits security policy setting. ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit: Shut down system immediately if unable to log security audits + **Applies to** - Windows 10 + Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting. + ## Reference + The **Audit: Shut down system immediately if unable to log security audits** policy setting determines whether the system shuts down if it is unable to log security events. This policy setting is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log those events. Microsoft has chosen to meet this requirement by halting the system and displaying a Stop message in the case of a failure of the auditing system. Enabling this policy setting stops the system if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the value of **Retention method for security log** is **Do not overwrite events (clear log manually)** or **Overwrite events by days**. + With **Audit: Shut down system immediately if unable to log security audits** set to **Enabled**, if the security log is full and an existing entry cannot be overwritten, the following Stop message appears: @@ -28,72 +34,67 @@ With **Audit: Shut down system immediately if unable to log security audits** se
  To recover, you must log on, archive the log (optional), clear the log, and reset this option as desired. + If the computer is unable to record events to the security log, critical evidence or important troubleshooting information might not be available for review after a security incident. + ### Possible values + - Enabled - Disabled - Not defined + ### Best practices + - Depending on your security audit requirements, you can enable the **Audit: Shut down system immediately if unable to log security audits** setting to ensure that security auditing information is captured for review. However, enabling this setting will increase the number of events logged. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + ### Default values + The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Disabled

DC Effective Default Settings

Disabled

Member Server Effective Default Settings

Disabled

Client Computer Effective Default Settings

Disabled

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not defined +| Default Domain Controler Policy | Not defined +| Stand-Alone Server Default Settings | Disabled +| DC Effective Default Settings | Disabled +| Member Server Effective Default Settings | Disabled +| Client Computer Effective Default Settings | Disabled   ## Policy management + This section describes features and tools that are available to help you manage this policy. The administrative burden of enabling this policy setting can be very high, especially if you also set the **Retention method for security log** to **Do not overwrite events (clear log manually)**. This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial-of-service threat, because a server can be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security log. Additionally, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system will guarantee that the file system's integrity will be maintained during a sudden system shutdown, it cannot guarantee that every data file for every application will still be in a usable form when the system is restarted. + ### Restart requirement + None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. + ### Group Policy + Modifying this setting may affect compatibility with clients, services, and applications. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. 
+ ### Vulnerability + If the computer is unable to record events to the security event log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of security event log events to purposely force a shutdown. + ### Countermeasure + Enable the **Audit: Shut down system immediately if unable to log security audits** setting to ensure that security auditing information is captured for review. + ### Potential impact + If you enable this policy setting, the administrative burden can be significant, especially if you also configure the **Retention method for the Security log** to **Do not overwrite events** (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security event log. Also, because the shutdown is abrupt, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system maintains its integrity when this type of computer shutdown occurs, there is no guarantee that every data file for every application will still be in a usable form when the device restarts. + ## Related topics -[Security Options](security-options.md) + +- [Security Options](security-options.md)     diff --git a/windows/keep-secure/audit-special-logon.md b/windows/keep-secure/audit-special-logon.md index 5a3e24b4b7..439cf91d3d 100644 --- a/windows/keep-secure/audit-special-logon.md +++ b/windows/keep-secure/audit-special-logon.md 
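Review bot: In the new default-values table for audit-shut-down-system-immediately-if-unable-to-log-security-audits.md, `Default Domain Controler Policy` misspells "Controller" (the HTML row it replaces reads `Default Domain Controller Policy`), and the six data rows lack the closing `|` that the header and separator rows have. Add the trailing pipe to each row for consistency with the other tables in this patch, e.g. `| Default Domain Controller Policy | Not defined |`.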
@@ -2,43 +2,38 @@ title: Audit Special Logon (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit Special Logon + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Special Logon**, which determines whether the operating system generates audit events under special sign on (or log on) circumstances. + This security policy setting determines whether the operating system generates audit events when: + - A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - A member of a special group logs on. Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on. The administrator can set a list of group security identifiers (SIDs) in the registry. If any of these SIDs is added to a token during logon and this auditing subcategory is enabled, a security event is logged. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/p/?linkid=120183). + Users holding special privileges can potentially make changes to the system. We recommend that you track their activity. + Event volume: Low + Default: Success - ---- - - - - - - - - - - - - -
Event IDEvent message

4964

Special groups have been assigned to a new logon.

+ +| Event ID | Event message | +| - | - | +| 4964 | Special groups have been assigned to a new logon.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-system-integrity.md b/windows/keep-secure/audit-system-integrity.md index afe5957ade..dfc2666ebf 100644 --- a/windows/keep-secure/audit-system-integrity.md +++ b/windows/keep-secure/audit-system-integrity.md 
@@ -2,88 +2,51 @@ title: Audit System Integrity (Windows 10) description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem. ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit System Integrity + **Applies to** - Windows 10 - Windows 10 Mobile + This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit System Integrity**, which determines whether the operating system audits events that violate the integrity of the security subsystem. + Activities that violate the integrity of the security subsystem include the following: + - Audited events are lost due to a failure of the auditing system. - A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space. - A remote procedure call (RPC) integrity violation is detected. - A code integrity violation with an invalid hash value of an executable file is detected. - Cryptographic tasks are performed. -**Important**   -Violations of security subsystem integrity are critical and could indicate a potential security attack. + +> **Important:**  Violations of security subsystem integrity are critical and could indicate a potential security attack.   Event volume: Low + Default: Success and failure - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4612

Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

4615

Invalid use of LPC port.

4618

A monitored security event pattern has occurred.

4816

RPC detected an integrity violation while decrypting an incoming message.

5038

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

5056

A cryptographic self-test was performed.

5057

A cryptographic primitive operation failed.

5060

Verification operation failed.

5061

Cryptographic operation.

5062

A kernel-mode cryptographic self-test was performed.

6281

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

+ +| Event ID | Event message | +| - | - | +| 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. | +| 4615 | Invalid use of LPC port. | +| 4618 | A monitored security event pattern has occurred.| +| 4816 | RPC detected an integrity violation while decrypting an incoming message.| +| 5038 | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.| +| 5056 | A cryptographic self-test was performed. | +| 5057 | A cryptographic primitive operation failed.| +| 5060 | Verification operation failed. | +| 5061 | Cryptographic operation. | +| 5062 | A kernel-mode cryptographic self-test was performed.| +| 6281 | Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-user-account-management.md b/windows/keep-secure/audit-user-account-management.md index 1a863efc9a..1f05f3085b 100644 --- a/windows/keep-secure/audit-user-account-management.md +++ b/windows/keep-secure/audit-user-account-management.md 
@@ -2,106 +2,56 @@ title: Audit User Account Management (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed. ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit User Account Management + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit User Account Management**, which determines whether the operating system generates audit events when specific user account management tasks are performed. + Tasks that are audited for user account management include: + - A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked. - A user account password is set or changed. - Security identifier (SID) history is added to a user account. - The Directory Services Restore Mode password is set. - Permissions are changed on accounts that are members of administrator groups. - Credential Manager credentials are backed up or restored. + This policy setting is essential for tracking events that involve provisioning and managing user accounts. + Event volume: Low + Default: Success - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Event IDEvent message

4720

A user account was created.

4722

A user account was enabled.

4723

An attempt was made to change an account's password.

4724

An attempt was made to reset an account's password.

4725

A user account was disabled.

4726

A user account was deleted.

4738

A user account was changed.

4740

A user account was locked out.

4765

SID History was added to an account.

4766

An attempt to add SID History to an account failed.

4767

A user account was unlocked.

4780

The ACL was set on accounts which are members of administrators groups.

4781

The name of an account was changed:

4794

An attempt was made to set the Directory Services Restore Mode.

5376

Credential Manager credentials were backed up.

5377

Credential Manager credentials were restored from a backup.

+ +| Event ID | Event message | +| - | - | +| 4720 | A user account was created. | +| 4722 | A user account was enabled. | +| 4723 | An attempt was made to change an account's password.| +| 4724 | An attempt was made to reset an account's password. | +| 4725 | A user account was disabled. | +| 4726 | A user account was deleted. | +| 4738 | A user account was changed. | +| 4740 | A user account was locked out.| +| 4765 | SID History was added to an account.| +| 4766 | An attempt to add SID History to an account failed.| +| 4767 | A user account was unlocked. | +| 4780 | The ACL was set on accounts which are members of administrators groups.| +| 4781 | The name of an account was changed: | +| 4794 | An attempt was made to set the Directory Services Restore Mode.| +| 5376 | Credential Manager credentials were backed up. | +| 5377 | Credential Manager credentials were restored from a backup.|   ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/audit-user-device-claims.md b/windows/keep-secure/audit-user-device-claims.md index 29bc724e09..254bfb2c7d 100644 --- a/windows/keep-secure/audit-user-device-claims.md +++ b/windows/keep-secure/audit-user-device-claims.md 
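Review bot: The row `| 4781 | The name of an account was changed: |` in audit-user-account-management.md carries the trailing colon over from the old HTML cell; since every row is being rewritten anyway, drop it so the message ends with a period like the neighbouring entries (`The name of an account was changed.`).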
@@ -2,18 +2,24 @@ title: Audit User/Device Claims (Windows 10) description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Audit User/Device Claims + **Applies to** - Windows 10 + This topic for the IT professional describes the advanced security audit policy setting, **Audit User/Device Claims**, which enables you to audit security events that are generated by user and device claims. + Event volume: + Default: Not configured + @@ -52,6 +58,7 @@ Default: Not configured
  ## Related topics -[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + +- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)     diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md index 6e95c6fea2..2cddb14842 100644 --- a/windows/keep-secure/back-up-files-and-directories.md +++ b/windows/keep-secure/back-up-files-and-directories.md 
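Review bot: `Event volume:` in audit-user-device-claims.md is left with no value (it is an unchanged context line, with blank lines added around it), while every other subcategory topic in this patch states a volume such as Low or High; since this file is being reformatted, either supply the value or remove the dangling label rather than publish an empty field.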
@@ -2,108 +2,109 @@ title: Back up files and directories (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Back up files and directories + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting. + ## Reference + This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a backup tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply. + This user right is similar to granting the following permissions to the user or group you have selected on all files and folders on the system: + - Traverse Folder/Execute File - List Folder/Read Data - Read Attributes - Read Extended Attributes - Read Permissions + Default on workstations and servers: + - Administrators - Backup Operators + Default on domain controllers: + - Administrators - Backup Operators - Server Operators + Constant: SeBackupPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + 1. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users. 2. 
If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment + ### Default values + By default, this right is granted to Administrators and Backup Operators on workstations and servers. On domain controllers, Administrators, Backup Operators, and Server Operators have this right. + The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server type or GPODefault value

Default Domain Policy

Not Defined

Default Domain Controller Policy

Administrators

-

Backup Operators

-

Server Operators

Stand-Alone Server Default Settings

Administrators

-

Backup Operators

Domain Controller Effective Default Settings

Administrators

-

Backup Operators

-

Server Operators

Member Server Effective Default Settings

Administrators

-

Backup Operators

Client Computer Effective Default Settings

Administrators

-

Backup Operators

+ +| Server type or GPO | Default value | +| - | - | +| Default Domain Policy | Not Defined | +| Default Domain Controller Policy | Administrators
Backup Operators
Server Operators| +| Stand-Alone Server Default Settings | Administrators
Backup Operators| +| Domain Controller Effective Default Settings | Administrators
Backup Operators
Server Operators| +| Member Server Effective Default Settings | Administrators
Backup Operators| +| Client Computer Effective Default Settings | Administrators
Backup Operators|   ## Policy management + A restart of the device is not required for this policy setting to be effective. + Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. + ### Group Policy + Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: + 1. Local policy settings 2. Site policy settings 3. Domain policy settings 4. OU policy settings + When a local setting is greyed out, it indicates that a GPO currently controls that setting. + ## Security considerations + This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + ### Vulnerability + Users who can back up data from a device could take the backup media to a non-domain computer on which they have administrative privileges, and then restore the data. They could take ownership of the files and view any unencrypted data that is contained within the backup set. + ### Countermeasure + Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. + ### Potential impact + Changes in the membership of the groups that have the **Back up files and directories** user right could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that authorized backup administrators can still perform backup operations. + ## Related topics -[User Rights Assignment](user-rights-assignment.md) + +- [User Rights Assignment](user-rights-assignment.md)     
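Review bot: In the new markdown table for back-up-files-and-directories.md, the multi-value cells are split across lines as the hunk reads (`| Default Domain Controller Policy | Administrators`, `Backup Operators`, `Server Operators|`); if those are literal line breaks in the file, a GFM table row must be a single line and these rows will not render as a table. Join each cell onto one line, separating the groups with `<br>` (or a comma list), e.g. `| Default Domain Controller Policy | Administrators<br>Backup Operators<br>Server Operators |`.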
diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md index 4d05da9992..5f6f426691 100644 --- a/windows/plan/chromebook-migration-guide.md +++ b/windows/plan/chromebook-migration-guide.md 
@@ -2,45 +2,60 @@ title: Chromebook migration guide (Windows 10) description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA -ms.pagetype: edu; devices -keywords: ["migrate", "automate", "device"] +keywords: migrate, automate, device ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library +ms.pagetype: edu; devices author: craigash + --- # Chromebook migration guide + **Applies to** - Windows 10 -In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. -## Plan Chromebook migration -Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. -In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. -## Plan for app migration or replacement -App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. 
At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. -**Identify the apps currently in use on Chromebook devices** -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). -**Note**   -The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. -<<<<<<< HEAD -  -======= ->>>>>>> master +In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. + +## Plan Chromebook migration + +Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. + +In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. 
+ +## Plan for app migration or replacement + +App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. + +**Identify the apps currently in use on Chromebook devices** + +Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). + +> **Note**  The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. + You can divide the apps into the following categories: + - **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio. - **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use). + Record the following information about each app in your app portfolio: + - App name - App type (such as offline app, online app, web app, and so on) - App publisher or developer - App version currently in use - App priority (how necessary is the app to the day-to-day process of the institution or a classroom? 
Rank as high, medium, or low) + Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. + ### + **Select Google Apps replacements** + Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device. + Table 1. Google App replacements + | If you use this Google app on a Chromebook | Use this app on a Windows device | |--------------------------------------------|--------------------------------------| | Google Docs | Word 2016 or Word Online | 
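Review bot: the new blockquote in the `@@ -2,45 +2,60 @@` hunk links to `[Perform app compatibility testing for web apps](#perform-testing-webapps)`, but nothing in this file produces that id, and the same hunk introduces the pattern that causes it: an empty `###` line followed by a separate bold paragraph (`###` on its own line, then `**Select Google Apps replacements**`). An empty `###` renders as a blank level-3 heading and a bold paragraph gets no id, so the fragment links resolve nowhere. Suggest folding each title into its heading (`### Select Google Apps replacements`) and pointing the links at the id a renderer generates from that text, or keeping the bold label and placing an explicit anchor beside it. Dropping the leftover `<<<<<<< HEAD` / `=======` / `>>>>>>> master` markers is the right fix for that part of the hunk.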
@@ -52,25 +67,45 @@ Table 1. Google App replacements | Google Drive | Microsoft OneDrive for Business |   It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. + **Find the same or similar apps in the Windows Store** + In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. + In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. + Record the Windows app that replaces the Chromebook app in your app portfolio. + ### + **Perform app compatibility testing for web apps** + The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. + Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. + ## Plan for migration of user and device settings + Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. 
You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. + However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. + In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. +At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. If this is the +case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. + **Identify Google Admin Console settings to migrate** + You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. 
Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. + ![figure 1](images/chromebook-fig1-googleadmin.png) + Figure 1. Google Admin Console + Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. + Table 2. Settings in the Device Management node in the Google Admin Console + @@ -119,7 +154,9 @@ Table 2. Settings in the Device Management node in the Google Admin Console
  Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. + Table 3. Settings in the Security node in the Google Admin Console + @@ -157,12 +194,17 @@ Table 3. Settings in the Security node in the Google Admin Console
  **Identify locally-configured settings to migrate** + In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). + ![figure 2](images/fig2-locallyconfig.png) + Figure 2. Locally-configured settings on Chromebook + Table 4. Locally-configured settings -| Section | Settings | -|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + +| Section | Settings | +| - | - | | Internet connections | These settings configure the Internet connection for the devices, such as Wi-Fi and VPN connections. Record the network connection currently in use and configure the Windows device to use the same network connection settings. | | Appearances | These settings affect the appearance of the desktop. Record the wallpaper image file that is used. Migrate the image file to the Windows device and configure as the user’s wallpaper to maintain similar user experience. | | Search | These settings configure which search engine is used to search for content. Record this setting so that you can use as the search engine on the Windows device. | 
@@ -184,91 +226,149 @@ Table 4. Locally-configured settings   Determine how many users have similar settings and then consider managing those settings centrally. For example, a large number of users may have many of the same Chrome web browser settings. You can centrally manage these settings in Windows after migration. Also, as a part of this planning process, consider settings that may not be currently managed centrally, but should be managed centrally. Record the settings that are currently being locally managed, but you want to manage centrally after the migration. + **Prioritize settings to migrate** + After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. + ## Plan for email migration + Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). + **Identify the list of user mailboxes to migrate** + In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. 
However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. + Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. + Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](http://go.microsoft.com/fwlink/p/?LinkId=690253). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. + **Identify companion devices that access Google Apps Gmail** + In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. + After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. + In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. 
For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690254). **Identify the optimal timing for the migration** + Typically, the best time to perform the migration is between academic years or during semester breaks. Select the time of least activity for your institution. And during that time, the optimal time to perform the migration might be during an evening or over a weekend. + Ensure that you communicate the time the migration will occur to your users well in advance. Also, ensure that users know how to access their Office 365 email after the migration is complete. Finally, ensure that your users know how to perform the common tasks they performed in Google Apps Gmail in Office 365 and/or Outlook 2016. + ## Plan for cloud storage migration + Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. + In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. + **Identify cloud storage services currently in use** + Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. 
For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: - Name of the cloud storage service - Cloud storage service vendor - Associated licensing costs or fees - Approximate storage currently in use per user + Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. + **Optimize cloud storage services migration plan** + Now that you know the current cloud storage services configuration, you need to optimize your cloud storage services migration plan for Microsoft OneDrive for Business. Optimization helps ensure that your use only the cloud storage services resources that are necessary for your requirements. + Consider the following to help optimize your cloud storage services migration plan: + - **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. - **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. - **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. + Record your optimization changes in your cloud storage services migration plan. 
+ ## Plan for cloud services migration + Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. + In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. + ### + **Identify cloud services currently in use** + You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: - Cloud service name - Cloud service provider - Number of users that use the cloud service + **Select cloud services to migrate** + One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. + Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: - **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. 
- **Online apps offer better document compatibility.** Microsoft Office online apps (such as Word Online and Excel Online) provide the highest level of compatibility with Microsoft Office documents. The Office online apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office online app from any device with Internet connectivity. - **Reduce licensing costs.** If you pay for Office 365 licenses, then Office 365 apps and cloud storage are included in those licenses. Although you could keep existing cloud services, you probably would pay more to keep those services. - **Improve storage capacity and cross-platform features.** Microsoft cloud services provide competitive storage capacity and provide more Windows-centric features than other cloud services providers. While the Microsoft cloud services user experience is highly optimized for Windows devices, Microsoft cloud services are also highly optimized for companion devices (such as iOS or Android devices). Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify-cloud-services-inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan-windevice-deploy) section. Also, skip the [Perform cloud services migration](#perform-cloud-services-migration) section later in this guide. + **Prioritize cloud services** + After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. 
Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. + Focus on the migration of higher priority cloud services first and put less effort into the migration of lower priority cloud services. There may be some cloud services that are unnecessary and you can remove them from your list of cloud services to migrate entirely. Record the cloud service migration priority in the list of cloud services you plan to migrate. + ### + **Select cloud services migration strategy** + When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. + Consider the following when you create your cloud services migration strategy: + - **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses. - **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. - **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. 
In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. - **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. - **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. - **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. + ## Plan for Windows device deployment + You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. 
+ In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. + ### + **Select a Windows device deployment strategy** + What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. + For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: + - **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. - **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. - **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. 
- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. - **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. + If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. + Record the combination of Windows device deployment strategies that you selected. + ### + **Plan for AD DS and Azure AD services** + The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. + In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). 
If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD. + Table 5. Select on-premises AD DS, Azure AD, or hybrid + @@ -325,11 +425,15 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid
  ### + **Plan device, user, and app management** + You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan. + Table 6. Device, user, and app management products and technologies + @@ -437,34 +541,61 @@ Table 6. Device, user, and app management products and technologies
  You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. + Record the device, user, and app management products and technologies that you selected. + ### + **Plan network infrastructure remediation** + In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices. + Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary: + - **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. + However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. + - **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. + If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. 
+ - **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices. + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. + - **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. + However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. + For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: + - [Chromebook vs. Windows Notebook Network Traffic Analysis](http://go.microsoft.com/fwlink/p/?LinkId=690255) - [Hidden Cost of Chromebook Deployments](http://go.microsoft.com/fwlink/p/?LinkId=690256) - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](http://go.microsoft.com/fwlink/p/?LinkId=690257) + - **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. + If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. 
+ At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. + ## Perform Chromebook migration + Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. + In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. + You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. + ## Perform network infrastructure remediation + The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. + It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. + Table 7. Network infrastructure products and technologies and deployment resources + @@ -495,10 +626,14 @@ Table 7. Network infrastructure products and technologies and deployment resourc
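Review bot: "teachers, facility, or students" in the added "Plan device, user, and app management" paragraph should be "faculty"; as written it refers to buildings. Same hunk, Internet bandwidth bullet: the "up to 700 times more" figure is stated as fact three paragraphs before the comparison resources that support it; attach the citation to the sentence that makes the claim (for example "up to 700 times more, according to the network traffic analyses listed below") so a reader does not take it as an unqualified number.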
  If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. + ## Perform AD DS and Azure AD services deployment or remediation + It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. + Table 8. AD DS, Azure AD and deployment resources + 
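Review bot: "Table 8 list AD DS, Azure AD, and the deployment resources for both" should read "Table 8 lists"; and "in place and up to necessary expectations" is vague, "in place and meeting the requirements you identified in that section" says what the sentence means.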
@@ -531,9 +666,13 @@ Table 8. AD DS, Azure AD and deployment resources   If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. ## Prepare device, user, and app management systems + In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. + Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. + Table 9. Management systems and deployment resources +
@@ -587,10 +726,15 @@ Table 9. Management systems and deployment resources
  If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. + ## Perform app migration or replacement + In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. + In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. + Table 10. Management systems and app deployment resources + @@ -629,60 +773,81 @@ Table 10. Management systems and app deployment resources
  If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. + ## Perform migration of user and device settings + In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. + Perform the user and device setting migration by using the following steps: + 1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune). 2. From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure device-specific setting for higher priority settings. 3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure user-specific setting for higher priority settings. 4. Verify that all higher-priority user and device settings have been configured in your management system. + If you do no want to migrate any user or device settings from the Chromebook devices to the Windows devices, you can skip this section. + ## Perform email migration + In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices. 
+ Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690252). + Alternatively, if you want to migrate to Office 365 from: - **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server: - [Cutover Exchange Migration and Single Sign-On](http://go.microsoft.com/fwlink/p/?LinkId=690266) - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690267) - [Step-By-Step: Migrating from Exchange 2007 to Office 365](http://go.microsoft.com/fwlink/p/?LinkId=690268) - **Another on-premises or cloud-based email service.** Follow the guidance from that vendor. + ## Perform cloud storage migration + In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. + Manually migrate the cloud storage migration by using the following steps: + 1. Install both Google Drive app and OneDrive for Business or OneDrive app on a device. 2. Sign in as the user in the Google Drive app. 3. Sign in as the user in the OneDrive for Business or OneDrive app. 4. Copy the data from the Google Drive storage to the OneDrive for Business or OneDrive storage. 5. Optionally uninstall the Google Drive app. + There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. For more information about these automated migration tools, contact the vendors. 
+ ## Perform cloud services migration -<<<<<<< HEAD + In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. -======= - -In the [Plan for cloud services migration](#plan-cloud-services) section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. - ->>>>>>> master Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. + There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. + ## Perform Windows device deployment + In the [Select a Windows device deployment strategy](#select-windows-device-deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan-windevice-deploy) section have already been performed. Now it's time to deploy the actual devices. + For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices. 
-In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy Windows 10 images to the devices, see the following resources: + +In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy +Windows 10 images to the devices, see the following resources: + - [Windows Imaging and Configuration Designer](http://go.microsoft.com/fwlink/p/?LinkId=733911) - [Build and apply a provisioning package](http://go.microsoft.com/fwlink/p/?LinkId=733918) - [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](http://go.microsoft.com/fwlink/p/?LinkId=690324) - [Step-By-Step: Installing Windows 8.1 From A USB Key](http://go.microsoft.com/fwlink/p/?LinkId=690265) - [Operating System Deployment in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=733916) + In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment: + - Enroll the device with your management system. - Ensure that Windows Defender is enabled and configured to receive updates. - Ensure that Windows Update is enabled and configured to receive updates. - Deploy any apps that you want the user to immediately be able to access when they start the device (such as Word 2016 or Excel 2016). + After you complete these steps, your management system should take over the day-to-day maintenance tasks for the Windows 10 devices. Verify that the user and device settings migrated correctly as you deploy each batch of Windows 10 devices. 
Continue this process until you deploy all Windows 10 devices. + ## Related topics -[Try it out: Windows 10 deployment (for education)](http://go.microsoft.com/fwlink/p/?LinkId=623254) -[Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255) +- [Try it out: Windows 10 deployment (for education)](http://go.microsoft.com/fwlink/p/?LinkId=623254) +- [Try it out: Windows 10 in the classroom](http://go.microsoft.com/fwlink/p/?LinkId=623255)     From e0269383f5a64c1590f3608845de597f122a52e0 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 19 May 2016 15:02:49 -0700 Subject: [PATCH 05/16] fixing errors --- devices/surface-hub/TOC.md | 2 +- .../i-am-done-finishing-your-surface-hub-meeting.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index ea7471374a..57c833cdd0 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -20,7 +20,7 @@ #### [Accessibility](accessibility-surface-hub.md) #### [Change the Surface Hub device account](change-surface-hub-device-account.md) #### [Device reset](device-reset-suface-hub.md) -#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your -surface-hub-meeting.md) +#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md) #### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) #### [Manage settings with a local admin account](manage-settings-with-local-admin-account-surface-hub.md) #### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md index 4e46440aa0..d724b7651b 100644 --- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md +++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md 
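Review bot: the conflict resolution in the "Perform cloud services migration" hunk keeps the HEAD copy of the sentence, which is missing the space in "(#plan-cloud-services)section"; the discarded master copy ("(#plan-cloud-services) section") is the correct one, so drop the markers but keep that line. Also in this hunk: "If you do no want to migrate" should be "do not"; "The other migration task that you designed ... have already been performed" needs "tasks"; and the added text breaks "For information on how to deploy" / "Windows 10 images to the devices" across two lines, which renders as one paragraph but is unlike every other paragraph in the file, so put it back on one line.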
@@ -1,6 +1,6 @@ --- title: I'm done - ending a Surface Hub meeting (Surface Hub) -description: To end a Surface Hub meeting, tap I'm Done. Surface Hub cleans up the spplication state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. +description: To end a Surface Hub meeting, tap I'm Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. keywords: ["I"m Done", "end Surface Hub meeting", "finish Surface Hub meeting", "clean up Surface Hub meeting"] author: TrudyHa --- @@ -75,13 +75,13 @@ Accessibility features and apps are returned to default settings when **I'm Done The clipboard is cleared to remove data that was copied to the clipboard during the session. ## Frequently asked questions -**What happens if I forget to tap **I'm Done** at the end of a meeting, and someone else uses the Surface Hub later?**
+**What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**
When you don't tap **I"m Done** at the end of your meeting, Surface Hub enters a Resume state. This is similar to leaving content on a whiteboard in a meeting room, and forgetting to erase the whiteboard. When you return to the meeting room, that content will still be on the whiteboard unless someone erarses it. With Surface Hub, meeting content is still available if an attendee doesn't tap **I'm Done**. However, Surface Hub removes all meeting data during daily maintenance. Any meeting that wasn't ended with **I'm Done** will be cleaned up during maintenance. **Are documents recoverable?**
Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. 3rd-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. -**Do the clean-up actions from **I'm Done** comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
+**Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
No. Currently, the clean-up actions from **I'm Done** do not comply with this standard. \ No newline at end of file From 5e41c41448e98ad6209f7b0b63a66227fa6c79e5 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 19 May 2016 15:34:22 -0700 Subject: [PATCH 06/16] fixing YAML block --- .../i-am-done-finishing-your-surface-hub-meeting.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md index d724b7651b..c12785567d 100644 --- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md +++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md @@ -1,7 +1,7 @@ --- -title: I'm done - ending a Surface Hub meeting (Surface Hub) -description: To end a Surface Hub meeting, tap I'm Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. -keywords: ["I"m Done", "end Surface Hub meeting", "finish Surface Hub meeting", "clean up Surface Hub meeting"] +title: 'I'm done - ending a Surface Hub meeting (Surface Hub)' +description: 'To end a Surface Hub meeting, tap I'm Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting.' +keywords: 'I"m Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting' author: TrudyHa --- From 159fb993f4ee60f6b4ef07f575d1597df06feeb1 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 19 May 2016 16:04:08 -0700 Subject: [PATCH 07/16] fixing YAML block --- .../i-am-done-finishing-your-surface-hub-meeting.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md index c12785567d..02819a1963 100644 
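Review bot: two errors survive in this hunk's own context lines even though the commit is "fixing errors": "When you don't tap **I"m Done**" has a straight double quote in place of the apostrophe, and "unless someone erarses it" should be "erases". The two answers this section exists for, that deleted files may still be recoverable by third-party tools and that **I'm Done** does not meet DoD 5220.22-M, are untouched, which is right; only the nested-bold question lines needed the change.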
--- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md +++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md @@ -1,7 +1,7 @@ --- -title: 'I'm done - ending a Surface Hub meeting (Surface Hub)' -description: 'To end a Surface Hub meeting, tap I'm Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting.' -keywords: 'I"m Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting' +title: I am done - ending a Surface Hub meeting +description: To end a Surface Hub meeting, tap I am Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. +keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting author: TrudyHa --- From 15e9cedb168240e5ed9bbc745d444d37e9ac364c Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 19 May 2016 16:18:36 -0700 Subject: [PATCH 08/16] fixing spacing issues --- ...advanced-security-audit-policy-settings.md | 48 +- ...ackup-tpm-recovery-information-to-ad-ds.md | 90 +- .../basic-audit-account-logon-events.md | 14 +- .../basic-audit-account-management.md | 262 +--- .../basic-audit-directory-service-access.md | 19 +- .../keep-secure/basic-audit-logon-events.md | 41 +- .../keep-secure/basic-audit-object-access.md | 257 +--- .../keep-secure/basic-audit-policy-change.md | 160 +-- .../keep-secure/basic-audit-privilege-use.md | 53 +- .../basic-audit-process-tracking.md | 91 +- .../keep-secure/basic-audit-system-events.md | 84 +- .../basic-security-audit-policies.md | 47 +- .../basic-security-audit-policy-settings.md | 71 +- .../keep-secure/bcd-settings-and-bitlocker.md | 1119 +++-------------- .../keep-secure/bitlocker-basic-deployment.md | 197 ++- 15 files changed, 760 insertions(+), 1793 deletions(-) 
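Review bot: the front matter is now valid YAML only because the apostrophes were removed, and "I am done" / "I am Done" no longer match the UI label **I'm Done** that the page body uses, so the page title and search keywords will not contain the feature's real name. The previous attempt in this series failed because a single-quoted scalar needs the apostrophe doubled (`'I''m done'`); a double-quoted scalar avoids that entirely: `title: "I'm done - ending a Surface Hub meeting"` and `keywords: "I'm Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting"`, which also drops the stray `I"m` from the original keywords line.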
diff --git a/windows/keep-secure/advanced-security-audit-policy-settings.md b/windows/keep-secure/advanced-security-audit-policy-settings.md index 5f82176445..5b5faf0b14 100644 --- a/windows/keep-secure/advanced-security-audit-policy-settings.md +++ b/windows/keep-secure/advanced-security-audit-policy-settings.md 
@@ -2,52 +2,74 @@ title: Advanced security audit policy settings (Windows 10) description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Advanced security audit policy settings + **Applies to** - Windows 10 + This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. + The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as: + - A group administrator has modified settings or data on servers that contain finance information. - An employee within a defined group has accessed an important file. - The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access. + You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy. + These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. 
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories: + **Account Logon** + Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories: + - [Audit Credential Validation](audit-credential-validation.md) - [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) - [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) - [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) + **Account Management** + The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories: + - [Audit Application Group Management](audit-application-group-management.md) - [Audit Computer Account Management](audit-computer-account-management.md) - [Audit Distribution Group Management](audit-distribution-group-management.md) - [Audit Other Account Management Events](audit-other-account-management-events.md) - [Audit Security Group Management](audit-security-group-management.md) - [Audit User Account Management](audit-user-account-management.md) + **Detailed Tracking** + Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. 
This category includes the following subcategories: + - [Audit DPAPI Activity](audit-dpapi-activity.md) - [Audit PNP activity](audit-pnp-activity.md) - [Audit Process Creation](audit-process-creation.md) - [Audit Process Termination](audit-process-termination.md) - [Audit RPC Events](audit-rpc-events.md) + **DS Access** + DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories: + - [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md) - [Audit Directory Service Access](audit-directory-service-access.md) - [Audit Directory Service Changes](audit-directory-service-changes.md) - [Audit Directory Service Replication](audit-directory-service-replication.md) + **Logon/Logoff** + Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories: + - [Audit Account Lockout](audit-account-lockout.md) - [Audit User/Device Claims](audit-user-device-claims.md) - [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md) 
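Review bot: the Account Logon list in this hunk ends with "Audit Other Logon/Logoff Events", which is a Logon/Logoff subcategory and is listed again under Logon/Logoff further down; the fourth Account Logon subcategory (as auditpol reports it) is "Other Account Logon Events". The whitespace changes are fine, but while this list is being touched the entry and its link target should be corrected, otherwise a reader enabling the four Account Logon subcategories from this page enables the wrong one.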
@@ -59,10 +81,15 @@ Logon/Logoff security policy settings and audit events allow you to track attemp - [Audit Network Policy Server](audit-network-policy-server.md) - [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) - [Audit Special Logon](audit-special-logon.md) + **Object Access** + Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. + Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess). + This category includes the following subcategories: + - [Audit Application Generated](audit-application-generated.md) - [Audit Certification Services](audit-certification-services.md) - [Audit Detailed File Share](audit-detailed-file-share.md) 
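Review bot: "the appropriate object Aaccess auditing subcategory" in the Object Access paragraph has a doubled letter ("object access"). Worth a clause in the same sentence: enabling the File System or Registry subcategory only turns auditing on; an event is generated for a given file or key only if that object (or the Global Object Access Auditing policy) carries a matching SACL, which is what the following paragraph about proving SACLs are set assumes but never states.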
@@ -77,35 +104,46 @@ This category includes the following subcategories: - [Audit Removable Storage](audit-removable-storage.md) - [Audit SAM](audit-sam.md) - [Audit Central Access Policy Staging](audit-central-access-policy-staging.md) + **Policy Change** + Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes or attempts to change these policies can be an important aspect of security management for a network. This category includes the following subcategories: + - [Audit Audit Policy Change](audit-audit-policy-change.md) - [Audit Authentication Policy Change](audit-authentication-policy-change.md) - [Audit Authorization Policy Change](audit-authorization-policy-change.md) - [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md) - [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) - [Audit Other Policy Change Events](audit-other-policy-change-events.md) + **Privilege Use** + Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories: + - [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md) - [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) - [Audit Other Privilege Use Events](audit-other-privilege-use-events.md) + **System** + System security policy settings and audit events allow you to track system-level changes to a computer that are not included in other categories and that have potential security implications. 
This category includes the following subcategories: + - [Audit IPsec Driver](audit-ipsec-driver.md) - [Audit Other System Events](audit-other-system-events.md) - [Audit Security State Change](audit-security-state-change.md) - [Audit Security System Extension](audit-security-system-extension.md) - [Audit System Integrity](audit-system-integrity.md) + **Global Object Access** + Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type. Auditors will be able to prove that every resource in the system is protected by an audit policy by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect. + Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access. -**Note**   -If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy. 
+ +> **Note:**  If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object +Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.   This category includes the following subcategories: - [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md) - [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) -  -  diff --git a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md index dfc256208f..5f46d91a0d 100644 --- a/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/keep-secure/backup-tpm-recovery-information-to-ad-ds.md 
@@ -2,90 +2,128 @@ title: Backup the TPM recovery Information to AD DS (Windows 10) description: This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer. ms.assetid: 62bcec80-96a1-464e-8b3f-d177a7565ac5 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Backup the TPM recovery Information to AD DS + **Applies to** - Windows 10 + This topic for the IT professional describes how to back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS) so that you can use AD DS to administer the TPM from a remote computer. + ## About administering TPM remotely + Backing up the TPM owner information for a computer allows administrators in a domain to remotely configure the TPM security hardware on the local computer. For example, administrators might want to reset the TPM to the manufacturer’s defaults when they decommission or repurpose computers, without having to be present at the computer. + You can use AD DS to store TPM owner information for use in recovery situations where the TPM owner has forgotten the password or where you must take control of the TPM. There is only one TPM owner password per computer; therefore, the hash of the TPM owner password can be stored as an attribute of the computer object in AD DS. The attribute has the common name (CN) of **ms-TPM-OwnerInformation**. -**Note**   -The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64–encoded. The actual owner password is not stored. 
+ +> **Note:**  The TPM owner authorization value is stored in AD DS, and it is present in a TPM owner password file as a SHA-1 hash of the TPM owner password, which is base 64–encoded. The actual owner password is not stored.   Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). + This topic contains procedures, some of which are dependent on Visual Basic scripts, to recover TPM information and decommission TPM on remote computers. Sample scripts are available, which you can customize to meet the requirements of your environment. + In this topic: + 1. [Check status of prerequisites](#bkmk-prereqs) 2. [Set permissions to back up password information](#bkmk-setperms) 3. [Configure Group Policy to back up TPM recovery information in AD DS](#bkmk-configuregp) 4. [Use AD DS to recover TPM information](#bkmk-useit) 5. [Sample scripts](#bkmk-adds-tpm-scripts) + ## Check status of prerequisites + Before you begin your backup, ensure that the following prerequisites are met: + 1. All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema. - **Tip**   - For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md). 
+ + > **Tip:**  For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).   2. You have domain administrator rights in the target forest, or you are using an account that has been granted appropriate permissions to extend the schema for the target forest. Members of the Enterprise Admins or Schema Admins groups are examples of accounts that have the appropriate permissions. + ## Set permissions to back up password information + This procedure uses the sample script [Add-TPMSelfWriteACE.vbs](#bkmk-add-tpmselfwriteace) to add an access control entry (ACE) so that backing up TPM recovery information is possible. A client computer cannot back up TPM owner information until this ACE is added. + This script is run on the domain controller that you will use to administer the TPM recovery information, and it operates under the following assumptions: + - You have domain administrator credentials to set permissions for the top-level domain object. - Your target domain is the same as the domain for the user account that is running the script. For example, running the script as TESTDOMAIN\\admin will extend permissions for TESTDOMAIN. - **Note**   - You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example: + + > **Note:**  You might need to modify the sample script if you want to set permissions for multiple domains, but you do not have domain administrator accounts for each of those domains. 
Find the variable **strPathToDomain** in the script, and modify it for your target domain, for example: `LDAP://DC=testdomain,DC=nttest,DC=microsoft,DC=com`   - Your domain is configured so that permissions are inherited from the top-level domain object to targeted computer objects. - Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions. You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute. + + Permissions will not take effect if any container in the hierarchy does not allow inherited permissions. By default, permissions inheritance is set in AD DS. If you are not sure whether your configuration differs from this default, you can continue with the setup steps to set the permissions. + You can then verify your configuration as described later in this topic. Or you can click the **Effective Permissions** button while viewing the properties of a computer object, then check that **Self** is approved to write the **msTPM-OwnerInformation** attribute. + **To add an ACE to allow TPM recovery information backup** + 1. Open the sample script **Add-TPMSelfWriteACE.vbs**. + The script contains a permission extension, and you must modify the value of **strPathToDomain** by using your domain name. + 2. Save your modifications to the script. 3. Type the following at a command prompt, and then press ENTER: + **cscript Add-TPMSelfWriteACE.vbs** + This script adds a single ACE to the top-level domain object. 
The ACE is an inheritable permission that allows the computer (SELF) to write to the **ms-TPM-OwnerInformation** attribute for computer objects in the domain. Complete the following procedure to check that the correct permissions are set and to remove TPM and BitLocker ACEs from the top-level domain, if necessary. + **Manage ACEs configured on TPM schema objects** + 1. Open the sample script **List-ACEs.vbs**. 2. Modify **List-ACEs.vbs**. + You must modify: - Value of **strPathToDomain**: Use your domain name. - Filter options: The script sets a filter to address BitLocker and TPM schema objects, so you must modify **If IsFilterActive ()** if you want to list or remove other schema objects. + 3. Save your modifications to the script. 4. Type the following at a command prompt, and then press ENTER: + **cscript List-ACEs.vbs** + With this script you can optionally remove ACEs from BitLocker and TPM schema objects on the top-level domain. + ## Configure Group Policy to back up TPM recovery information in AD DS + Use these procedures to configure the [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#bkmk-tpmgp-addsbu) policy setting on a local computer. In a production environment, an efficient way to do this is to create or edit a Group Policy Object (GPO) that can target client computers in the domain. + **To enable local policy setting to back up TPM recovery information to AD DS** + 1. Sign in to a domain-joined computer by using a domain account that is a member of the local Administrators group. 2. Open the Local Group Policy Editor (gpedit.msc), and in the console tree, navigate to **Computer Configuration\\Administrative Templates\\System**. 3. Click **Trusted Platform Module Services**. 4. Double-click **Turn on TPM backup to Active Directory Domain Services**. 5. Click **Enabled**, and then click **OK**. 
-**Important**   -When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds. +> **Important:**  When this setting is enabled, the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup of the TPM recovery information succeeds.   ## Use AD DS to recover TPM information + When you need to recover the TPM owner information from AD DS and use it to manage the TPM, you need to read the **ms-TPM-OwnerInformation** object from AD DS, and then manually create a TPM owner password backup file that can be supplied when TPM owner credentials are required. + **To obtain TPM owner backup information from AD DS and create a password file** + 1. Sign in to a domain controller by using domain administrator credentials. 2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer. 3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step. 4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**. + The expected output is a string that is the hash of the password that you created earlier. - **Note**   - If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute. + > **Note:**  If you receive the error message, "Active Directory: The directory property cannot be found in the cache," verify that you are using a domain administrator account, which is required to read the **ms-TPM-OwnerInformation** attribute. 
+ The only exception to this requirement is that if users are the Creator Owner of computer objects that they join to the domain, they can possibly read the TPM owner information for their computer objects.   5. Open Notepad or another text editor, and copy the following code sample into the file, and replace *TpmOwnerPasswordHash* with the string that you recorded in the previous step. + ``` syntax
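Review bot: In the `@@ -77,35 +104,46 @@` hunk the converted Global Object Access note is split across two added lines, and the second one (`+Access Auditing policy. This means that an audit event is generated ...`) carries no `> ` prefix. Most renderers accept this as a lazy continuation of the blockquote, but any later edit or tool that puts a blank line or hard break between the two halves will push the second sentence out of the note; prefix the continuation with `> ` or keep the whole note on one line, as the other converted `> **Note:**` lines in this patch do.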
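Review bot: In the `@@ -2,90 +2,128 @@` hunk the `> **Tip:**` and `> **Note:**` blockquotes that replace the indented `**Tip**` / `**Note**` paragraphs inside the numbered lists (under "Check status of prerequisites" and "Set permissions to back up password information") appear to be indented by a single space; for a blockquote to remain part of a `1.` list item it must be indented to the item's text column, otherwise the list is closed and the item that follows it restarts numbering. Please check the rendered output and align those lines with the list text. Separately, moving `ms.pagetype: security` below `ms.sitesec: library` in the front matter is unrelated to the note conversion the rest of the hunk performs; keep that reorder in its own change or call it out explicitly so it is not mistaken for an accidental edit.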
z7K0J^etZPEC@uqF`?6ULv5LWtyg76d4b70Y?z`0JE+zmcR?#U|+Lc&Q$D{?if^w1& z2o+O;AqIRX?$oyF;NipPk^CvX0TH(gAf$}*gR_}~64aW0KlO`ecA>V9Ipj)WcA$fLWePqggK$~5 zQ{+QG02qikIC8NG$U%-H*z&xZp+zckZjw-fp%P43kZOMv-%nXkazvr`FKA$=9kz*& z{~FdDWao9d)J^S`5F&7>*D~21D?B_QQRBrL+CP&i1mt>o?tZaCAlCyhSb_cukmvgE zp2I~5I_(Mwum+k{MVFR(>g#R6TLs@`Q2_=x)JJEZ!@7>&?Pzd#KnRN-_xdQ^$)+l> zb~k*UO*^F~n&s6#m=XZZN7dM0wILi8{KtMh4=RCyBskj#!da>N&KIkIcC?n)O|2sI z)M0j6dZtea*e$qa1zZL|N|sRLy{-zuC3Ks=qY(JO!WLfY(op%#5|45>h51zH#N zHy;YRJ@{kv_L@sgD}9DL*u0ijGXr=Kp*#MY@m@Nn5P38?!W^pF1<>lyjx`2fuKy+j ziyMbZdd^h5yepIKq7PT<5H=9ImDP&r?qU~!#{F}(Vg?6bL&l47=B`i>L^7F5tDhtm zkWmUC?(G}v&%7!T@o0Z_d%y7cRu%MPH<}i9!l;jfwBI`1yVY<5690#S<(-@CZuf=h zkL&RyR?H;ZbcO2wV{jN&)6IP@3*|IvpNexK5Cq9mMX|R_2{=Rus(~jv|EZr*^PT2R zr0jFgbDQ!fkw24i6qY~;vl0KFsNCxpS7mSdG)99@xY1+o3mS)TAsFtW**c7I zGR%}A23xJSN?MXTuS{PX9&&zQlcQ#6+NU2d3CvK5FU<2+8rG7b^IOzn8~Sx zxg{9U<|kqVn)yr~r8aI?OOO{yJCqQ}z1hBAiJh?sn>6V7{j>fIku8rO8osoqV2Fu% z*6DQnlsSCIi5|*Q+Ik)0tD_kD2W)&BUD)^sE86+mCBhh>CyPKXkw}FbEiYs!nG2bW zJ6VxZ7acCk>;z<{Eapd((NRNRuUz+8ge<2z`_1{4j!M%RF)kwIXhSpv_?d877ALx0 zeTu#~L89pi0+1|~+UK^^b-ZXiIyWMJmzTkT)zGibG3OdTyD_7O>JZ37>`AM&(>Ss;Dvd)H3BPFS`=tFd=GL=t*R;eFlHRTy&)o2p6Qp*kKAM5L-C@Nm+ z8HAV(J}3IMV~J8FfhH;P7!~{zMP_2_ZugVIRJ)aX6V)zRk0;*wQuqgV{s;x$r=kOO z_0GCB-@dtVfOZ0Vmn`=wXJ}a#a2{9D10|JPZyQcH;Q;-#p1rW^KKRAwsK5oq&KgR? 
zh{PGY^iH6Yzm1EX-DY7~GPfJFM>Mmho~&$PmBfATZT}6MZ?#uLchzngld`C7Qdp|u zx-LdA+d9S9M^4B3u_maVqG&w$E&ZAkm&p>Jpui!0XnJoYme=fC%7VvZvZRob7-i88 zHyEn9;T{6~Z5HRTL^c+0Vq==Yeu0HEm*yWrhesb5{eK*w8DJ&e=$|<0J|5IJ3;+D$ zXbuYWJM* zuF@JOpn$>PwEUXybpWE>&ucBzuJn$Ne;)5DmN(seyh>98K9hHmX`YjgGwQa~1}EQl z=kKfg86=OvB1#9KprE*s^}+S`!uCKzL-Q*~_eU2g`IpwLdY#!au-*A2m0{NNx{R$* zl!QXI2Q|&msSD+F^N+-7RT-hr?VN`N$W=vXkR1*X(@@ckmj~y)@7IGe8B8&x#4&{EoBb1b+OX2L?$J{wS zqksi+_4zsPABm?=pQHEVa|Nahmo2v!tL`XUW33Id04X0y@jItnL4Q9#haS^(BHG_W z_kk^Z$veLfnv`?PNc8LTC*}>AnT99NW*-zQK(hk@MCZlBr}&Sp3cpzGDq>&<|1vP| zvYyWQML&c;izzvvHK-vb+(Iu(`Rcd;7Ml+xcu15->eJY&(h@nTITU=Z$5Z8&Ak+$F$E8J`#U4#rU zM+8f8viZ2*vj!>pUR>ZZ7||C*3Qt?>y_4r8>wGeMMn?{&t$pQ1{iH3J-g4`X8mlgv zI;wz7%=$A~JU?P%#rrW0!pQruTzR~*Tr(EtzY;_<>RG3{A`3{T*&S=Hoo)_c04D?T znLoQ6SFoW>(l<@`;*Rrf$o8e0C!U!4Is>-7^y>=5y`IE^oZ4*&nvwj?$jK#sFVu&y zcB4!86>2!xN$7lt(=ss;LBK@nfb5IYqM*Zs5{0vh9xnVP`~E@(9@%*e^WHGTBA)NOFc@C#ztjY7^-vr>?FCtGOvp`{pFQN~=QmZ%0J)ao%&15%B;@Dn zWi@S)GfQ474jqZDjC3Qek`zJk_Z|?AHd7b47_;8?wb2&$>>##0(&M-)4Nmv*O`usR z2b#3(M_O1ZnI264`R@aBo)El4MJQ%ReJq7cuSvH${wvzC{Cx8Yo;Hqti^E+}`KIJn zIAG&P@DIQHQosxM)l6l27W)3;gN%+HE_O4cpbb-On6Q4|i}|65u6LsInUsgeL=o23 z-xQ=ik63%VnypkVEsfDB_}k{DrWN1&95Hed$R;e73Z=z`g@tOFUQVU4IcNWx>hjL= zOwBC$4`sUL#Gf1^DpeAU?p_y)yQ2@q20mu#N^4%=7!u^o1m#P-H$!Z;Kr{J(Ne@TXyiMDajyXN4 zE&U+Jm*$a=4_tRlDyea-~G)aQ)_ZvTPxJsDQWwW8&8A}j39BedZJ zomIVT)fOu37fafk8yHfh!kFjfz3qq6^R>#nWA3$IOwv^M(;n>ODg8S*K6k!i3>gK1 zwf>0Lvsy|Ne|t$ju#=Cx@3jOHQ;{z0iM57!qsSu}1xpIBf>A}B!21;b8a-?K2F)_IX6RYj}uiK;5!`wZPA3*ZaMM5#2m5^>L<#!GxH2htMvonVX zU(4F@#l_U&D1Xb=KIFr`RVUy5)%`uXll7eSc>i56&C)g-0BSw8m>nPMl2q)qb$nMH zJfk(}6_{+CqYKQsmuBv!dtOTaDW!$s@!WZHssabVHxXxGzP$y+0(2&;tW1D)dYYl}7Sal`x5Sc5JNRA&y#&-hB&O*L>yEHCRQ`Q~ zoBTxq-JEX4OJ}DPfmbD_l-(4@HwT${-8Yvz2a2lo^^tt-RT75o1SNNa(?|0kRK;hK zkIWjQ8kxojVa^4czYR&5&Ghx9M=Gen<-h%3Y`q0k96|FhI*SHRfDjxK2=4BZ;O;IV z1h?Ss79hC$;<~smmf-I0?hxDpyv=vt`QPup`{tZIXU}ZUOiyojbyfYUewC6Pjd3>` zBf9@}pyqQZ-hH&LV6K7*EK>rKoBNu}l-g9->+a9p0i{REQ=kv3Ie$XO{!1OnV69DG 
z)0Si%c*KB4=X1_;KmeM*i;Ig;dN7B4abes-%Ch@fJtm%6VnVRpeBaY*B(+r*%?9Fu6&k2V-0%G16`sL8$$(_x9a3QT;d!1~M%MaVVLS=xFz zE8G0yoYohUf_An&X;va0m*O129=VrjKTJ;EYPQnmQ$$>Du^}>QHqD-m$Ldni*i*BQ z0LyH99)g2=w!Z;Z1dpz2VTy)ST9m%iwoHZXFfL{&nn;;Cy&9cP0t}|)Q$i)P;g5T~ z*(|8~`G_`_$a3)R))Y^jVTE9=zR*&>vI^N@prCW1_JOmagiekzK2q10L-s*tJ zC=;IRCA^RA1XkAxuAd(Jk*NMISV1?t}Wii z#wL^678z(I!Nq;fiytZfJO(h_);8AHH^*p+%BJOVCiqf^sKXFl5&%Y;FD-=h5gQQ* z={jvwz1i$RBY)W(&3reFG6bN7xXboeIqz!~*(Bdampgm{syX%?l$EQ|*YOM-by^8& z>^SXjBf>iK5@k=NlijPhlbNwhrhwr(%T`W${?|PGt=jh!=r|9?qE9$*J^lT!{B#UT z#`pP9F0d*y1en~SB`WfFuBl%~eR;S#P-jlCXn856|CrapH6;(lB+N-?ska_O1l+jB z;y~<3Gu}#=_tl95W+BJ!AF2h~zdZGdt;E%OT)BzLkeH3YeG#;1ur)1CNT1C^21Yzf zL`qI5HYa}RYm)zBlsT6FGen=lS-c4p7L zQj*6f(V2v>tkVv{q%J^zx5BXb@w}Y6%Uxm3aMjnswJDKQ$;D>Fe@|Pt!k~??Ss`x% zZhTAqiLUtg33kHc`fz4HNFa@BT6l*rT)S;|*2TqH%v!e6LPElh4`%f{n@6;w4Nck} zr+NONl}~u#&($bNeu&QCMq&|pxREGpgmcTxqT{H8tLn5POumhn*3uN-bZUX?OxzmM z;u~bXet~yAm@FWS3^6IolI(lGsBXm_yXoW@%C*K{ViTGz%g45Nv7m39l)2{FcDFp} z&%jt~D9#oNLjzuh;GEMq8>_1CtLmz>pZK^iEb*r;waOHX-yj2HletOi@a%v*gpkv2 z7QwIC#1V~N7jt}SaIrFwq6?gyuI`CtMiEjnz7d|?o)Y~04bDG2;Gev4tC@j6#dGIs7=vIclzUS4v8|Njl+4@HR367>%Q`7CVdBS5$ z;e;xToa{N25LMg?hI;o{!lLQ^6BhSBOYT3$_~NcIgAdEBGoi8AU_GG4MFtR)_k;*; zBVMoHym@oJKeKS=?AVKxIS{tEd2*7ek+Etw{`yRG2;}DJY1fj5^5wEn+^X=3*qP($ z_n`lZH(Y6>aVhg1&o9fOa$&qTZzhOea~+Yrd1L==2L0_=%Dra7d~`hXTGS7>8l@Q2 zzr<&_Z{Dz~Y@&KYXZ&r1!2s^lR3~qY{(&W^n9CrAUhZ_XE|3&B?0UM{Z^e&+oUr zTXogOu9L=zNQ0W|A_wWxHsyuZ?XyPxb-bGNQV$hjwO*1VZn!u&#`;qp)~?AZ9_*5Ih+bTg?pvvo1X`E{4bns{YkbTk;qU3P@+bjAS{Pr48A zmNFRnz#rm_tZxYf+?H_Qu+Nc~ii{vX3#F`>{Ib3j&KiXA;l*{E0s8d9Pr!+#3H5*; zEU9fMs83v_HVHu2nHL@e`N`SP11xrLUz)Tux(NJYzH} zecI5F)+Kc#h#v1w(fVBj=apR%sV-a1N}xc!N*Q8Ifz2{lG|-}m?Fs~2NdO@alp8Jx zPhLx9hDi0fg&63Z-uZx5AGs?QD(bi(_BcSvr-}#6zaYqrPCg8bi zfe1WggaR?QO*U4l((Z76H9`5SC#%V@NQ8AXgDulW#Lc(0K z)|Za%cBIn{@_gFUYM3*|?MJ7x)oV46bD>Rc?)D>4L7}(g$?9<9bS6M&X&spaR~WwD z`p%BJ&ai;oPtlv66Lw@hNI~QAW~59>>mi}P%tIwUVzA@i^>r=-gL+~~!_)GPa_^Aj z!gpO>hF#-k#BX_%=n7q4EUsBjr)^X@wJgH;HGc)2ypz=0U2?u* 
zgB)C}FSA5nlb#wFIIryeZ26|$&bZf|Nph2AP*}gXibb;1GFhLQtl4%`J63T#JKM%+ zsEYke8Aw{@OL9Vdr}?Cq3D3-wGJap=U5L)e1#_J$`O4q)^ejAaPjTeHFyRNbe}24w zpZ^vc*Xag@FrJgP=@npf2%0OVn7^p2yDH`U=x$+= zy^KDaBJj{G0A|hHS^XzDz*!5&GKy0kJTuacv zdB&2kc6McWJJH>W*X0=5<;&US0J*QX0Wk(q?Q~9`0~*tq6kE+~N5{5SLoUo#;NqIC zUmOd0uqnG&w6+%Gs;%5-gDUiK!p?K@kA~7gM{>o8h(sfLunIjFwU_3HUF*Tf|CY#S ze&#dq7Bldf!ua_Bf}Cq8s7sWI2BZzD3YS~}BJnJOdWAEB^|I_n&NpLSnE;2~QvLew zMcC2}Bz@*(ls`%B+uSw2OO2Q-RlW+5MkT-3a(r=lL}zikF_!c4vc>N~ zcw+%x*|d?%_QU)A`p`F$OSWIfQ&>-qv{wd42m@JdH?7D%1Q#`WyMH-Wy%+qgWBPmi z8H!>o>HQH=Vw)Hf_`PGkL&%v7>im-`^HKL2r+5ZXqEC>Uv8vY_Vgq1g#096+aeY(f z1rC@XfGH0SfKex0L^R_63H$VG3euT_L2Zt)bM)Hv4AR+u{M(7hqb1lnC%exEJ9n95dH=lAc13Z78S~rp;7AE*X3~L^H z`>3L=xHbGlo{aeRJ9pKX6s@=7nj)!SY6HQqpCDq0l-#o}D^ivVVR*C&sy(|`J{`ZO9OwMhbv$WsUYX6jJ!F!-#Scm^-)|D4Zozaq^&|lw5 zBi+FnG{sd-`~~+$9LgEzQ$#?_g<5sXD5;2}`b~9@_+nZ;!eEmg#Hy?GqE|p~>?FRKk1FFft6Qn}@<`v$M2R zZK}7duQ`X=IEBi;FdZf2$)IV)V=1);jgI55bG{3gxi*)QD)V{9>;(ote`0!gc$`D{ z@F}{~vVQ+;;bI^%W!7L-x{+DHbBu(y3Cr&fyCkP`#)GrNClky5W**;{SYXg_wFN(Y zPuS92RHxj>(e<;1O#gjROQXz`t)9o#s_(RtpCF+_-HPk8eDIZ4q5lOZ0;>3bRH*-! zcd*p9|7EOrMKb;H_3pT_5xuY6olbWU<39fexy_m`<+o)Wf(8}RKA%<=CF1$Ec2N(N z%z#td+PvMK?U>f=M|(OthJW~uX}F9q!Z`cYZWxb=8c$10Eo&r0TpSzf8%j@+>a9F9 zJ^6<;$wDrCT0C3Zyf3S8QT#^Y+m3CB+G49}8o41SC*DbtAU9vfwzjsXxQMg;SZVm3 zvV3)zlY%PA`HFb(Jju$5x8JV+|rl;+V zU-F`Tq^-zcF9O0k>!VE13BWYcA>MSALAI^IdWUI6W+)(FRCwSi;A4_ItDB{{*Wpmc z=w~dwtZDXBcbS`&5mnb7kQ6@&%h_h_y94GnNfH1|(>|I>lo*#bRkY*>S63<-do8|ZMT)Zs`#p_CLZ;S6{3Rfd@;W@K5Nl3`la#pf_@T$mI zsd!hmEQY@00rtDdUn}k0XG{$KY@S+eP9JJcq_bHE;JMwb#@3mCdR#ZzEREhnwX-2O z+SpJ=XUJr;KF(No6?O*It!`ede`Md2H^BTdv%_#7A^V87oHT6By4inpU!foy5Qw1= z%{c8-T{9@dU}^aZkjEJl7%HX!z-IBjmt1~7%}nI4K;MZ3ctIj*Y1_6afIiwN;CEH6 zORoxe|HQe(R$1Z#{3>`KIqUi0iDZylo2V5 zg>T9#)ub(9A*-rbV3tVz7$UfLD*WAj_Wf3x$qqot+xNF|HBLInL}%IxR@b)4)u}S* zcaM*k_>O0kjwku*3czAHuGZynN~cfx_U+bKH>=%B3;jgh|R(bC4 ztI#C9f=`EAD#&`50YO(6Y}(q+xfY2A!o+Q^X9n`%>Uee_x&h*c+_rlIH(qR@KE|B* zX|Zbn;Q?c<&5h)`LfS-JJalKHzR9q>{7Q^%h1bXy!UcCqga@ErL(<^Kanxl1Kirf? 
zQ0H5RwE+-$sy!kQwQ(eXC!!+#*_(n&5fK>hYOIOV1aJv>8}Krg|FQwRyw>_4LAnls zMczMlMa49*GCT&DA{qvzpz>@|K3u{5{RP%QJV;FpJ?8O>o|f_qj@Cy;L>3z3=;zql z#mA!^^bMB6GnG7z<+fuFa|L%;#ihtPImF)XyOoCPvhBA_&_>>9U0n0DNANxFSOlmP z@o4sKJG-Fw7h4PIH-NY}D+oWa+kLko=QPmc)`HLG08fHexfYm@Lp6ciJW(N6ywY#R z2k>`KOECP;h+x$mTg%H4{Az0I&`ENsd1xguG$H07Vo({pPPmwEb3X~ zhP^lp($!o3RQV<+uB%50jK&Thl4;iQkp=VFLOz>}_RD>TvcQSEhz-2Py-`&3pT2Z$ zD?QUsBfFiQOC_!CpAT~Gxxw;hFQvXxQ=SVaCd$|E?l_-_d|kX-ZX;S<{7>!wLHg;5 z5|En4#%%nBi!<5ytP|^#6J3&U0Y%w#n7hU4 zEYZQv%&(Od?}ht>7cVPO&%2-^_FzU_6{15-AUc7s6AV^Qc#rGmHc_{xgl7sKW3 zyErbAMWFnoCe*jOdv@f?@oZe2d!-U8`FOSqj0>!uo}Okg+&5{RF`Wp894+?ewn05R z-o68t7kLL(+PtsbRwkiD%PUJJg8;eZk(lf44bZvU1cfq34HqF(!<50{>6UuZ?%v*B zq4lKJ=@Iu-RgrIJTbrBPmJ9Q?j9b{XKzC11TXHpUf#zV?;g)6)HJM?CGPb5+M?GV$ zWo>;N_k6PxTuE<0P1VjQIWSZ-HVN8KpJf_y$IH$?%KqKk({oTmzjZ&gJ(t+)Api{i z-fjvSUabEKO4z3C?eV>13sY2G8*~~1Qr1@L`^LAk6V*?&3TXGsi4u@6j2tF|{pb4eJ6CW9Xba;SgA zThZ_M6UPy-36xYskldz9GsS=}=Hf=&F5kxM(c}-`g{j=qnczK+V%6;0luKvg&L8trz~#X?US^e5{YOvuRQKE#PP6YKiX%pjA#gvbxqT!oPMV z?J(09TXXpYv@^Q^e%rQZ2D3mf!KyFLZCx}GnMiifP8wl5pci^A82>q1iIB!HS)x4* z<;`#yh&%0$jI@=_YZBG>-4y#ClBc+-E>Z#`JH}kRI^ZjbBqf9<$PNZ`9=gwlRITKvD>tV~MD2}c zrZ*T5jJDlV5W+e0_rKK515)@#5B+ZxazAH_j zEl>Ha^4{pmrdx_7`PIX-FFy@08!r&U7HBG_`x{QAc|6y^9tHHLqOP!_4I`A+6a)wz{I61`#|+U#6K(3WlK~beEnC zKO-V!$KrWk1sjL9LDzZo5PEj4mLb9zd?`v6Hr6gL+Os|{jXw)aB#vb<$&+P(Vw1NF zu(4%(>e4d^U({tVV%t3H_jHyES&iSJn@>WozI)3KbrbQf zjk%!lU_0*Y0ibBnrGa=4r0yOAx98UKo~9mth4z{{+_Y)z;k#cZ2LnsVE{u2=&XRCv z(}Nys5Pq_E?;7{|4^;idJvTQ$Y072rL)eEbw=IEUHS;ePzDK9}j9Mjn7$VE&x^jBU zFs`Rveo?x3P>hB~xxvhR`(i@u+Z0q~?emUIEw?d4Hm~Kvc^t>yAY0w!Sbxn`_ z$G+`u_6AF0Z3cb47*P=sQU@(nMtc@G(9xez=!~i2^cQI8guQ)Np`=Tm{Ev2;#j2Ca zhit-z0urpaTTELExrj)Z>*BC-fQQ$6Hv$iqV+;d<+T~!l;(wyu|0iP@<{I?|y~}>y zH6MeH3Fqv5h5>1_`t7*88|0{HXhZ6MeU2_ayVm-0O0F4+X=%+rUF9~oT(>8Fm}<8t z!TxSL^<%|e{qvNeA-k!emX=le4FLDx9uge9&~!jJRFb)bg~ktcT8w=+{;fGu$K#?% zG<1@s(si$@iX|PB-Ki`ai`avQVR)ezr}Nk#6IO=Ent!DCu}V38Z0zjp@8;({umvnP 
zCs@Dgvf_}~$;sfw*vN?S*aJwJE-==b=Y2el*guzp-+8Gu@cw%YIeNUmpPAZXBG}*F z-~WDFkKWnjt_wmKCIr?`dt;-b7+r+R)l7x$ot*F+FMX~LovryF?(gdxE3Q{owOU(f z46xT{ZH`jfZKxia=c9yi1sXnot{s)!t0Ncrt9X(hf~w zfO_mhaX*Sak@s)A^~vQTupEqP`fCM`XHys`u$4^n&TIKDAH3zU`~qlOYBr9mk_ ze(d0FE%AU179mSSlX^3iWW0t2Lv&1Ch0dADP?~slWmRx#3%{(d9Mi9)$>~BlNFCRr zQrb^vPsf)HBH!3syHtV{hAInjN@QB;yaE=QF9#b|ypS-`9JjL#l}zqcjDatf2}dm& zR)gq_z;{BeR(I6_hzSzdRM0kuIL-CU>Jro$Cr!_sKm-EjI3C-JD_H#&uTwsJ1nRrz z;rzh<_e*eL;3QVyG9<&y-4yU!+_6IifF6%}4A6A-c#Tsw$&next#a)5#@AYksU?`4_{^Is5=~U0+plLM`i^t7d_s<+*zwt9@bN@%N#Zb z@PVO^qmEOG7HR&X(Wh)HO9<}!y-#c&Dezv><*mqK@DGD)^ek#2q}TS9caNuGgn&D@ z&W%OU<9yIv5x~?laB>e^shcPR*v#UdX+%dY+S!UCst*~j2x(r{W~`=({iH)hM)2$; zCHvYI8bRfjn)~yUT@aghf1r1JBd$(PaxpOyoYx>NE<3fh3g^7Ematvt$oDK2Hl6U} zRm$u@NIfF~;K7;mR{KEkY^nBO+i!z$u2OVLx=+&Cz>}va>&;sKGB$9C#lE(4yuY6U z;}BL`NWand(LFxco@9MqcjcFGEk_Mdvj1Cs{-3DL{}zz{Uj+9bcJx08?tjO4{uj9Wf4Wfq zaWnj15uyLp`ah5TFI?*X+xq_oj>Z4a*8ec&|LMv9PwRhysQ>pX6*EV|D5UCjKD~lb zO=t(8ckMV>z$hjBUiwz``_yBveSw$J6SQQe1Kg%pD&bOPujWbSR~Q@c=T}z3S6b%7 zSBhVKm|Ss&n)&zwv!|B=kAJf;TyGzJPRNdoPKTG-uT$9_$KD?*espMVZD>fMlnx-T zQh{YdyuaFGV`n$^da@(LAX5L&3FLZq zIypPB!v;*V<%pF2)<=LvH$TL(4`L-z`c+t2D!Kcvl`^6PTZRMV`{`_;z$X{stS zFSP|BV0MDi(mDFVQTIYv;TdzA%?XGhm;}S;HiRqyT#|pL2)Q5l(s?B`(q!lhB2-0_ zAw6Aw`Yq(~B_W+P({FKDvdAUdTaz)Nq(eZB{rZH>;_5XrW3^a}$JcXz%@6)!*E^LA z6wvpz8jYOECHoi2l3a#nl1#@t^0D*aVAz1M588Q%ntcb~O(Y2!S0GsPwmo;h=2N0X zBn*~Q(v&aRIec-wWkQI|t7xwEp5fJ=4n`Z&AD~M`0-j^gctv9de}|eeYuBf8jH@0U zH4p{-f-|~-ICB48a*DRJm7o^MdO6-7`YR1(l1H0d!`vNh`%G!?X_zT+mpz*a2c}f5sqC8zL=ym=s)J!l) zPJ-qep$vpP(IN6Dn6={LzHX$9=na?6SXqJnH;7ONEPLTRFJQrl;Uf5zN|VTITDq%+!q5l zkFFR!Wq1+}dwDs8r^@7R#4x*H;5V!ASllKZs6r3SrNWuqeK)H8j4P8}OuzP1Emo~O z?#i)#3sAXpxCZ~AojJM5(mU=+l$n0{OphcU%MsF$^F+zPRIJ$>eFMdXQ)u9M(!`8!$FOYt%#UWIV@w zj-o12X4D6L^lM{6K5(4s8~6T6gn@t<7@s~FiQ8nVNz;9tNxaZ0)u;e@*Mill7vYNE zA}$dUVD9pZoFF_ErP7GPj61DumV6zXkEi#6?%G5}2cyT%*0$YBA;7Z9!=Fg$dMsyCmhq>H}~e0=Z}e$nfa`e;SvC zW;_>O)EG`b{oA;I&aI8adq3>g=&NIkn$O4xN|wP|7>fcc7534On~x3s#3|ECPbm$2eHX^ukEYjMnswE 
zjzQ)K2Tzzg_XO7m6+|LF!ID;_>-FH!J*{+A9nmlq7nCd)Pv)T&mIZps6f=KYkqH7& z80zIdvw@23N~0A93Q%3qs44W5LJ*KJXjDeF({%Wod5)&NuggOxl@Kuea{Wd*s+^ph zcfE0fq`Y2Wa(CQt*swZVJ78pLYR(8Ja!x;B^c$PGMv{blCNWCt&p$Uec&#lLb(13L zqOdKqTB~(a-@ecM=gU_bWjOQv&8Lg7ty=y*>XkN*N<~Kx8%RKTv*-GqE>a+3{-@ul z=^Tl^j$8A!?xr5ZU>X3`oPjCX`0G1?5A#=t7uQ&p_zaP9u-YLX9Wdk}abZDlad!(k zN|Yrg<1QDJW3udfdbmgFmJ_t708K!Fu~h3?(>}{msiW>04El={g@^4L4S9b%LBTm* zuHTRS5F6_t*9Vr^ufXi-nA*_8!@PSBIg3d2R|b1iWXqMd>DJq6cDeG@zf7(!QUf<7 zsE(;Du5CmRGDl{^FPzQsTvBw5;{)U=q)2ZY}U;D zUP>D&MPmtR@m)I9CTaJ2c2*fZTB)61#lhA0J6?r3ccr^(+2G9v5~5$KnY&k9%ON?{}`Jf3Pti^)5=u8+ES6{+JR*OU2`V6EwW zKv6;y?F)C(HekAdJ2u0E4d|yAJaJ`HQ_~mTJOGI3p+sqsE4kMcTwpgxNH5G$MGgPZ z;cJ8k_-lEWbc}hnSi3B13yJ-g= zMj7z$ONuf~=DZK`Nn{@LkV5@a1ld;<1;(q0^!_zUQQnuE9kO)MDA?TV=ojC2EtpiA zMJo4MmC${Hlk=z&C#Qx8Y)1cJ$}M}>h+N{vxiKc&bC-6U>EJXHmkf8p}gXwVN<{q zc3@2(F?u6X>Slw~J!;=DTfl*kNzU=jVY5|yESwJHH(7O(hj*2+tgTBv3ykx6geyvN zSHcpZkG-P5^Vf@=*Yb!MTUcE%k4QIB-ln$=FZ}G;tqNPCFMKUhqK?WdzE`8=6rd)g zefTG)`KzflR)|*A)8)Tz_%{E96S2(4PE;7L(MD^T?8c4v_+DigQKy{>uSZ6l)}b_O zJJx^F*wq7vAr3?;6iv|hOTi-mF?6&m`6iD8N7vSJw9PUxw_>GhajH(7A5{n0EKc7} zs-!Dvbnrf2jY4ID<+Ts3RK0zPa0Kla@ALCNU;tfo;~n+LfogH#i<`>=Ar<~SFYfkX zvAW;r)$ME2_QdF0)7A4gn#6+}oQl1?|DJ>r^35&s(hPV1K(wrH72w>li2IqpPplc; zPfn7{$86N6n2eL)vZ9L|dZFvVf4gYjePb%KgWLCm!sGg46({FszWvBCJd}&`eUF1o z#;r*HR*|ax(}^T#sB?s3+AvwVbSA|N_DALj|E~0y{R|Q{KCipJx?;q&fO7e=;J?{r zbo1O$OPuYjc+$ba&I$Q&IQ3Hk@`0%DD2KJ4!$h%?Og~nqc>6mKZ*s4lLAB0=lXZ5A z_TLu$Y6{~E1dgFucpbO%NSmdQ$kVg@O#5=8+i^iC7tWqjCJVI)vyuGTvoxYiNFkl` z-a5&V&m>mnvbVJ%d&?CpJ==R})G@H=Hj7L8NG^S1wf#)~;WkZ(di-MMhQK(kR-B_= zg=x<%It@qA*LH7rY!)Lui_vbf_3{fpzts@fC=^V8JHx*2FwP;EoOqu-`i5`v75XAm{#2_en5`2D{F~ZX@yh04 z<=I_aFR4+FL_0PHpA-M!-j+oVjfcr)>R@pPDrhxp2y6?1K_qYEMmL)q$xOS-Xz628 z8eg%OK$v2s)h78$5?DjINxZTX zbk!tSgB?(4VZMa7GKo4m^yP0$rBMOD(XX>q9g5WsBrM|r)aCRgYWrNyw-&i_?s`nQ ztSRV?f8Jmsll5Mi^LUXhwAf@rZxJzFrWt~j{} zMLcScW!#5XGK@F_-E1llpz@v~^k+Lqxvz(lrYfw03{+>qcI1ak5;>j5kE3r6>Yw)* 
zaZ3`W`?oF0Ujd);UP}dG*BCW8zugxzz4)u}^pY$|x#o-Ca)7RMI;A|Ct^nPEFc%e4VV^*S+ zKe--A`kxp6q=btI&|##;Xe6s&M?4Kd z?NJF!pahxAHE=~2Vsm%n2K3HyflCha9XLgSNJvqSnshf?sgFrr3SFvL38*j$l>8Z4 zg*LfFn>g(gjYceGWWmVHL}9!`iIUtFKAW_^SRs|)2Q2}cEId&l#xl4`BL^-3jIT#Q zMVml7jbW&o48aRa#8>sPqQfwOj2&*7{P1r2w`thHbmx=D-WIS(za(SWjK7F3(+=y2=dKh>&^?y**j&p zW**h_vO$d}C*BpjpRvkqdPnr-l%HL5?f3820W3Tv+@1mEvv#J33-to`A^2AT?|f+A zx&B*D;r{A=&lmix=~lB8yS@G!!($k%+igq|3dzwOD~l7b(Td@yHG?7yohU|+5}%iu z4IMS9i`zUg&wh^cdWf2KTnDgDqctTb02D*XNI2@;Is>C6kqMqP*#~%6dWS3*3+MoVhF_pX{Z`xTqAc7M zUOP(s)bkRc&{?#{l2ng1L; z%`3+g%pcRnhF(*3ONgT{J(TeIs(K1*&h55o3L+LSvyVd!k7qJ+saXw9VIY_MNo${N zD}A8|1%n{Zz{tOQ)R*Y4i8BwXWt)l7iNCeOaz(jx`qvrf1}lQZ zjaI3ZWEGJ4a@45Laj|$v7n}RcXb~qt!EBedM)fcNvy9~wPYZ<9Rh>KLvQ z6C?C=-F-t*%V*ot1ct!0md%-@SbarS=4FAay0ODCM|HE~Bk+pd+N9I?ngXpMJsdE!TFP&S+0lC zU|u0Apj6R)r)76S^9;)>CG_vs@(tI>oi5oK0Wll@`PO!;v$sb^qn4Aa9o9(*Uzzd` ztJ1^nYu*rsrpfjdxyClT27Pm_4*;OuTmW5pHo1bg`) zL@9(8@BoTP-o(7MfH-;3Gr6IHJ1!u;;d{51eZF=EjV8k4z1>g}lc9z$VtrKfN$`DY z3@DS_%6?non|x>YuG-{jxREt8S5x4%FVowiGopRAQ`N^K&m#Q4Tv$3NK+H6r&*0eW zDvV>uND}}c?(IfuwK6A9&RLj;=hR+1aqNhTzih6&(K%z(M1EIczh84GexE$q2rU$o z7g+UN>OpB=bgK}1^>j}7APE9eK+#OAKCgSS|={+b;<8CA?AzpgmJ$wxSY0+5BLQ=GQ`e9^Cl*lw({?M+N;{m~{gahsXH%QNw(E}kkLQk0h#FbDVEcV;=vpQ~u*seL=WeGKTHS zubxcUQ4tXW^B|W5$@fbY2=POVzIE=0n}P(`aUmGIFx~9+!`PU|s{o}LQhb8%a-7~r z745s&1tHI-b4H5+sT*=snFC+h%>j`TTvSeNVY2WK_{3ag&&gT&GC8^U=!7LIB{bxI zU{(UT05!U4%E(`)>@~Z;abp|9_o-^_2TE9`y+jEp?;|-=~A;%VDi?wf|msSoO^oH(5U4P=B>j zRjIE+pZ~FLA9^885+RXS%M)~WorSUr`W36+5`+|V9r<{0f9@aH3mH_~uhC|3ksmCt zJ_*gBo1U3r6cQS*((X$UH*Rq`XxmlU=!<|)!!$HdyRonvE)EnHY-_i-?yef~H1#-e zS@}5i^$qT?*^OQ6lU?j;25khV?x*Q?aSAiQF4WB+{0@moIPAGo3A$}v$o>Bc7?oW!WgkF_la#7XQv{~=5-?T z%HB9t;3-Ck!vg`oSUE7$T0Q(D#RjHl?wbM&Aw8xSdJ>TNG{)4}8OxE9)aQJMpqX-T zRf&RKqbts8ir|THt#{~dBL_lrTsLFrzah+HhoNKz#q@LdDf1!M1gl&g)8U?%HV-3( z5Vr3e^;u1qI(348U%3K!KZZve}1N_++|?ex!^%Q4eYlGlxjCH-p7q&#^L41EUm4b#uC zDfN6n5KL~KaH0A)f2Q&98!oKw!2He6k$#kK<3E&R&u*E{a8oN_Ci+})y(}Les&t?~ 
zvZ}*3A&kEc20D$%J0A^W0`aRo~-lN{_DLZtoIx>Ep$0?R$okqa}o&u zvSR(ORYm@j%ykBa0!*-P0YJ(0deT3;{aL#zTRW&-s-y1f?uq zFTuB$=!N1k_ETX`9fpSyJ}2<>%#x?p{q5p)PU|XU{%zxQ$4zkwFWa|HTIp#1+tZ#P z!oLy+RTrK4K&ABF;1KM%yg|3MJ>z*!z3@#d*t~Br-6b~IZlDuj@i9X$hr800d=qrt z-$wuQCOX2(-YHi1NpXpciNK}dx_aUG<0lLpfKq#odsxfMpQ9eGxCECED`H82Pc9n- z#ui#+HJLr7gs0YRsV>vjCWWAg!uzGUo~LV``qFN*is=1D)vgw-2*kix3wuC5GYLqm z;ro=XOmCK+N&repy|&pvlh$piP_U`CUizSkDPnV2zMvZM8#9~O90OpU4H74vBAXcb zK+z2JAKsdzDpEQ7tT|lm&YSKfjjd*j5>Al|H{0%Kma#G+ff?G{O;(4|f-xl)H!Z7; z)~6khJe7LFbTunGQaGkw6&d3DHonH8o{mH+#q4w$~s(4}cjw zs*HF4b~!)H%6(GPx0-jpi8@$e-~mJmGYuQQZ<)mUBNE|~b(`Aja$((Y6as#^G+a2_ z*`_Y96j_d&O=k*iN3-n=)oF{8n3g^CP0dH)?vYD&1{u?H1<^qwm*&z_v6{NhSMRi6$(chkk#YX+rscR7Pg(8$vfKRh}z!1WPAtFm?Yy`r?CzHUvg=O zTO%W^^kcG4Ki$a(6JZproF)6iHHnf2v2vuiiM5Zm{48sRFHlc=q|hQ8m=r+*jH6Ga z*vK9Q$aEZ;olkj_oovm3x2O`K%58&~5Ftb3FQZ5%rTuOLg^XQZaz5u-=6!X~(bjkZ zJncN+v2d`^VS3b4-w<+)b>Qmd=FuiqWcZrfw;0vuEG{B>uB?NitgE1J)z>0UOag9w zoygIvytPN^vNx`;QkCkTU=_8XZBvDM4sB^ZP0zbGPZb%GmCe@u`a;(0r_lmtx{P6P zG%l z(I2fyK@B!1`HU8b9%}|X5Z?VJYe;XFI333t4#?B!Nt8=VP5DenkYsaE>w5R-59LR{ z8#j_)terK)qmesav)H%#y*lehm6O6@|7qE&eyF+2s4$zkm4VS@H4sPFdF=pR+j3!= zhQAG$c*+Bj`9{!#m$&KpfsUV>!|ONtK~Cnxrm-XT@cIap3N`Z9dgGQM>Er_o0|lT{7b|-=~pp1ECr}1r?TjHdn<|{ffq<_(DS^d(Y6v zn)mHuRX9-J!pL}*do*~9_7n-)b$Gqk#OyE&asZJ$xU9gUbExE;BVnP2kC$$Nv5}b^ z@;U+G_d`_FnQO;4ABB7{^N~c>dVz8sbYXXDR#w*YU$s}cjabNB{)DtH-~W!S^d!KT zFhS$_;*}c|SnVaNvvp2?z!V=fsDe}P>#tY1X7GHZWR2N~nCCg*-0JK|?Z>r%x5%O5 zZc)!HkDV*s-Q7Kz$9^E({Y70(Z;uOx4*O5dQlAbu>}NEaoeX^T48DHdTlmma`i!%UQWugb&Lz6%s7yIskRnHu9ym ztBO|hp#`*dwQi*Hk)jZl9|RR$vlTA#3vX)gbFR|uZGYUt3o_iRA~sUIAwooC+y~|*ABjp|6$nSDX&5a04U%t zu-aj^Vd^210%vV%KL6G?ShsiPX>j!85DMD~qUoBS@~h63@K90G>si>${ zTe1y4JW_#Sn`vB3$VljklpO5vdfa_T%NjvHI5vH#!F$lJ33poI zzEVdnROnzHDt{YKRz_NKFPEZe)NJeh8RsZezoQk;txM`8Cjdy^$58xDT1l{KoG1eS zUX?rQ2c*ANCE!;K1=$1TS>{ZKu75%axP z_o^UZyq>=|YeZ)d0pBB`-gx21>Cg=Eo{(yhd}i##eDRm%a(!l-qL9pBTheLv(l8W^ zPN(kG&x`4JnEM_&C*!_Poz+j;#GLz>JQ-ZztKDIv6*eoHw4A5$c}78}JK59Zq&0nx 
z;y%7uq!dh0E#C0;%fm*XP={pIdHqNiw1UFFV(#l4tGJ^I^E|CfPlTwiDy#XkziD$#|0prLrLm&7dALO?ewlLdgMLXuouCW+%-EGypshq14WiX+&%Z6E{- z5E3LfAvnR^Ex5Zw2<|#K10ex|yUXD2?j*t88Qk67Gn);PTfa}JYNPT<%B6Uv_x?e}n}m}FKalpx_qy(gZlPrrQ{vwVA=Xs;vxB~ueu zYyJf_k)LYVP$gk4NLJ}~68S$p<}YXCydni^{pQ~i(`4fNri1}t$^37G{CK%jblBtc zXuz)A_H#y8TuR;DO~GDhon3CP3e;o=M^^3k1ZPzZTOKVA!Pm;-hjYNXY?V4FpoDO zU1lF(v)LtGg9;vGvC|GM)f8l7g=^xinh06uFI&?Y}dCo4mQf4o-AOEgf? zKlEoPKeuU?2zYz@czpYxawN6^O{u)xdj1zx&-;SX$Hg5auUd>Gy_u_x zHfi40RmzK{P)rB|ixWEP1)E7>7p01iDn^lp&d=dFKH0gRtPOPH(Y=d6&MXtB05v*X ze}&(VIA!z+kx5>s3TDb9lez`2`hmgpd^PVBatq5IJK=4@@j0|bjnRnhy6-^LvY*?? zHIDffzn{4-WYFIcV4(R1{RB&VDv{%3?;eRC-MP5)E}%NvX{AwmDppjC3`{F zq%!u^+!-gdZcj12Usf0~=0t<*Yh6I_YS8mM8LSlDPfHzdd(v3Mga4gQDL9M=v)I^+ zA4sf>wpJHUeIDl-+oSZUdygKeRW&FX@Zarr?Oddn%`-NtEQ~z`f!6}P<-7@LSiSF%@rz1!-= zU3q;O70CeJOh=g{ictCq;ql(UPD>*@aWkLx#OXUo_T>aTwIF2Ft;%`{G&-rn0Ypu3 zwMc67T--h8M-Wr#kH$Tox20uY{>`>?^%jKKuXy(b#)Sl8S?310QM=l&4Z)^c+Fap7 zp#}$NKM1xPS0X`1?FZ~R*DL~StL$qQV<&A>&hNaI$v zlWTGbLQbrp#go^Pb>XCCt?k(jW%RIHu)u92FM>^jV7%ZccAf_|sAlSnY9vnRfo2+Z zZu;I_eS3_)#Ia)hW9W(M-B)8-`+pZ&#c5>Ek{hqwqGW17uW{PGxKohlQ|yRkKm?-j zAlhSj?J)vDw$EDn9qVzqtJg`4?f+)p-wX{b5XAv3tX7C4kS}2mT7HS2s@HsA|G__J zQ~OM{EdAEIy~bxYQ?(zR?-lJZA1nPp2JAm{Y?>;5yRWqx zfIa-ryq{Ybl%741NT#Le;!$70uQ5dz6;%|OtTXw(N6sx~@>P)ufb4vX>FZ!rv7mva zv5AILEJ(qj-xQ^@Ota)9gw|2ri{S^X;wi@?g!u`nrZ)tD&&6T7PGoqoZR9XPOkPCb)r<)UCdO zsI^(cMkVVR(C`_{oXJl*;8~vwc^ASX`NFyNSC;4^|R5z>hOs zelU-eXGkSGH=efQxwXWK9`H;wT_hP)8^*7@d^$QI8+)5YKR~m8mGWI6uwt}i1#M~z zsler=>3V%HIsJ7-<4h%*)XMNN7LTV}bqt-({!aUDRjm>3oEN+fhQRgtdM++pOAWz* zN#wWGyWvOS82nyiPnYE9{I$xc6`i>S`%`HYaf1)LLKdA*ffrS`-MJCzJ9I$?`9^=C=VT#dH90g0^BE1K%ZA;3+O8{v+Y zJ9n-4%X{tYX2sr)^55&Bv2D%ejUJ{RFNKby;#a0Ay{Y#Pmja)&3n3DLZ?rs~oDq9m zB8l4g_7*$jLm#< zGh7gAT3N->zOt5?NlRMF8_tDn#_daKo{R^n5K@)35fjhT9(#Tlz515o7FxC!p4h25 z*oIJG0QR(K^bJD8K@Sk$p+4=@&{Ucl#Ch@zo7YqF4OdS*N}X!E=^3Oh01-9cn;C=J zlE*om9-px(<2znyA_b^ee`CR*9O6PxE<2v7`5=c|pEUw+gW?rptJAtfYiafo=HK6~0BWq`trK9?rO zhvv%^`IDsCSr0qON0h%ObDb?6lh0`@ 
zh0vCd?bj&G1|wVyEd3%rO;@2ll?H3u6{Q}O{kH~=$2}$Ut?Y1v)pb5%9f3B9zs=-h zMmkCuyi=_Y_AD11W@hY2)+lKC8=t&Ge80**1!^Y+x=wpM@Uy(MJkL!hOP>V%`FV-8Fl1ByUhbe7L~^W&%Wk@;k$NaG{W-e02{ zY2E%Hs9mAra&+gNelKILjpX5w7x@ltKy@YI?)B|Hr=00>eTl}z(~_nkv>wIDx>d!) zWtXPS=>RM~9^{l~^hI-J$0!b7`63b-(T$Xm2l!N+F{s zEYPPquLI|1=sevG_H!Q+mXv6FQA>|MCFb$a($;+!5lmy6&TCIk($b4bVOkCF_`r#s z8W7;=!|%#)fCQfTF&6pMRV^LV?rdk8!0+YYAu_m=wJlOLiVj_#BTM4H3l3>++RrS% zsl+-Os=JFN)y#15akkTo`k}s%XFs?Hz>2A}642lPrwl`;+Ow-|Wb1!TcZko6+b)w9 zT{utU!-uoZPX~&G<+clRuHkl?D`oW{HZL@^0GYF^<}nmehUwp$KT4xnDSv#0CBPA6 zM6BASZwaDQ-)#HxzOg1T^tK+1Jm>7TecB=WK%_!7QgquY@9b2=&5$xTksMZhK2Y3) z9uQB+y$hbDmmL?dws~%37cF5Y-?P_UQ+m*W_F<|JGZpe zF%KJuM>IMhv5w@2$R=(a*zS@^hMtSl(GLEb$dmu8Z$&BaU!9Vpluz%hi)&Uw(~k5n zxpi_MOHijwcFe4hZW~eP=urtfsE}(02g1FH!!6{pD;p1G5zTO&>(Ys4V*)GGsADW> z^hsJOE9K_7-a7X_r7$%Ao3gIO9-U*)Md23?Y)_vX>4B0WuA3vbi*3#FXPpV?) z;F+$I_fCH!!eFfzC7es{!LMK`?V-QnF6#dXA5sb87&o6NEM+o`9q?ePthrz|Re^-; z6QEhMsl*NIr#HzZ$dUEE=zZ>IWaPxSw$ss3(HYn3KMx^_?wXjCiTp$6geoH>G*5T0 zWMs8(la(X;DIUKYa`Dx}40UT`4ep(h>(&n4aR2ax6)X>8%vwA^Urf+Zo=YJ~=XUDG z`CZ8Xc28c`)XVip>iOLP>KJc}b zNHdh7R@+V#=e-msZL#RwwFO})aBJ}J54^1XGAhsP?}J|Av(=||peqqL>Wi12&i#`CdogakiWR;LEBD4On zeKODDa|vCd(`BJ*%rSJQ|1^HVXU~AU$h$iTzp~Wwimf2%rV%Us37O4 z+^)}Jqp`YyOMH~9J?fkNxNWabP>%4{x5#s~GRivZi2p-(q`lb}TR~2?zs<9@8>`oA zJD+}(O?0*=G8)|!2nXz0@yck0HB|qD2(v|DiZ%1ORZq4qxw1%Pdq3&^2U3jI!EBs zfd_o8PNk`|`TN^@`lip)v+Xurm%oF+#D^C6iWMyWxVFLQlZf2lDzo3eqpWS`o5s;d zmj;enk7jEfLgAkSKOW6PLXoSL@)kX$Qk}L;8U^2L*pwNt*Ek0yrauwK@jzE-TI>{) zPTl}|#6HJ6hEFApOOow`<io*n5z5RX&%IVc82?#aYLawup7bp0FDZkTKbR+HK z5k(}=wJ+ox3u=J&gnUdSPxu9vfB9W;K}SB!2wlQ>&dstnyS|jPr)or8Pa%%xAa(uV zt#A8)WhLp;>?X;-KGmHi80IFQ5QcKRNqTHf;qJN9Hk_^d(3ZT~W}oOVf5|Cu;(B4D z67NX~b-3*@j!oOLPe6xg8|o)3R*b_NH+;4#L3`_4wm%$MiL^hQ{Mg! z`-h$S2up^*zWggf3xxL{SwD5>XTVMWGcmDU{T!v~OZ!?^H#Ibe<)xoJruycAYVK@l z@n1_DnjZ#dyp;4DG_iJ=o=#m<`<_9=maydS85pCz4WF&_KP*gn{HYryHiVF1rrt4Y@a2bA6Ob5hNY-? 
zrZ%)y-T~O%nz&8uFje=Bg?fvQXNA0Ku#WiF)mEGBt(~1+1Y_Gb2u?q&2uyB;r7B(Q zsdnRf3w7UX{o}#J$fec7;`H$FbhqW|HCJ{ZhUcdE&JOSSot<5|YZ>p6yIL7Mpz`R{ z>mX~+#nq6Hfwkc)gE!42ubx^Bb}7tBO-(JSdx%=Wc^dLr<<;gr85A(D1eV^b3k4=4r9C+nZnoGmo#d)yiR+Qe~U zOE$8mIKV07>zw!-LSn0exWVTKmR~3l7?CKb(Mo3v*Vc;0tZJs1oC=1HB4*+H|eVq>_D%aatMFasX5LhG2uGzsZhke;Kga zru*=*%o;yEW>^Ulr3*fqH2gFllm~!;3I+6Fxt0e9qqF_25>_1|uNbRNfQ%k<^aEd` zyAq^Yj7yHH{pD@%YvAso3E{QkkWP(r+S$M=##BNgA{q|>cs%^@3?r<`c^E_?Oo8~M z)gS=EcP_#9w}-JzT$Kt#8D6h(DO+#W;r-4>_C?k@Jr_eye4W283^Hh#d+W&~0edC1 zK7kCS=`$uL{_9nEA#9%kpqSC+n6>un!m<%(MZQECdiy=u0?dC);}&XM_`7wHlBRe4 zt!p}0zZn2XF~X6Lqpx@8a~s%Nj?6HcZWxFC0Hv)`e4cL(1KArFcd24ON)q^K?oE&Z zC0Ew$gVVo0Et2j8>(74RG*@hYi2*}uB0+teMzf>&I_m^&gI~;~^|BHZ0ATTkGe|eG zGuJnja8^f;F>!Euy%L`t9vN1%)zGO)w@jo9|Ce8<XeKlB98$G{)=22i?jz+SOV_x?R$I+(zau3D4dSxAgY39G;IsB}{6XmU%rNw2e+ z`#L{tO8>4J5Z0%yJmIwKuQnZA$89l_b3FFdd2Q%s{$eYoEW5?t+wCP}bHRUr!~UpD zDQ!G1L@G}@QXzQ9+>rHYKZJ{KBeH`=4gM|Dbp$@!0YL9GQ*A2CmmiV$-gN;K_*u8! zM%veID2haP1>13UYPu%qCj&JTthfKovS^2&`pp2qP8uYwY;O-udy zT-EXH+KPu?Xuj#*E^u7B4me>rSf5{ibFy7);n$7a=0vB)Vu-v}h{+b?W6ZBZJ+(bN zp5|^09cf7n<}vMugji%TFc5^)iIOjD9W8iOhOwe=b72q}V;!y>ZtPK;s*|!_65TSk z-m{TUa{dmd^>FH_{7l(YZ0hH>(Z?r0@3PJB`qTu^@1*L zIZJ&Db1HRmg+Mu{6#W^wx@?pqnmZY4vY^dZ9NXY2frH3*}#VD=A*d zAQi{8!A^ZKf80m4ztiJBty5yXJ)pI2qN38vfg!0+9hTDZ6op?v?_e|{rNvP+yYpN- z+`18be`m(A+7_0&C&2S(xdh4FLXKk2?@RjP6+bjL>oNTK1HNWSEWvm2FVB+|&>#1{ z{hP}=mRB74rf#DCxPC`FORjjRwers0ibLFdN?`u&L>+VwQ$>b0PFasc-+=a=3^oCk z?!zOtZcEXQNAtXTq()tx73YhJOt_j}iW68^t0cII2{8g@lESWt;ZmH>qD3|M8;51T8rSeK3sk?MxXk)s1-o~C0L5$U9i`&SGAXS zB`1ulM1{?3^w(E3ctBW0MVJ{b7YbFpbR}_rHV%+dDNs3>>?R-X5a2{sqW9b8x$|Dm zI&CV`9d1+Z`NqZGXu(c^F2Zi}l^2}`2Y?eUYVu4t;^nD=1BkqJ7XmPURg%F0Z;sNA z(&JDOrOg9fN!AT~%hu}ctTmqZ#L)ft4{SZd<2!twerKrMq%#?ySG|hrGc9i?Mo4$u zcwzDS5Gy;-rHvErreWf$K-D|ClrZv5BSF)f1SGB!!w}8$`kbN08Lb=AE74E4X~Dxw zu+L(da>?|mwU2d0`j*jvm%zglwlfXCgQ%dam_=NP^<(>xR1{E^R1Zu+|M>mM-olCV zhIM>yODfnoHp;(XX()8GRI_sm4-YS?O2D8oO@<(WKRU4rR_Z)>_E{G@3q__-57K=e 
zyK!d8sriuCZ3;sF#4oIG05^7cOLhO5H#u5!g1e52PkYtkBs++j=~D8ZW8+GR;OnlI z$7@fI?}^Z}f%fPlD(xl1m^y*1(u?+uNl_kAEUi0vLqUrCmBUyB2xhEZD9ze(yWkE8R;7|LTY(<=m`QrwIq=u0Bw_(lwJr(u7igs)?M*FtQ%!e)6xVN44ys z0lRioF4X6!E@&sPFYvNwAMI7nB z4KOMn&ZCH+J1*sR-&-A_?SXhZ`R>SYTy*p!+z*>0C5?fjI5i7e1;J(*(RK1N4c#Rs@)*3Gb`V82MqE9dTZW-Bn3nHk{3$OPy( zIF;7b9SkL+!UQ262U$jj`G~xAvJ*57(kG{@7M@Wt`YCkw!^TV8gb4mt}_2c!GJ#wCYxMfv*4pS=pe$ zu|f`P5#uqMCbeuO7=lb!H%RQ$GzB8eD-@aR6Mu&YbL_bJ891Y?V&MIOI#DW3xX?}` z*7nvI(Xm|@C0Pm;4wP5nBkK;yF7rF@GFcku=jFy==>3U8_TLuX(a~xpQvMA!YN_%F^e}CLDIAVAaV|oowt8KIU^ZV>Un%({E6K!MG&qgV~UC{ZtTP( z7ea2?)ll=%f?Wp2$H74n-o3``H}#hNbvPOF7>$V&4l_3qZaNtU9r{?Z3&Gg#8_`ek zQtGe@6JE{KUUGJ;m~3_{^sx`<6lU};t5epeHnJPHg32_qNz9 zQqJ5Rj@8I;z!RE z-<)?p9dV;83m!f0s}r6iYIDj0v64$ed}W7=+laj-)vX z)~cU2Jx?$tF6%Ie(5+}1%q1mBzgor>>VyY=gSXOPm5uf0$kOVjR}tbUVv4g7dyU;k zU(W~0*kE9*pA#%z0N;-%T{7hG+%N0cHCzS5{UpQbCu#02e}BFPe#1+xyq(#(n|Xv1 z&t6U9mY%*z?*UiQ{`xvQ4}w&?<}(4pb92GqNySL;yz@bla_S1}Awwe!09|ag%s_a& zb!Wm&dhh`j#o0ZP0DJ%KI)_`3m>t}50vz<)a^ro6dN{Lme;mSdQpY>O3HvkzZShwa zC+;A=wzH&Znp|>fe@XuN?CKgJVan1=deZ=-2Ae^(d_Auu7wr^d;^f=TOa+IE|K~NZ zfAkY~qa^Tz*ZF}`_<10LSTP#-y8n%)Pmb{?>_!Xad{PoJ4o1JNOWZGPVgqDhIZQaN z^Fkb%d#dymfIbz<*R{1yZKpFEP>_fO0GKL5WQcirEZ@KC&c_<#ev4u8Ax@17QOsPm z*`o%opnSLv0fqxh|CJLNA3DZF?CiVn3@d5xdYKiHnT}o3HQ0+Fz_T5^t3Jp#)bmk$ zhrOZS;<_w?11GBisx_bXX>7IHxcm06=ew*XsL~h~Nj_iK>|PpDQ4zN1F*}-i z%Lcs7*PpN6JE#6}J-E@%e*g#L1RE5naTQSUdJ~e4MLS2>u<0hYh|9HN#FxNVxp-ouT0P zb-t{92`3|8w3-|X3|2aZPnOuu&sicLWhiTZQh8jW!ePT0PPS_UGM)d9V!QbCujwsB z3Z&`{Z#W`CMuv`8j+}xcFwl0{?+2F<#2VVw@_QnKGaT1vM`#89iuMwfWsX-G^1#ML ze%j&x{qflWW^T_2vL)Ydo3t-eF#}vEO_$2 zUBJA?V4;*gRDl0y;9qES-m=$mU#y-Z#)A=(F-OvQoVWFgm&kT{f9x1W!G|j3^yhv1 z{soSmH+({h5*0nD*9hnyA2(K0kL&*~QZQ*rhJ`F;o57i`;3rH`j!XBwKXZI9-c%d? 
diff --git a/devices/surface/index.md b/devices/surface/index.md index 2cbeff64cf..2a2598a5cd 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -62,18 +62,22 @@ For more information on planning for, deploying, and managing Surface devices in

Explore the available options to manage firmware and driver updates for Surface devices.

+

[Manage Surface UEFI settings](manage-surface-uefi-settings.md)

+

Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.

+ +

[Surface Data Eraser](microsoft-surface-data-eraser.md)

Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.

- +

[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)

See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.

- +

[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)

Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.

- +

[Surface Dock Updater](surface-dock-updater.md)

Get a detailed walkthrough of Microsoft Surface Dock Updater.

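Review bot: the blank-line handling in this hunk is inconsistent: two blank lines are added in a row after the "Use Surface UEFI settings..." description (the `+ +` pair), while every other entry in the list is separated by a single blank line, and the three `- +` pairs after the Surface Data Eraser, Deployment Accelerator and Diagnostic Toolkit descriptions replace an existing blank line with another blank line, which reads as a whitespace-only change. Suggest keeping one blank line between entries and dropping the whitespace-only replacements so the diff shows only the new Manage Surface UEFI settings entry.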
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md new file mode 100644 index 0000000000..e18dfc07a7 --- /dev/null +++ b/devices/surface/manage-surface-uefi-settings.md 
@@ -0,0 +1,138 @@ +--- +title: Manage Surface UEFI settings (Surface) +description: Use Surface UEFI settings to enable or disable devices or components, configure security settings, and adjust Surface device boot settings. +keywords: firmware, security, features, configure, hardware +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: devices, surface +author: miladCA +--- + +#Manage Surface UEFI settings + +Current and future generations of Surface devices, including Surface Pro 4 and Surface Book, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings. + +>**Note:**  Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface devices do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI. + +You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot. + +##PC information + +On the **PC Information** page, detailed information about your Surface device is provided: + +- **Model** – Your Surface device’s model will be displayed here, such as Surface Book or Surface Pro 4. The exact configuration of your device is not shown, (such as processor, disk size, or memory size). +- **UUID** – This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management. 
+ +- **Serial Number** – This number is used to identify this specific Surface device for asset tagging and support scenarios. +- **Asset Tag** – The asset tag is assigned to the Surface device with the [Asset Tag Tool](https://www.microsoft.com/en-us/download/details.aspx?id=44076). + +You will also find detailed information about the firmware of your Surface device. Surface devices have several internal components that each run different versions of firmware. The firmware version of each of the following devices is displayed on the **PC Information** page (as shown in Figure 1): + +- System UEFI + +- SAM Controller + +- Intel Management Engine + +- System Embedded Controller + +- Touch Firmware + +*Figure 1. System information and firmware version information* + +![figure 1](images/manage-surface-uefi-figure-1.png) + +You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/en-us/support/install-update-activate/surface-update-history) for your device. + +##Security + +On the **Security** page of Surface UEFI settings, you can set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2): + +- Uppercase letters: A-Z + +- Lowercase letters: a-z + +- Numbers: 1-0 + +- Special characters: !@#$%^&*()?<>{}[]-_=+|.,;:’`” + +The password must be at least 6 characters and is case sensitive. + +*Figure 2. Add a password to protect Surface UEFI settings* + +![figure 2](images/manage-surface-uefi-fig2.png) + +On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. 
You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library. + +*Figure 3. Configure Secure Boot* + +![figure 3](images/manage-surface-uefi-fig3.png) + +You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library. + +*Figure 4. Configure Surface UEFI security settings* + +![figure 4](images/manage-surface-uefi-fig4.png) + +##Devices + +On the **Devices** page you can enable or disable specific devices and components of your Surface device. Devices that you can enable or disable on this page include: + +- Docking and USB Ports + +- MicroSD or SD Card Slot + +- Rear Camera + +- Front Camera + +- Infrared (IR) Camera + +- Wi-Fi and Bluetooth + +- Onboard Audio (Speakers and Microphone) + +Each device is listed with a slider that you can set into the **On** (enabled) or **Off** (disabled) position, as shown in Figure 5. + +*Figure 5. Enable and disable specific devices* + +![figure 5](images/manage-surface-uefi-fig5.png) + +##Boot configuration + +On the **Boot Configuration** page, you can change the order of your boot devices and/or enable or disable boot of the following devices: + +- Windows Boot Manager + +- USB Storage + +- PXE Network + +- Internal Storage + +You can boot from a specific device immediately, or you can swipe left on that device’s entry in the list using the touchscreen. 
You can also boot immediately to a USB device or USB Ethernet adapter when the Surface device is powered off by pressing the **Volume Down** button and the **Power** button simultaneously. + +For the specified boot order to take effect, you must set the **Enable Alternate Boot Sequence** option to **On**, as shown in Figure 6. + +*Figure 6. Configure the boot order for your Surface device* + +![figure 6](images/manage-surface-uefi-fig6.png) + +You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only. + +##About + +The **About** page displays regulatory information, such as compliance with FCC Rules, as shown in Figure 7. + +*Figure 7. Regulatory information is displayed on the **About** page* + +![figure 7](images/manage-surface-uefi-fig7.png) + +##Exit + +Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8. + +*Figure 8. Click **Restart Now** to exit Surface UEFI and restart the device* + +![figure 8](images/manage-surface-uefi-fig8.png) From 6918bf38767bbdca6d9b64185508c5c9c440ed9a Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Thu, 19 May 2016 18:44:49 -0700 Subject: [PATCH 10/16] fix typos --- devices/surface/manage-surface-uefi-settings.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index e18dfc07a7..20a0aa3322 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md 
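Review bot: in the Security section of the new file the password character list says `Numbers: 1-0`, which should read `0-9`, and the special-character list ends in typographic quotes (`’` and `”`) where the ASCII apostrophe and double quote are meant; since users type this password at the UEFI prompt, the list should show exactly the characters accepted. Two further points in the same hunk: the Security section says the TPM "is used to authenticate encryption for your device's data with BitLocker" and that Secure Boot can be disabled or configured with third-party certificates, but it does not say that disabling the TPM or changing the Secure Boot configuration on a BitLocker-protected device will put BitLocker into recovery at the next boot, so an admin should suspend BitLocker or have the recovery key at hand before changing either setting; a one-line caveat there would save support calls. Also, the headings are written as `#Manage Surface UEFI settings` and `##PC information` with no space after the hash marks, which CommonMark renderers do not treat as headings; the BitLocker docs later in this series use `# Heading`, so the same form should be used here.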
@@ -19,7 +19,7 @@ You can enter the Surface UEFI settings on your Surface device by pressing the * ##PC information -On the **PC Information** page, detailed information about your Surface device is provided: +On the **PC information** page, detailed information about your Surface device is provided: - **Model** – Your Surface device’s model will be displayed here, such as Surface Book or Surface Pro 4. The exact configuration of your device is not shown, (such as processor, disk size, or memory size). - **UUID** – This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management. @@ -27,7 +27,7 @@ On the **PC Information** page, detailed information about your Surface device i - **Serial Number** – This number is used to identify this specific Surface device for asset tagging and support scenarios. - **Asset Tag** – The asset tag is assigned to the Surface device with the [Asset Tag Tool](https://www.microsoft.com/en-us/download/details.aspx?id=44076). -You will also find detailed information about the firmware of your Surface device. Surface devices have several internal components that each run different versions of firmware. The firmware version of each of the following devices is displayed on the **PC Information** page (as shown in Figure 1): +You will also find detailed information about the firmware of your Surface device. Surface devices have several internal components that each run different versions of firmware. The firmware version of each of the following devices is displayed on the **PC information** page (as shown in Figure 1): - System UEFI 
@@ -93,7 +93,7 @@ On the **Devices** page you can enable or disable specific devices and component - Onboard Audio (Speakers and Microphone) -Each device is listed with a slider that you can set into the **On** (enabled) or **Off** (disabled) position, as shown in Figure 5. +Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5. *Figure 5. Enable and disable specific devices* @@ -123,9 +123,9 @@ You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE ##About -The **About** page displays regulatory information, such as compliance with FCC Rules, as shown in Figure 7. +The **About** page displays regulatory information, such as compliance with FCC rules, as shown in Figure 7. -*Figure 7. Regulatory information is displayed on the **About** page* +*Figure 7. Regulatory information is displayed on the About page* ![figure 7](images/manage-surface-uefi-fig7.png) @@ -133,6 +133,6 @@ The **About** page displays regulatory information, such as compliance with FCC Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8. -*Figure 8. Click **Restart Now** to exit Surface UEFI and restart the device* +*Figure 8. Click Restart Now to exit Surface UEFI and restart the device* ![figure 8](images/manage-surface-uefi-fig8.png) From 548b5e37598bfa2c298af414499113817d6e5fb3 Mon Sep 17 00:00:00 2001 From: Jan Backstrom Date: Fri, 20 May 2016 08:45:49 -0700 Subject: [PATCH 11/16] fix wording --- devices/surface/manage-surface-uefi-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index 20a0aa3322..44428903c1 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md 
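Review bot: in the @@ -93 hunk of PATCH 10/16 the rewritten sentence drops an article: "a slider button that you can move to **On** (enabled) or **Off** (disabled) position" should read "that you can move to the **On** (enabled) or **Off** (disabled) position".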
@@ -13,7 +13,7 @@ author: miladCA Current and future generations of Surface devices, including Surface Pro 4 and Surface Book, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings. ->**Note:**  Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface devices do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI. +>**Note:**  Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI. You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot. From 0cc22ca5c21a8781f711729bea6878b3fef498ad Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 20 May 2016 09:04:28 -0700 Subject: [PATCH 12/16] removing offline maps UI step --- ...-devices-to-stop-data-flow-to-microsoft.md | 27 +++++-------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index bfc720cc35..8e22953d44 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md 
@@ -285,8 +285,7 @@ When you enable the **Don't search the web or display web results in Search** Gr - For **Remote port**, choose **All ports**. -**Note** -If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer. +> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. You should use a network traffic analyzer, such as WireShark or Message Analyzer. ### 1.2 Cortana MDM policies @@ -321,8 +320,7 @@ Starting with Windows 10, fonts that are included in Windows but that are not st To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. -**Note** -This may change in future versions of Windows. +> **Note:** This may change in future versions of Windows. ### 5. Insider Preview builds @@ -408,8 +406,7 @@ Use either Group Policy or MDM policies to manage settings for Microsoft Edge. F Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. -**Note** -The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes. +> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes. | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| 
@@ -453,10 +450,6 @@ You can turn off NCSI through Group Policy: You can turn off the ability to download and update offline maps. -- In the UI: **Settings** > **System** > **Offline maps** > **Automatically update maps** - - -or- - - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** ### 12. OneDrive @@ -617,10 +610,7 @@ Use Settings > Privacy to configure some settings that may be important to yo To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: -**Note** -When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. - - +> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. - Turn off the feature in the UI. @@ -660,8 +650,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: -**Note** -If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. +> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. @@ -793,8 +782,7 @@ To turn off **Choose apps that can use your microphone**: In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. -**Note** -For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. +> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. 
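Review bot: in the @@ -660 hunk the converted callout is written as `> **Note: ** If the telemetry level...` with a space before the closing asterisks; Markdown will not close the bold span there, so the rendered line shows literal asterisks. It should be `> **Note:** If the telemetry level...`, matching the other callouts converted in this patch.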
@@ -987,8 +975,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic - To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. - **Note** - You can't use the UI to change the telemetry level to **Security**. + > **Note:** You can't use the UI to change the telemetry level to **Security**. From 4507a7a8d43566f66115545f99e108f8c1d95fe4 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 20 May 2016 09:11:40 -0700 Subject: [PATCH 13/16] Bug# 7594483 --- ...igure-windows-10-devices-to-stop-data-flow-to-microsoft.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md index 8e22953d44..7b24cfdfbe 100644 --- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md +++ b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md @@ -1094,6 +1094,10 @@ You can opt of the Microsoft Antimalware Protection Service. -or- - Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). + + -and- + + From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** You can stop sending file samples back to Microsoft. From 8f074a01089e7721fc6154ff01ddc42b12d8b430 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Fri, 20 May 2016 10:53:14 -0700 Subject: [PATCH 14/16] updates for 7616926 LOB and supported markets --- windows/manage/working-with-line-of-business-apps.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/manage/working-with-line-of-business-apps.md b/windows/manage/working-with-line-of-business-apps.md index a8a36b3268..2700a1f83a 100644 --- a/windows/manage/working-with-line-of-business-apps.md 
+++ b/windows/manage/working-with-line-of-business-apps.md @@ -78,7 +78,8 @@ After an app is published and available in the Store, ISVs publish an updated ve 5. Click **Save** to save your changes and start the app submission process. -For more information, see [Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](http://go.microsoft.com/fwlink/p/?LinkId=627543). +For more information, see [Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](http://go.microsoft.com/fwlink/p/?LinkId=627543).
+**Note** In order to get the LOB app, the organization must be located in a [supported market](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app. ### Add app to inventory (admin) From 767de92db7d80b935945dcbd3733b274f0ef3306 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Fri, 20 May 2016 11:58:40 -0700 Subject: [PATCH 15/16] small updates from review --- .../surface-hub/i-am-done-finishing-your-surface-hub-meeting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md index 02819a1963..137667385b 100644 --- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md +++ b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md @@ -38,7 +38,7 @@ Meeting attendees have access to a limited set of directories on the Surface Hub - Pictures - Downloads -Surface Hub also clears these directories, since many applications often write to these directories: +Surface Hub also clears these directories, since many applications often write to them: - Desktop - Favorites - Recent From d7f6f57bfe8d3f64037fa57a3ba3dd1eae299f71 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 20 May 2016 16:50:15 -0700 Subject: [PATCH 16/16] fixing spacing issues --- .../keep-secure/bitlocker-countermeasures.md | 60 ++- .../bitlocker-frequently-asked-questions.md | 202 +++++++- .../bitlocker-group-policy-settings.md | 436 ++++++++++++++---- ...tlocker-how-to-deploy-on-windows-server.md | 53 ++- .../bitlocker-how-to-enable-network-unlock.md | 176 +++++-- windows/keep-secure/bitlocker-overview.md | 111 ++--- .../bitlocker-recovery-guide-plan.md | 176 +++++-- 7 files changed, 943 insertions(+), 271 deletions(-) 
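Review bot: in the @@ -1094 hunk of PATCH 13/16 the new PowerShell step is added as a bare paragraph ("From an elevated Windows PowerShell prompt, run ...") under an "-and-" separator, while the surrounding steps are `- ` list items joined by "-or-"; a reader cannot tell whether the cmdlet is required in addition to the registry value or is a third alternative, so make it a list item with the same marker and have the separator say which it is. The cmdlet should also be written with its published casing, `Set-MpPreference -MAPSReporting 0`, so readers can match it to the cmdlet reference, and the hunk's context line "You can opt of the Microsoft Antimalware Protection Service" is missing the word "out".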
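Review bot: in the @@ -78 hunk of PATCH 14/16 the new `**Note** In order to get the LOB app...` line directly follows the "For more information, see ..." paragraph with no blank line between them, so Markdown folds the note into that paragraph as one block of text. Insert a blank line before it and, to match the callout style the other commits in this series move to, write it as `> **Note:** In order to get the LOB app, ...`.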
diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 4f52324123..687bf6047b 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md 
@@ -2,87 +2,137 @@ title: BitLocker Countermeasures (Windows 10) description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. ms.assetid: ebdb0637-2597-4da1-bb18-8127964686ea -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- # BitLocker Countermeasures + **Applies to** - Windows 10 + Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. BitLocker is part of a strategic approach to securing mobile data through encryption technology. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. Today, BitLocker helps mitigate unauthorized data access on lost or stolen computers before the operating system is started by: + - **Encrypting the hard drives on your computer.** For example, you can turn on BitLocker for your operating system drive, a fixed data drive, or a removable data drive (such as a USB flash drive). Turning on BitLocker for your operating system drive encrypts all system files on the operating system drive, including the swap files and hibernation files. - **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer’s boot components appear unaltered and the encrypted disk is located in the original computer. 
+ The sections that follow provide more detailed information about the different technologies that Windows uses to protect against attacks on the BitLocker encryption key in four different boot phases: before startup, during pre-boot, during startup, and finally after startup. + ### Protection before startup + Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM andSecure Boot. Fortunately, many modern computers feature TPM. + **Trusted Platform Module** + Software alone isn’t sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify. + A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-proof. If an attacker tries to physically retrieve data directly from the chip, they’ll probably destroy the chip in the process. By binding the BitLocker encryption key with the TPM and properly configuring the device, it’s nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user’s credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key. For more info about TPM, see [Trusted Platform Module](trusted-platform-module-overview.md). + **UEFI and Secure Boot** + No operating system can protect a device when the operating system is offline. 
For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solution’s encryption keys. + The UEFI is a programmable boot environment introduced as a replacement for BIOS, which has for the most part remained unchanged for the past 30 years. Like BIOS, PCs start UEFI before any other software; it initializes devices, and UEFI then starts the operating system’s bootloader. As part of its introduction into the pre–operating system environment, UEFI serves a number of purposes, but one of the key benefits is to protect newer devices against a sophisticated type of malware called a bootkit through the use of its Secure Boot feature. + Recent implementations of UEFI (starting with version 2.3.1) can verify the digital signatures of the device’s firmware before running it. Because only the PC’s hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI can prevent firmware-based bootkits. Thus, UEFI is the first link in the chain of trust. + Secure Boot is the foundation of platform and firmware security and was created to enhance security in the pre-boot environment regardless of device architecture. Using signatures to validate the integrity of firmware images before they are allowed to execute, Secure Boot helps reduce the risk of bootloader attacks. The purpose of Secure Boot is to block untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. With the legacy BIOS boot process, the pre–operating system environment is vulnerable to attacks by redirecting bootloader handoff to possible malicious loaders. These loaders could remain undetected to operating system and antimalware software. The diagram in Figure 1 contrasts the BIOS and UEFI startup processes. 
+ ![the bios and uefi startup processes](images/bitlockerprebootprotection-bios-uefi-startup.jpg) + **Figure 1.** The BIOS and UEFI startup processes -With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether it’s trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloader’s digital signature. Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate. + +With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether it’s trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloader’s digital signature. +Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate. + If the bootloader passes these two tests, UEFI knows that the bootloader isn’t a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files haven’t been changed. + All Windows 8–certified devices must meet several requirements related to UEFI-based Secure Boot: + - They must have Secure Boot enabled by default. - They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed). - They must allow the user to configure Secure Boot to trust other signed bootloaders. - Except for Windows RT devices, they must allow the user to completely disable Secure Boot. + These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems: -- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. 
The Linux community is using this process to enable Linux to take advantage of Secure Boot on Windows-certified devices. + +- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. The Linux community is using this process to enable Linux to take advantage of +Secure Boot on Windows-certified devices. + - **Configure UEFI to trust your custom bootloader.** Your device can trust a signed, non-certified bootloader that you specify in the UEFI database, allowing you to run any operating system, including homemade operating systems. - **Turn off Secure Boot.** You can turn off Secure Boot. This does not help protect you from bootkits, however. + To prevent malware from abusing these options, the user has to manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. Any device that doesn’t require Secure Boot or a similar bootloader-verification technology, regardless of the architecture or operating system, is vulnerable to bootkits, which can be used to compromise the encryption solution. UEFI is secure by design, but it’s critical to protect the Secure Boot configuration by using password protection. In addition, although several well-publicized attacks against UEFI have occurred, they were exploiting faulty UEFI implementations. Those attacks are ineffective when UEFI is implemented properly. + For more information about Secure Boot, refer to [Securing the Windows 8.1 Boot Process](http://technet.microsoft.com/windows/dn168167.aspx). + ### Protection during pre-boot: Pre-boot authentication + Pre-boot authentication with BitLocker is a process that requires the use of either a Trusted Platform Module (TPM), user input, such as a PIN, or both, depending on hardware and operating system configuration, to authenticate prior to making the contents of the system drive accessible. 
In the case of BitLocker, BitLocker encrypts the entire drive, including all system files. BitLocker accesses and stores the encryption key in memory only after a pre-boot authentication is completed using one or more of the following options: Trusted Platform Module (TPM), user provides a specific PIN, USB startup key. + If Windows can’t access the encryption key, the device can’t read or edit the files on the system drive. Even if an attacker takes the disk out of the PC or steals the entire PC, they won’t be able to read or edit the files without the encryption key. The only option for bypassing pre-boot authentication is entering the highly complex, 48-digit recovery key. + The BitLocker pre-boot authentication capability is not specifically designed to prevent the operating system from starting: That’s merely a side effect of how BitLocker protects data confidentiality and system integrity. Pre-boot authentication is designed to prevent the encryption key from being loaded to system memory on devices that are vulnerable to certain types of cold boot attacks. Many modern devices prevent an attacker from easily removing the memory, and Microsoft expects those devices to become even more common in the future. + On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: + - **TPM-only.** Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and the user must enter a recovery password to regain access to the data. - **TPM with startup key.** In addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. 
Data on the encrypted volume cannot be accessed without the startup key. - **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. - **TPM with startup key and PIN.** In addition to the core component protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required. + For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented. These mitigations may be inherent to the device or may come by way of configurations that IT can provision to devices and Windows itself. + Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they’re denied access to their data until they can contact their organization’s support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks). + BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. 
Windows 8.1 and later InstantGo devices do not need pre-boot authentication to defend against DMA-based port attacks, as the ports will not be present on certified devices. A non-InstantGo Windows 8.1 and later device requires pre-boot authentication if DMA ports are enabled on the device and additional mitigations described in this document are not implemented. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy. Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold boot–style attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however. + You can mitigate the risk of booting to a malicious operating system: + - **Windows 10 (without Secure Boot), Windows 8.1 (without Secure Boot), Windows 8 (without UEFI-based Secure Boot), or Windows 7 (with or without a TPM).** Disable booting from external media, and require a firmware password to prevent the attacker from changing that option. - **Windows 10, Windows 8.1, or Windows 8 (certified or with Secure Boot).** Password protect the firmware, and do not disable Secure Boot. + ### Protection During Startup + During the startup process, Windows 10 uses Trusted Boot and Early Launch Antimalware (ELAM) to examine the integrity of every component. The sections that follow describe these technologies in more detail. + **Trusted Boot** + Trusted Boot takes over where UEFI-based Secure Boot leaves off—during the operating system initialization phase. The bootloader verifies the digital signature of the Windows kernel before loading it. 
The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM driver. If a file has been modified or is not properly signed with a Microsoft signature, Windows detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. + Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI nor a TPM. However, without Secure Boot, it’s possible for malware to compromise the startup process prior to Windows starting, at which point Trusted Boot protections could be bypassed or potentially disabled. + **Early Launch Antimalware** + Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. + The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. + With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. ELAM classifies drivers as follows: + - **Good.** The driver has been signed and has not been tampered with. - **Bad.** The driver has been identified as malware. It is recommended that you not allow known bad drivers to be initialized. 
- **Bad but required for boot.** The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - **Unknown.** This driver has not been attested to by your malware-detection application or classified by the ELAM boot-start driver. + While the features listed above protect the Windows boot process from malware threats that could compromise BitLocker security, it is important to note that DMA ports may be enabled during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port related policies that have been configured. This period of time where the encryption key could be exposed to a DMA attack could be less than a minute on recent devices or longer depending on system performance. The use of pre-boot authentication with a PIN can be used to successfully mitigate against an attack. + ### Protection After Startup: eliminate DMA availability + Windows InstantGo–certified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA. + ## See also - [Types of Attacks for Volume Encryption Keys](types-of-attacks-for-volume-encryption-keys.md) - [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) - [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) - [BitLocker overview](bitlocker-overview.md) -  -  diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index d9dd86cdc9..4d179869fb 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md 
@@ -2,17 +2,22 @@ title: BitLocker frequently asked questions (FAQ) (Windows 10) description: This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker frequently asked questions (FAQ) + **Applies to** - Windows 10 + This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. + BitLocker is a data protection feature that encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. + - [Overview and requirements](#bkmk-overview) - [Upgrading](#bkmk-upgrading) - [Deployment and administration](#bkmk-deploy) 
@@ -22,43 +27,75 @@ BitLocker is a data protection feature that encrypts the hard drives on your com - [Security](#bkmk-security) - [BitLocker Network Unlock](#bkmk-bnusect) - [Other questions](#bkmk-other) + ## Overview and requirements + ### How does BitLocker work? + **How BitLocker works with operating system drives** + You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data. + **How BitLocker works with fixed and removable data drives** + You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods. + ### Does BitLocker support multifactor authentication? + Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection. + ### What are the BitLocker hardware and software requirements? -**Note**   -Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker. + +> **Note:**  Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.   
### Why are two partitions required? Why does the system drive have to be so large? + Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. + ### Which Trusted Platform Modules (TPMs) does BitLocker support? + BitLocker supports TPM version 1.2 or higher. + ### How can I tell if a TPM is on my computer? + Open the TPM MMC console (tpm.msc) and look under the **Status** heading. + ### Can I use BitLocker on an operating system drive without a TPM? + Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. + ### How do I obtain BIOS support for the TPM on my computer? + Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: + - It is compliant with the TCG standards for a client computer. - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. 
+ ### What credentials are required to use BitLocker? + To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. + ### What is the recommended boot order for computers that are going to be BitLocker-protected? + You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  + ## Upgrading + ### Can I upgrade my Windows 7 or Windows 8 computer to Windows 10 with BitLocker enabled? + Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLocker**, and then and click **Suspend**. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable access. After the upgrade has completed, open Windows Explorer, right-click the drive, and then click **Resume Protection**. This reapplies the BitLocker authentication methods and deletes the clear key. + ### What is the difference between suspending and decrypting BitLocker? + **Decrypt** completely removes BitLocker protection and fully decrypts the drive. + **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. 
The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. + ### Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? + The following table lists what action you need to take before you perform an upgrade or update installation. + @@ -95,142 +132,253 @@ The following table lists what action you need to take before you perform an upg
  -**Note**   -If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. +> **Note:**  If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.   ## Deployment and administration + ### Can BitLocker deployment be automated in an enterprise environment? + Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](http://go.microsoft.com/fwlink/p/?LinkId=80600). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj649829.aspx). + ### Can BitLocker encrypt more than just the operating system drive? + Yes. + ### Is there a noticeable performance impact when BitLocker is enabled on a computer? + Generally it imposes a single-digit percentage performance overhead. 
+ ### How long will initial encryption take when BitLocker is turned on? + Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive. + You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. + ### What happens if the computer is turned off during encryption or decryption? + If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable. + ### Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? + No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. + ### How can I prevent users on a network from storing data on an unencrypted drive? + You can can Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). 
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. + ### What system changes would cause the integrity check on my operating system drive to fail? + The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: + - Moving the BitLocker-protected drive into a new computer. - Installing a new motherboard with a new TPM. - Turning off, disabling, or clearing the TPM. - Changing any boot configuration settings. - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. + ### What causes BitLocker to start into recovery mode when attempting to start the operating system drive? + Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. + ### Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? + Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. 
You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. + ### Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? + Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. + ### Why is "Turn BitLocker on" not available when I right-click a drive? Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted. + ### What type of disk configurations are supported by BitLocker? Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. + ## Key management + ### What is the difference between a TPM owner password, recovery password, recovery key, password, PIN, enhanced PIN, and startup key? + There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require. + ### How can the recovery password and recovery key be stored? 
+ The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed. + For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive. + A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. + ### Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? + You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *<4-20 digit numeric PIN>* with the numeric PIN you want to use: -**manage-bde –protectors –delete %systemdrive% -type tpm** -**manage-bde –protectors –add %systemdrive% -tpmandpin** *<4-20 digit numeric PIN>* + +`manage-bde –protectors –delete %systemdrive% -type tpm` + +`manage-bde –protectors –add %systemdrive% -tpmandpin <4-20 digit numeric PIN>` + ### If I lose my recovery information, will the BitLocker-protected data be unrecoverable? + BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. -**Important**   -Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. + +>**Important:**  Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.   
### Can the USB flash drive that is used as the startup key also be used to store the recovery key? + While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. + ### Can I save the startup key on multiple USB flash drives? + Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed. + ### Can I save multiple (different) startup keys on the same USB flash drive? + Yes, you can save BitLocker startup keys for different computers on the same USB flash drive. + ### Can I generate multiple (different) startup keys for the same computer? + You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check. + ### Can I generate multiple PIN combinations? + You cannot generate multiple PIN combinations. + ### What encryption keys are used in BitLocker? How do they work together? + Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios. + ### Where are the encryption keys stored? + The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. 
If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key. + This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager. + ### Why do I have to use the function keys to enter the PIN or the 48-character recovery password? + The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards. + When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment. + ### How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive? + It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer. + The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks. After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. 
Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. + ### How can I determine the manufacturer of my TPM? + You can determine your TPM manufacturer in the TPM MMC console (tpm.msc) under the **TPM Manufacturer Information** heading. + ### How can I evaluate a TPM's dictionary attack mitigation mechanism? + The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism: + - How many failed authorization attempts can occur before lockout? - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? - What actions can cause the failure count and lockout duration to be decreased or reset? + ### Can PIN length and complexity be managed with Group Policy? + Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy. + For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + ## BitLocker To Go + BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. + ## Active Directory Domain Services (AD DS) + ### What if BitLocker is enabled on a computer before the computer has joined the domain? 
+ If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. + For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the C: drive to AD DS, you would use the following command from an elevated command prompt: **manage-bde -protectors -adbackup C:**. -**Important**   -Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). + +>**Important:**  Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).   ### Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? 
+ Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. + Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. + ### If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password? + No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object. + ### What happens if the backup initially fails? Will BitLocker retry the backup? + If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS. 
+ When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. + For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored. + ## Security + ### What form of encryption does BitLocker use? Is it configurable? + BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. + ### What is the best practice for using BitLocker on an operating system drive? 
+ The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, plus a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. + ### What are the implications of using the sleep or hibernate power management options? + BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method. + ### What are the advantages of a TPM? + Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. -**Note**   -Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. 
+ +>**Note:**  Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.   ## BitLocker Network Unlock + BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. + To use Network Unlock you must also have a PIN configured for your computer. When your computer is not connected to the network you will need to provide the PIN to unlock it. + BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. -Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. + +Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is +not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. + For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). 
+ ## Other questions + ### Can I run a kernel debugger with BitLocker? + Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. + ### How does BitLocker handle memory dumps? + BitLocker has a storage driver stack that ensures memory dumps are encrypted when BitLocker is enabled. + ### Can BitLocker support smart cards for pre-boot authentication? + BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult. + ### Can I use a non-Microsoft TPM driver? + Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. + ### Can other tools that manage or modify the master boot record work with BitLocker? + We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. 
+ ### Why is the system check failing when I am encrypting my operating system drive? + The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: + - The computer's BIOS or UEFI firmware cannot read USB flash drives. - The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. - There are multiple USB flash drives inserted into the computer. 
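Review bot: the two manage-bde commands that this hunk converts to code spans (Key management, "Is it possible to add an additional method of authentication...") still carry en-dashes in `–protectors –delete` and `–protectors –add`; manage-bde only parses ASCII hyphens as switches, so the lines fail as soon as a reader pastes them into an elevated prompt. Suggest `manage-bde -protectors -delete %systemdrive% -type tpm` and `manage-bde -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>`. Two smaller points in the same hunk: the `manage-bde -protectors -adbackup C:` command in the AD DS section is left in bold rather than a code span like the others, and the rewrapped Network Unlock paragraph keeps the typo "can ot be connected" (should read "cannot be connected") and now breaks mid-sentence after "If the PIN is", which renders fine in Markdown but departs from the one-paragraph-per-line layout used everywhere else in this file.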
@@ -238,27 +386,45 @@ The system check is designed to ensure your computer's BIOS or UEFI firmware is - The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment. - The startup key was removed before the computer finished rebooting. - The TPM has malfunctioned and fails to unseal the keys. + ### What can I do if the recovery key on my USB flash drive cannot be read? + Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. + ### Why am I unable to save my recovery key to my USB flash drive? + The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. + ### Why am I unable to automatically unlock my drive? + Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. 
For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. + ### Can I use BitLocker in Safe Mode? + Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. + ### How do I "lock" a data drive? + Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command. -**Note**   -Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. + +>**Note:**  Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.   The syntax of this command is: -**manage-bde** *<driveletter>* **-lock** + +`manage-bde -lock` + Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer. + ### Can I use BitLocker with the Volume Shadow Copy Service? + Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. + ### Does BitLocker support virtual hard disks (VHDs)? + BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2. 
+ ## More information + - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) @@ -267,5 +433,3 @@ BitLocker is not supported on bootable VHDs, but BitLocker is supported on data - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) - [BitLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/6f49f904-e04d-4b90-afbc-84bc45d4d30d) -  -  diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index 2179049ec9..77412bda71 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md 
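Review bot: `manage-bde -lock` in the "How do I lock a data drive" answer has lost the drive argument that the removed line carried as `*<driveletter>*`, so the sentence "The syntax of this command is:" now introduces a command with no drive to lock. Suggest `manage-bde -lock <driveletter>`; inside a backtick code span the angle brackets are literal, so the placeholder does not need the escaping it would in plain Markdown text, which is probably why it disappeared in the first place.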
@@ -2,26 +2,36 @@ title: BitLocker Group Policy settings (Windows 10) description: This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. ms.assetid: 4904e336-29fe-4cef-bb6c-3950541864af -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker Group Policy settings + **Applies to** - Windows 10 + This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. + To control what drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed. -**Note**   -A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](trusted-platform-module-services-group-policy-settings.md). + +>**Note:**  A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](trusted-platform-module-services-group-policy-settings.md).   BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. 
If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. -If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. + +If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group +Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. 
+ ## BitLocker Group Policy settings + The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives. + The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. + - [Allow network unlock at startup](#bkmk-netunlock) - [Require additional authentication at startup](#bkmk-unlockpol1) - [Allow enhanced PINs for startup](#bkmk-unlockpol2) @@ -35,11 +45,15 @@ The following policy settings can be used to determine how a BitLocker-protected - [Configure use of passwords on removable data drives](#bkmk-unlockpol8) - [Validate smart card certificate usage rule compliance](#bkmk-unlockpol9) - [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#bkmk-slates) + The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers. + - [Deny write access to fixed drives not protected by BitLocker](#bkmk-driveaccess1) - [Deny write access to removable drives not protected by BitLocker](#bkmk-driveaccess2) - [Control use of BitLocker on removable drives](#bkmk-driveaccess3) + The following policy settings determine the encryption methods and encryption types that are used with BitLocker. + - [Choose drive encryption method and cipher strength](#bkmk-encryptmeth) - [Configure use of hardware-based encryption for fixed data drives](#bkmk-hdefxd) - [Configure use of hardware-based encryption for operating system drives](#bkmk-hdeosd) 
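Review bot: the rewritten compliance paragraph in the preceding hunk ("If multiple changes are necessary to bring the drive into compliance...") is now hard-wrapped mid-sentence after "and then Group", whereas the -line it replaces was a single line and every other paragraph in this topic is one line. Markdown renders the soft break as a space, so the output is unchanged, but the split makes the paragraph harder to diff and edit later; suggest restoring it to a single line.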
@@ -47,7 +61,9 @@ The following policy settings determine the encryption methods and encryption ty - [Enforce drive encryption type on fixed data drives](#bkmk-detypefdd) - [Enforce drive encryption type on operating system drives](#bkmk-detypeosd) - [Enforce drive encryption type on removable data drives](#bkmk-detyperdd) + The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. + - [Choose how BitLocker-protected operating system drives can be recovered](#bkmk-rec1) - [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2) - [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3) @@ -55,7 +71,9 @@ The following policy settings define the recovery methods that can be used to re - [Choose how BitLocker-protected fixed drives can be recovered](#bkmk-rec6) - [Choose how BitLocker-protected removable drives can be recovered](#bkmk-rec7) - [Configure the pre-boot recovery message and URL](#bkmk-configurepreboot) + The following policies are used to support customized deployment scenarios in your organization. + - [Allow Secure Boot for integrity validation](#bkmk-secboot) - [Provide the unique identifiers for your organization](#bkmk-depopt1) - [Prevent memory overwrite on restart](#bkmk-depopt2) 
@@ -66,8 +84,11 @@ The following policies are used to support customized deployment scenarios in yo - [Use enhanced Boot Configuration Data validation profile](#bkmk-enbcd) - [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) - [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) + ### Allow network unlock at startup + This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. + @@ -106,13 +127,17 @@ This policy controls a portion of the behavior of the Network Unlock feature in
  **Reference** + To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock. -**Note**   -For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup. + +>**Note:**  For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup.   For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + ### Require additional authentication at startup + This policy setting is used to control which unlock options are available for operating system drives. + @@ -153,31 +178,43 @@ This policy setting is used to control which unlock options are available for op
  **Reference** + If you want to use BitLocker on a computer without a TPM, select the **Allow BitLocker without a compatible TPM** check box. In this mode, a USB drive is required for startup. Key information that is used to encrypt the drive is stored on the USB drive, which creates a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, you need to use one of the BitLocker recovery options to access the drive. + On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use: + - only the TPM for authentication - insertion of a USB flash drive containing the startup key - the entry of a 4-digit to 20-digit personal identification number (PIN) - a combination of the PIN and the USB flash drive + There are four options for TPM-enabled computers or devices: + - Configure TPM startup + - Allow TPM - Require TPM - Do not allow TPM - Configure TPM startup PIN + - Allow startup PIN with TPM - Require startup PIN with TPM - Do not allow startup PIN with TPM - Configure TPM startup key + - Allow startup key with TPM - Require startup key with TPM - Do not allow startup key with TPM - Configure TPM startup key and PIN + - Allow TPM startup key with PIN - Require startup key and PIN with TPM - Do not allow TPM startup key with PIN + ### Allow enhanced PINs for startup + This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. + @@ -215,13 +252,17 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth
  + **Reference** + Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. -**Important**   -Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. + +>**Important:**  Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.   ### Configure minimum PIN length for startup + This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN. + @@ -260,9 +301,13 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
  **Reference** + This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. + ### Disallow standard users from changing the PIN or password + This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. + @@ -300,10 +345,15 @@ This policy setting allows you to configure whether standard users are allowed t
  + **Reference** + To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker. + ### Configure use of passwords for operating system drives + This policy controls how non-TPM based systems utilize the password protector. Used in conjunction with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords. + @@ -348,19 +398,26 @@ This policy controls how non-TPM based systems utilize the password protector. U
  + **Reference** + If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. -**Note**   -These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +>**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.   When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. 
+ When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to: + - Allow password complexity - Do not allow password complexity - Require password complexity + ### Require additional authentication at startup (Windows Server 2008 and Windows Vista) + This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista. + @@ -399,21 +456,32 @@ This policy setting is used to control what unlock options are available for com
  **Reference** + On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 4-digit to 20-digit startup PIN. + A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive. + There are two options for TPM-enabled computers or devices: + - Configure TPM startup PIN + - Allow startup PIN with TPM - Require startup PIN with TPM - Do not allow startup PIN with TPM - Configure TPM startup key + - Allow startup key with TPM - Require startup key with TPM - Do not allow startup key with TPM + These options are mutually exclusive. If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error will occur. + To hide the advanced page on a TPM-enabled computer or device, set these options to **Do not allow** for the startup key and for the startup PIN. + ### Configure use of smart cards on fixed data drives + This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives. + @@ -456,11 +524,13 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
  **Reference** -**Note**   -These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. + +>**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive.   ### Configure use of passwords on fixed data drives + This policy setting is used to require, allow, or deny the use of passwords with fixed data drives. + @@ -503,21 +573,28 @@ This policy setting is used to require, allow, or deny the use of passwords with
  **Reference** + When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. + When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is accepted regardless of the actual password complexity, and the drive is encrypted by using that password as a protector. + When set to **Do not allow complexity**, no password complexity validation is performed. + Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. -**Note**   -These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +>**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.   For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled. This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that is used to validate password complexity is located on the domain controllers, local user accounts cannot access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. 
In this situation, the password key protector cannot be added to the drive. + Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. -**Important**   -Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. + +>**Important:**  Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.   ### Configure use of smart cards on removable data drives + This policy setting is used to require, allow, or deny the use of smart cards with removable data drives. + @@ -560,11 +637,13 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
  **Reference** -**Note**   -These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +>**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.   ### Configure use of passwords on removable data drives + This policy setting is used to require, allow, or deny the use of passwords with removable data drives. + @@ -607,20 +686,28 @@ This policy setting is used to require, allow, or deny the use of passwords with
  **Reference** -If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. -**Note**   -These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + +If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. + +>**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.   Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. + When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. + When set to **Allow complexity**, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will still be accepted regardless of actual password complexity and the drive will be encrypted by using that password as a protector. 
+ When set to **Do not allow complexity**, no password complexity validation will be done. -**Note**   -Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. + +>**Note:**  Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.   For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](http://technet.microsoft.com/library/jj852211.aspx). + ### Validate smart card certificate usage rule compliance + This policy setting is used to determine what certificate to use with BitLocker. + @@ -659,14 +746,19 @@ This policy setting is used to determine what certificate to use with BitLocker.
  **Reference** + This policy setting is applied when you turn on BitLocker. + The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. + The default object identifier is 1.3.6.1.4.1.311.67.1.1. -**Note**   -BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. + +>**Note:**  BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.   ### Enable use of BitLocker authentication requiring preboot keyboard input on slates + This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. + @@ -705,15 +797,23 @@ This policy setting allows users to enable authentication options that require u
  **Reference** + The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password. + It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard. + When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. + If you do not enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available: + - Configure TPM startup PIN: Required and Allowed - Configure TPM startup key and PIN: Required and Allowed - Configure use of passwords for operating system drives + ### Deny write access to fixed drives not protected by BitLocker + This policy setting is used to require encryption of fixed drives prior to granting Write access. + @@ -752,16 +852,23 @@ This policy setting is used to require encryption of fixed drives prior to grant
  **Reference** + This policy setting is applied when you turn on BitLocker. + Conflict considerations include: + 1. When this policy setting is enabled, users receive "Access denied" error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts. 2. If BdeHdCfg.exe is run on a computer when this policy setting is enabled, you could encounter the following issues: + - If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition is not formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker." 3. If this policy setting is enforced, a hard drive cannot be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers. 
+ ### Deny write access to removable drives not protected by BitLocker + This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access. + @@ -800,16 +907,21 @@ This policy setting is used to require that removable drives are encrypted prior
  **Reference** + If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. -**Note**   -You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. + +>**Note:**  You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.   Conflict considerations include: + 1. Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. 2. Use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. 3. You must enable the **Provide the unique identifiers for your organization** policy setting if you want to deny Write access to drives that were configured in another organization. + ### Control use of BitLocker on removable drives + This policy setting is used to prevent users from turning BitLocker on or off on removable data drives. + @@ -852,13 +964,20 @@ This policy setting is used to prevent users from turning BitLocker on or off on
  **Reference** + This policy setting is applied when you turn on BitLocker. + For information about suspending BitLocker protection, see [BitLocker Basic Deployment](http://technet.microsoft.com/library/dn383581.aspx). + The options for choosing property settings that control how users can configure BitLocker are: + - **Allow users to apply BitLocker protection on removable data drives**   Enables the user to run the BitLocker Setup Wizard on a removable data drive. - **Allow users to suspend and decrypt BitLocker on removable data drives**   Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. + ### Choose drive encryption method and cipher strength + This policy setting is used to control the encryption method and cipher strength. + @@ -897,14 +1016,18 @@ This policy setting is used to control the encryption method and cipher strength
  **Reference** + By default, BitLocker uses AES 128-bit encryption. Available options are AES-128 and AES-256. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored. -**Warning**   -This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning. + +>**Warning:**  This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.   When this policy setting is disabled, BitLocker uses AES with the same bit strength (128-bit or 256-bit) as specified in the policy setting **Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)**. If neither policy is set, BitLocker uses the default encryption method, AES-128, or the encryption method that is specified in the setup script. + ### Configure use of hardware-based encryption for fixed data drives + This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they are used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. + @@ -947,14 +1070,18 @@ This policy controls how BitLocker reacts to systems that are equipped with encr
  **Reference** -**Note**   -The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. + +>**Note:**  The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.   The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: + - Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 + ### Configure use of hardware-based encryption for operating system drives + This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. + @@ -997,15 +1124,20 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper
  **Reference** + If hardware-based encryption is not available, BitLocker software-based encryption is used instead. -**Note**   -The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. + +>**Note:**  The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.   The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: + - Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 + ### Configure use of hardware-based encryption for removable data drives + This policy controls how BitLocker reacts to encrypted drives when they are used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive. + @@ -1048,15 +1180,20 @@ This policy controls how BitLocker reacts to encrypted drives when they are used
  **Reference** + If hardware-based encryption is not available, BitLocker software-based encryption is used instead. -**Note**   -The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. + +>**Note:**  The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption.   The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: + - Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 - AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 + ### Enforce drive encryption type on fixed data drives + This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user. + @@ -1095,13 +1232,17 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio
  **Reference** + This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. -**Note**   -This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. + +>**Note:**  This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.   For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). + ### Enforce drive encryption type on operating system drives + This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. + @@ -1140,13 +1281,17 @@ This policy controls whether operating system drives utilize Full encryption or
  **Reference** + This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. -**Note**   -This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. + +>**Note:**  This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.   For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). + ### Enforce drive encryption type on removable data drives + This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. + @@ -1185,13 +1330,17 @@ This policy controls whether fixed data drives utilize Full encryption or Used S
  **Reference** + This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. -**Note**   -This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. + +>**Note:**  This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space.   For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). + ### Choose how BitLocker-protected operating system drives can be recovered + This policy setting is used to configure recovery methods for operating system drives. + @@ -1231,18 +1380,28 @@ This policy setting is used to configure recovery methods for operating system d
  **Reference** + This policy setting is applied when you turn on BitLocker. + The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. + For more information about adding data recovery agents, see [BitLocker basic deployment](bitlocker-basic-deployment.md). + In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password. -Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. + +Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for +the drive are determined by the policy setting. + In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS. 
+ Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -**Note**   -If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. + +>**Note:**  If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated.   ### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) + This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. + @@ -1281,18 +1440,22 @@ This policy setting is used to configure recovery methods for BitLocker-protecte
  **Reference** + This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. + Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key. + Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. -**Important**   -If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. + +>**Important:**  If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. The 48-digit recovery password is not available in FIPS-compliance mode.   -**Important**   -To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. +>**Important:**  To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.   ### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) + This policy setting is used to configure the storage of BitLocker recovery information in AD DS. 
This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. + @@ -1331,17 +1494,27 @@ This policy setting is used to configure the storage of BitLocker recovery infor
  **Reference** + This policy is only applicable to computers running Windows Server 2008 or Windows Vista. + This policy setting is applied when you turn on BitLocker. + BitLocker recovery information includes the recovery password and unique identifier data. You can also include a package that contains an encryption key for a BitLocker-protected drive. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted. + If you select **Require BitLocker backup to AD DS**, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. + A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive’s BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted. + If the **Require BitLocker backup to AD DS** option is not selected, AD DS backup is attempted, but network or other backup failures do not prevent the BitLocker setup. The Backup process is not automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup. TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up. + For more information about this setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md). 
If you are using domain controllers running Windows Server 2003 with Service Pack 1, you must first set up appropriate schema extensions and access control settings on the domain before a backup to AD DS can succeed. For more info, see [Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md). + ### Choose default folder for recovery password + This policy setting is used to configure the default folder for recovery passwords. + @@ -1380,12 +1553,15 @@ This policy setting is used to configure the default folder for recovery passwor
  **Reference** + This policy setting is applied when you turn on BitLocker. -**Note**   -This policy setting does not prevent the user from saving the recovery password in another folder. + +>**Note:**  This policy setting does not prevent the user from saving the recovery password in another folder.   ### Choose how BitLocker-protected fixed drives can be recovered + This policy setting is used to configure recovery methods for fixed data drives. + @@ -1425,18 +1601,28 @@ This policy setting is used to configure recovery methods for fixed data drives.
  **Reference** + This policy setting is applied when you turn on BitLocker. + The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. + In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. + Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. + +In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. +Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. 
If you select **Backup recovery password only**, only the recovery password is stored in AD DS. + For more information about the BitLocker repair tool, see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx). + Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -**Note**   -If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. + +>**Note:**  If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.   ### Choose how BitLocker-protected removable drives can be recovered + This policy setting is used to configure recovery methods for removable data drives. + @@ -1476,17 +1662,25 @@ This policy setting is used to configure recovery methods for removable data dri
  **Reference** + This policy setting is applied when you turn on BitLocker. + The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies** , which is accessed using the GPMC or the Local Group Policy Editor. + In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password. + Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. + In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. + Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -**Note**   -If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. + +>**Note:**  If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.   
### Configure the pre-boot recovery message and URL + This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked. + @@ -1525,19 +1719,23 @@ This policy setting is used to configure the entire recovery message and to repl
  **Reference** + Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key. + Once you enable the setting you have three options: + - If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen. - If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. - If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which will be displayed on the pre-boot recovery screen. -**Important**   -Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. + +>**Important:**  Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.   -**Important**   -Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. 
To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. +>**Important:**  Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box.   ### Allow Secure Boot for integrity validation + This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy. + @@ -1577,13 +1775,16 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc
  **Reference** + Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. -**Warning**   -Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. + +>**Warning:**  Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.   ### Provide the unique identifiers for your organization + This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. + @@ -1622,15 +1823,25 @@ This policy setting is used to establish an identifier that is applied to all dr
  **Reference** + These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. + An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. + For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). + The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It is a comma-separated list of identification fields from your organization or external organizations. + You can configure the identification fields on existing drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. + When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. + Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters. 
+ ### Prevent memory overwrite on restart + This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted. + @@ -1669,9 +1880,13 @@ This policy setting is used to control whether the computer's memory will be ove
  **Reference** + This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. + ### Configure TPM platform validation profile for BIOS-based firmware configurations + This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled. + @@ -1710,11 +1925,13 @@ This policy setting determines what values the TPM measures when it validates ea
  **Reference** + This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. -**Important**   -This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. + +>**Important:**  This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.   A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: + - Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) - Option ROM Code (PCR 2) - Master Boot Record (MBR) Code (PCR 4) 
@@ -1722,10 +1939,11 @@ A platform validation profile consists of a set of PCR indices that range from 0 - NTFS Boot Block (PCR 9) - Boot Manager (PCR 10) - BitLocker Access Control (PCR 11) -**Note**   -Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + +>**Note:**  Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.   The following list identifies all of the PCRs available: + - PCR 0: Core root-of-trust for measurement, BIOS, and Platform extensions - PCR 1: Platform and motherboard configuration and data. - PCR 2: Option ROM code @@ -1739,8 +1957,11 @@ The following list identifies all of the PCRs available: - PCR 10: Boot manager - PCR 11: BitLocker access control - PCR 12-23: Reserved for future use + ### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) + This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. + @@ -1779,8 +2000,11 @@ This policy setting determines what values the TPM measures when it validates ea
  **Reference** + This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. + A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: + - Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) - Option ROM Code (PCR 2) - Master Boot Record (MBR) Code (PCR 4) @@ -1788,10 +2012,11 @@ A platform validation profile consists of a set of PCR indices that range from 0 - NTFS Boot Block (PCR 9) - Boot Manager (PCR 10) - BitLocker Access Control (PCR 11) -**Note**   -The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. + +>**Note:**  The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.   The following list identifies all of the PCRs available: + - PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code - PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration - PCR 2: Option ROM code 
@@ -1805,11 +2030,13 @@ The following list identifies all of the PCRs available: - PCR 10: Boot manager - PCR 11: BitLocker access control - PCR 12 - 23: Reserved for future use -**Warning**   -Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + +>**Warning:**  Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.   ### Configure TPM platform validation profile for native UEFI firmware configurations + This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. + @@ -1850,12 +2077,15 @@ This policy setting determines what values the TPM measures when it validates ea
  **Reference** + This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. -**Important**   -This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. + +>**Important:**  This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled.   A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). + The following list identifies all of the PCRs available: + - PCR 0: Core System Firmware executable code - PCR 1: Core System Firmware data - PCR 2: Extended or pluggable executable code 
@@ -1864,7 +2094,9 @@ The following list identifies all of the PCRs available: - PCR 5: GPT/Partition Table - PCR 6: Resume from S4 and S5 Power State Events - PCR 7: Secure Boot State + For more information about this PCR, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic. + - PCR 8: Initialized to 0 with no Extends (reserved for future use) - PCR 9: Initialized to 0 with no Extends (reserved for future use) - PCR 10: Initialized to 0 with no Extends (reserved for future use) @@ -1873,11 +2105,13 @@ The following list identifies all of the PCRs available: - PCR 13: Boot Module Details - PCR 14: Boot Authorities - PCR 15 – 23: Reserved for future use -**Warning**   -Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + +>**Warning:**  Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.   ### Reset platform validation data after BitLocker recovery + This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. + @@ -1920,9 +2154,13 @@ This policy setting determines if you want platform validation data to refresh w
  **Reference** + For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). + ### Use enhanced Boot Configuration Data validation profile + This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23. + @@ -1965,11 +2203,13 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t
  **Reference** -**Note**   -The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. + +>**Note:**  The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list.   ### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows + This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and if the application is installed on the drive. + @@ -2008,12 +2248,15 @@ This policy setting is used to control whether access to drives is allowed by us
  **Reference** -**Note**   -This policy setting does not apply to drives that are formatted with the NTFS file system. + +>**Note:**  This policy setting does not apply to drives that are formatted with the NTFS file system.   When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. + ### Allow access to BitLocker-protected removable data drives from earlier versions of Windows + This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive. + @@ -2052,12 +2295,15 @@ This policy setting controls access to removable data drives that are using the
  **Reference** -**Note**   -This policy setting does not apply to drives that are formatted with the NTFS file system. + +>**Note:**  This policy setting does not apply to drives that are formatted with the NTFS file system.   When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed. + ## FIPS setting + You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users cannot create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted. + @@ -2096,28 +2342,44 @@ You can configure the Federal Information Processing Standard (FIPS) setting for
  **Reference** + This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. + You can save the optional recovery key to a USB drive. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy. + You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures. + For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](http://technet.microsoft.com/library/jj852197.aspx). + ## Power management Group Policy settings: Sleep and Hibernate + PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users are not required to re-authenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised. + However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting does not have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states. 
+ You can use disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states: + - Allow Standby States (S1-S3) When Sleeping (Plugged In) - Allow Standby States (S1-S3) When Sleeping (Battery) + ## About the Platform Configuration Register (PCR) + A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system. + Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + **About PCR 7** -PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. + +PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. 
If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This +reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration. + PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](http://msdn.microsoft.com/library/windows/hardware/jj923068.aspx). + PCR 7 measurements are a mandatory logo requirement for systems that support InstantGo (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. + ## See also -[Trusted Platform Module](trusted-platform-module-overview.md) -[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[BitLocker overview](bitlocker-overview.md) -[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -  -  +- [Trusted Platform Module](trusted-platform-module-overview.md) +- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [BitLocker overview](bitlocker-overview.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md index 5c66b70012..e7035aa4e8 100644 
--- a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md @@ -2,22 +2,31 @@ title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10) description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker: How to deploy on Windows Server 2012 and later + **Applies to** - Windows 10 + This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. + For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment. + ## Installing BitLocker + BitLocker requires administrator privileges on the server to install. You can install BitLocker either by using Server Manager or Windows PowerShell cmdlets. + - To install BitLocker using Server Manager - To install BitLocker using Windows PowerShell + ### To install BitLocker using Server Manager + 1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe. 2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** 3. With the **Add Roles and Features Wizard** open, select **Next** at the **Before you begin** pane (if shown). 
@@ -25,32 +34,42 @@ BitLocker requires administrator privileges on the server to install. You can in 5. Select the **Select a server from the server pool option** in the **Server Selection** pane and confirm the server for the BitLocker feature install. 6. Server roles and features install using the same wizard in Server Manager. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. 7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features Wizard**. The wizard will show the additional management features available for BitLocker. If you do not want to install these features, deselect the **Include management tools option** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. - **Note**   - The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems. + + > **Note:**   The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems.   8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features Wizard** to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane will force a restart of the computer after installation is complete. 9. If the **Restart the destination server automatically if required** check box is not selected, the **Results pane** of the **Add Roles and Features Wizard** will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. 
+ ### To install BitLocker using Windows PowerShell + Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role name prior to installation. -**Note**   -You must restart the server to complete the installation of BitLocker. + +>**Note:**  You must restart the server to complete the installation of BitLocker.   ### Using the servermanager module to install BitLocker + The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. This can be determined using the `Get-WindowsFeature` cmdlet with a query such as: + ``` syntax Get-WindowsFeature Bit ``` The results of this command displays a table of all of the feature names beginning with “Bit” as their prefix. This allows you to confirm that the feature name is `BitLocker` for the BitLocker feature. + By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell. + ``` syntax Install-WindowsFeature BitLocker -WhatIf ``` The results of this command show that only the BitLocker Drive Encryption feature installs using this command. 
+ To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command: + ``` syntax Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl ``` + The result of this command displays the following list of all the administration tools for BitLocker that would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). + - BitLocker Drive Encryption - BitLocker Drive Encryption Tools - BitLocker Drive Encryption Administration Utilities 
@@ -58,31 +77,39 @@ The result of this command displays the following list of all the administration - AD DS Snap-Ins and Command-Line Tools - AD DS Tools - AD DS and AD LDS Tools + The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is: + ``` syntax Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart ``` -**Important**   -Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately. + +>**Important:**  Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.   ### Using the dism module to install BitLocker + The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. + ``` syntax Get-WindowsOptionalFeature -Online | ft ``` + From this output, we can see that there are three BitLocker related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items. + To install BitLocker using the `dism` module, use the following command: + ``` syntax Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All ``` + This command will prompt the user for a reboot. 
The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: + ``` syntax Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All ``` ## More information -[BitLocker overview](bitlocker-overview.md) -[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) -[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) -  -  + +- [BitLocker overview](bitlocker-overview.md) +- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) +- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) +- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index c74d7c12a8..37e9e8b02d 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md 
@@ -2,20 +2,27 @@ title: BitLocker How to enable Network Unlock (Windows 10) description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker: How to enable Network Unlock + **Applies to** - Windows 10 + This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. + Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. + Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the key for Network Unlock is composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. 
+ This topic contains: + - [Network Unlock core requirements](#bkmk-nunlockcorereqs) - [Network Unlock sequence](#bkmk-networkunlockseq) - [Configure Network Unlock](#bkmk-configuringnetworkunlock) @@ -24,8 +31,11 @@ This topic contains: - [Update Network Unlock certificates](#bkmk-updatecerts) - [Troubleshoot Network Unlock](#bkmk-troubleshoot) - [Configure Network Unlock on unsupported systems](#bkmk-unsupportedsystems) + ## Network Unlock core requirements + Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These requirements include: + - You must be running at least Windows 8 or Windows Server 2012. - Any supported operating system with UEFI DHCP drivers can be Network Unlock clients. - A server running the Windows Deployment Services (WDS) role on any supported server operating system. 
@@ -33,20 +43,31 @@ Network Unlock must meet mandatory hardware and software requirements before the - A DHCP server, separate from the WDS server. - Properly configured public/private key pairing. - Network Unlock Group Policy settings configured. + The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer. -**Note**   -To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. + +>**Note:**  To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. + For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail.   The Network Unlock server component installs on supported versions of Windows Server 2012 and later as a Windows feature using Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. + Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. 
Configuration of the WDS installation is not required; however, the WDS service needs to be running on the server. + The network key is stored on the system drive along with an AES 256 session key, and encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. + ## Network Unlock sequence + The unlock sequence starts on the client side, when the Windows boot manager detects the existence of Network Unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. + On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet in order to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive. + The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and for the public key certificate to be distributed to the clients. 
This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM). + ![bitlocker network unlock sequence](images/bitlockernetworkunlocksequence.png) + **Phases in the Network Unlock process** + 1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration. 2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address. 3. The client computer broadcasts a vendor-specific DHCP request that contains the Network Key (a 256-bit intermediate key) and an AES-256 session key for the reply. Both of these keys are encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. 
@@ -56,50 +77,75 @@ The server side configuration to enable Network Unlock also requires provisionin 7. The returned intermediate key is then combined with another local 256-bit intermediate key that can only be decrypted by the TPM. 8. This combined key is used to create an AES-256 key that unlocks the volume. 9. Windows continues the boot sequence. + ## Configure Network Unlock + The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. + ### Step One: Install the WDS Server role + The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. + To install the role using Windows PowerShell, use the following command: + ``` syntax Install-WindowsFeature WDS-Deployment ``` + You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. + ### Step Two: Confirm the WDS Service is running + To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. + To confirm the service is running using Windows PowerShell, use the following command: + ``` syntax Get-Service WDSServer ``` ### Step Three: Install the Network Unlock feature + To install the Network Unlock feature, use Server Manager or Windows PowerShell. 
To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. + To install the feature using Windows PowerShell, use the following command: + ``` syntax Install-WindowsFeature BitLocker-NetworkUnlock ``` ### Step Four: Create the Network Unlock certificate + Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. + To enroll a certificate from an existing certification authority (CA), do the following: + 1. Open Certificate Manager on the WDS server using **certmgr.msc** 2. Under the Certificates - Current User item, right-click Personal 3. Select All Tasks, then **Request New Certificate** 4. Select **Next** when the Certificate Enrollment wizard opens 5. Select Active Directory Enrollment Policy 6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: + - Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain" + 7. Create the certificate. Ensure the certificate appears in the Personal folder. 8. Export the public key certificate for Network Unlock + 1. Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 2. Select **No, do not export the private key**. 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. 4. Give the file a name such as BitLocker-NetworkUnlock.cer. + 9. Export the public key with a private key for Network Unlock + 1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. 2. Select **Yes, export the private key**. 3. 
Complete the wizard to create the .pfx file. + To create a self-signed certificate, do the following: + 1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf 2. Add the following contents to the previously created file: + ``` syntax [NewRequest] Subject="CN=BitLocker Network Unlock certificate" 
@@ -117,46 +163,63 @@ To create a self-signed certificate, do the following: 2.5.29.37 = "{text}" _continue_ = "1.3.6.1.4.1.311.67.1.1" ``` + 3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name: + ``` syntax certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer ``` + 4. Verify the previous command properly created the certificate by confirming the .cer file exists 5. Launch the Certificate Manager by running **certmgr.msc** 6. Create a .pfx file by opening the **Certificates – Current User\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. + ### Step Five: Deploy the private key and certificate to the WDS server + With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: + 1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. 2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import** 3. In the **File to Import** dialog, choose the .pfx file created previously. 4. Enter the password used to create the .pfx and complete the wizard. + ### Step Six: Configure Group Policy settings for Network Unlock + With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. 
Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. + The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. + 1. Open Group Policy Management Console (gpmc.msc) 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers + The following steps describe how to deploy the required Group Policy setting: -**Note**   -The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. + +>**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.   1. Copy the .cer file created for Network Unlock to the domain controller 2. On the domain controller, launch Group Policy Management Console (gpmc.msc) 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. 4. Deploy the public certificate to clients + 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** 2. Right-click the folder and choose **Add Network Unlock Certificate** 3. Follow the wizard steps and import the .cer file that was copied earlier. -**Note**   -Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. 
The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. + +>**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.   ### Step Seven: Require TPM+PIN protectors at startup + An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: + 1. Open Group Policy Management Console (gpmc.msc) 2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers + ### Create the certificate template for Network Unlock + The following steps detail how to create a certificate template for use with BitLocker Network Unlock. A properly configured Active Directory Services Certification Authority can use this certificate to create and issue Network Unlock certificates. + 1. Open the Certificates Template snap-in (certtmpl.msc). 2. Locate the User template. Right-click the template name and select **Duplicate Template** 3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8respectively. Ensure the **Show resulting changes** dialog box is selected. 
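Review bot: the three-step list that this hunk places directly under Step Six ("The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock": open gpmc.msc, enable **Require additional authentication at startup** with **Require startup PIN with TPM**, turn on BitLocker with TPM+PIN) is repeated verbatim as Step Seven ("Require TPM+PIN protectors at startup") a few lines later; since the whole block is being re-flowed anyway, replace the first copy with a one-line cross-reference to Step Seven so the certificate-deployment steps that follow are not confused with the TPM+PIN prerequisite. Two smaller things in the same region: the unchanged context line "... Windows Server 2012 and Windows 8respectively" is missing the space before "respectively", and Step Four step 6 says "the previously imported certificate" although `certreq -new` in step 3 created it rather than importing it, so "previously created" is the accurate wording.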
@@ -170,104 +233,129 @@ The following steps detail how to create a certificate template for use with Bit 11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. 12. On the **Edit Application Policies Extension** dialog box, select **Add**. 13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: + - **Name:** **BitLocker Network Unlock** - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** + 14. Select the newly created **BitLocker Network Unlock** application policy and select **OK** 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. 16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission 17. Select **OK** to complete configuration of the template. + To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. + After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. + ### Subnet policy configuration files on WDS Server (Optional) + By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. 
A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock. + The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests. + The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equals sign, and the subnet identified on the right of the equal sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names. -``` syntax - [SUBNETS] -SUBNET1=10.185.250.0/24 ; comment about this subrange could be here, after the semi-colon -SUBNET2=10.185.252.200/28 -SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet -SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. -``` -Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. -**Note**   -When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. -  -Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. 
If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. -Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. -``` syntax - [‎2158a767e1c14e88e27a4c0aee111d2de2eafe60] -;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. -;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. -SUBNET1 -;SUBNET2 -SUBNET3 -``` + + [SUBNETS] + SUBNET1=10.185.250.0/24 ; comment about this subrange could be here, after the semi-colon + SUBNET2=10.185.252.200/28 + SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet + SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. + ``` + Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. + + >**Note:**  When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. 
+   + Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. + Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. + [‎2158a767e1c14e88e27a4c0aee111d2de2eafe60] + ;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. + ;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. + SUBNET1 + ;SUBNET2 + SUBNET3 + To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". + ### Turning off Network Unlock + To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. 
Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. -**Note**   -Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. + +>**Note:**  Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.   ### Update Network Unlock certificates + To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. + ## Troubleshoot Network Unlock + Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include: + - Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. - All required roles and services are installed and started - Public and private certificates have been published and are in the proper certificate containers. 
The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. - Group policy for Network Unlock is enabled and linked to the appropriate domains - Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. - Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: + ``` syntax Manage-bde –protectors –get C: ``` -**Note**   -Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock +>**Note:**  Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock   Files to gather when troubleshooting BitLocker Network Unlock include: + 1. The Windows event logs. Specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log + Debug logging is turned off by default for the WDS server role, so you will need to enable it first. You can use either of the following two methods to turn on WDS debug logging. + 1. Start an elevated command prompt and run the following command: + ``` syntax wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true ``` 2. Open Event Viewer on the WDS server. + In the left pane, click **Applications and Services Logs**, click **Microsoft**, click **Windows**, click **Deployment-Services-Diagnostics**, and then click **Debug**. 
+ In the right pane, click **Enable Log**. + 2. The DHCP subnet configuration file (if one exists). 3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell 4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address + ## Configure Network Unlock Group Policy settings on earlier versions + Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012 but can be deployed using operating systems running Windows Server 2008 R2 and Windows Server 2008. **Requirements** + - The server hosting WDS must be running any of the server operating systems designated in the **Applies To** list at the beginning of this topic. - Client computers must be running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. + The following steps can be used to configure Network Unlock on these older systems. + 1. [Step One: Install the WDS Server role](#bkmk-stepone) 2. [Step Two: Confirm the WDS Service is running](#bkmk-steptwo) 3. [Step Three: Install the Network Unlock feature](#bkmk-stepthree) 4. [Step Four: Create the Network Unlock certificate](#bkmk-stepfour) 5. [Step Five: Deploy the private key and certificate to the WDS server](#bkmk-stepfive) 6. **Step Six: Configure registry settings for Network Unlock** + Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. 
- ``` syntax - certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f - ``` + certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f + 7. [Create the Network Unlock certificate](#bkmk-stepfour) 8. [Deploy the private key and certificate to the WDS server](#bkmk-stepfive) 9. [Create the certificate template for Network Unlock](#bkmk-createcerttmpl) 10. [Require TPM+PIN protectors at startup](#bkmk-stepseven) + ## See also + - [BitLocker overview](bitlocker-overview.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) -  -  
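Review bot: the subnet policy sample in this hunk ends up with an unbalanced fence: the opening "``` syntax" before "[SUBNETS]" is removed and the lines are indented instead, but the closing "```" after "SUBNET4=2001:4898:a:3::/64; in production, ..." is kept. A lone "```" opens a new fenced block that swallows "Following the \[SUBNETS\] section ...", the thumbprint sample, "### Turning off Network Unlock", "### Update Network Unlock certificates" and the start of "## Troubleshoot Network Unlock" until the next "``` syntax" before "Manage-bde –protectors –get C:" closes it, after which every later fence on the page is inverted. Either delete that stray "```" or restore both fences; the thumbprint section ("[2158a767e1c14e88e27a4c0aee111d2de2eafe60]" through "SUBNET3") and the certutil/reg add script under Step Six lose their fences the same way, so confirm those render as code and that the prose paragraphs "Following the \[SUBNETS\] section ..." and "Subnet restrictions are defined ..." are not indented into the sample. While that block is touched: the sample section header "[‎2158a767...]" appears to carry an invisible control character between "[" and "2" in both the old and new lines, which is exactly the kind of unrecognised thumbprint the note right above warns will make the subnet configuration fail, and the unchanged troubleshooting lines still read "the C: drive of the lcoal computer" and "is on firmware version is 2.3.1".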
diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 66039b8143..897f3dd747 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md 
@@ -2,103 +2,78 @@ title: BitLocker (Windows 10) description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # BitLocker + **Applies to** - Windows 10 + This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. + ## + BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. + +BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been +tampered with while the system was offline. + On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. 
+ In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. + ## Practical applications + Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. + There are two additional tools in the Remote Server Administration Tools, which you can use to manage BitLocker. + - **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator. -- **BitLocker Drive Encryption Tools**. 
BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console. + +- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the +BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console. + ## New and changed functionality + To find out what's new in BitLocker for Windows 10, see [What's new in BitLocker?](../whats-new/bitlocker.md)   ## System requirements + BitLocker has the following hardware requirements: + For BitLocker to use the system integrity check provided by a Trusted Platform Module (TPM), the computer must have TPM 1.2 or later. If your computer does not have a TPM, enabling BitLocker requires that you save a startup key on a removable device, such as a USB flash drive. + A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. 
+ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. + The hard disk must be partitioned with at least two drives: + - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. - The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space. + When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker. + When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. + ## In this section - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)

This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.

[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)

This topic for the IT professional explains how can you plan your BitLocker deployment.

[BitLocker basic deployment](bitlocker-basic-deployment.md)

This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.

[BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)

This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.

[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)

This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it.

[BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)

This topic for the IT professional describes how to use tools to manage BitLocker.

[BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)

This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.

[BitLocker Group Policy settings](bitlocker-group-policy-settings.md)

This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.

[BCD settings and BitLocker](bcd-settings-and-bitlocker.md)

This topic for IT professionals describes the BCD settings that are used by BitLocker.

[BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)

This topic for IT professionals describes how to recover BitLocker keys from AD DS.

[Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)

This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration.

[Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)

This topic for IT pros describes how to protect CSVs and SANs with BitLocker.

-  -  -  + +| Topic | Description | +| - | - | +| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| +| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. | +| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. | +| [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.| +| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. | +| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic for the IT professional describes how to use tools to manage BitLocker.| +| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. | +| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.| +| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. 
| +| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | +| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| diff --git a/windows/keep-secure/bitlocker-recovery-guide-plan.md b/windows/keep-secure/bitlocker-recovery-guide-plan.md index ef750b5769..80df5a2c52 100644 --- a/windows/keep-secure/bitlocker-recovery-guide-plan.md +++ b/windows/keep-secure/bitlocker-recovery-guide-plan.md 
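Review bot: the bitlocker-overview.md hunk above drops a topic when it converts the HTML table to a Markdown table: the old table had a row for [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) ("describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption") between the Recovery Password Viewer and BCD settings rows, and the new "| Topic | Description |" table has no such row. Add it back before "| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) |". Two smaller points in the same hunk: the empty "## " heading above "BitLocker Drive Encryption is a data protection feature ..." survives the reflow (give it a title or remove it), and the copied description "explains how can you plan your BitLocker deployment" should read "explains how you can plan".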
@@ -2,33 +2,48 @@ title: BitLocker recovery guide (Windows 10) description: This topic for IT professionals describes how to recover BitLocker keys from AD DS. ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft + --- + # BitLocker recovery guide + **Applies to** - Windows 10 + This topic for IT professionals describes how to recover BitLocker keys from AD DS. + Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. + This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. + This article does not detail how to configure AD DS to store the BitLocker recovery information. + This article contains the following topics: + - [What Is BitLocker Recovery?](#bkmk-whatisrecovery) - [Testing Recovery](#bkmk-testingrecovery) - [Planning Your Recovery Process](#bkmk-planningrecovery) - [Using Additional Recovery Information](#bkmk-usingaddrecovery) - [Resetting Recovery Passwords](#bkmk-appendixb) - [Retrieving the BitLocker Key Package](#bkmk-appendixc) + ## What is BitLocker recovery? + BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario you have the following options to restore access to the drive: + - The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. 
(Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). - A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. - A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). + ### What causes BitLocker recovery? + The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: + - On PCs that use either BitLocker or Device Encryption when an attack is detected the device will immediately reboot and enter into BitLocker recovery mode. 
To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. - Changing the boot order to boot another drive in advance of the hard drive. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. 
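Review bot: The move of `ms.pagetype: security` from above `ms.prod` to below `ms.sitesec` in the front matter is the only non-whitespace, non-note change in this hunk and nothing explains it; if it is needed for the metadata tooling, say so, otherwise drop it so the hunk stays a pure `**Note**` to `>**Note:**` conversion. The rest of the hunk (blank lines around headings and list blocks, the blockquote note) looks fine.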
@@ -49,8 +64,8 @@ The following list provides examples of specific events that will cause BitLocke - Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. - Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs. - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. - **Note**   - Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. + + >**Note:**  Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.   - Moving the BitLocker-protected drive into a new computer. - Upgrading the motherboard to a new one with a new TPM. 
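Review bot: The new `>**Note:**  Some computers have BIOS settings that skip measurements...` sits between two items of the same bullet list (after the `PCR\[1\]` item, before `- Moving the BitLocker-protected drive into a new computer`); unless that blockquote line is indented under the preceding list item, Markdown closes the list there and `- Moving ...` starts a second, renumbered list. Indent the `>` line to the list item's content, and remove the leftover line that now holds only two spaces after the note, which was part of the old `**Note**` layout and no longer serves a purpose.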
@@ -58,169 +73,249 @@ The following list provides examples of specific events that will cause BitLocke - Failing the TPM self-test. - Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. - Changing the usage authorization for the storage root key of the TPM to a non-zero value. - **Note**   - The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. + + >**Note:**  The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.   - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). - Pressing the F8 or F10 key during the boot process. - Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards. - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. -**Note**   -Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. + +>**Note:**  Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. 
For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components.   For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. -**Note**   -If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. + +>**Note:**  If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. + If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premise user to provide the additional authentication method.   Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. 
+ ## Testing recovery + Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The –forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation. + **To force a recovery for the local computer** + 1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. 2. At the command prompt, type the following command and then press ENTER: - **manage-bde -forcerecovery** *<Volume>* + `manage-bde -forcerecovery ` + **To force recovery for a remote computer** + 1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. 2. At the command prompt, type the following command and then press ENTER: - **manage-bde. -ComputerName** *<ComputerName>***-forcerecovery** *<Volume>* -**Note**   -*<ComputerName>* represents the name of the remote computer. *<Volume>* represents the volume on the remote computer that is protected with BitLocker. + `manage-bde. -ComputerName -forcerecovery ` + +> **Note:**  *ComputerName* represents the name of the remote computer. *Volume* represents the volume on the remote computer that is protected with BitLocker.   ## Planning your recovery process + When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. 
-Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](http://technet.microsoft.com/windows/hh826072.aspx). + +Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker +Administration and Monitoring](http://technet.microsoft.com/windows/hh826072.aspx). 
+ After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization. + When you determine your recovery process, you should: + - Become familiar with how you can retrieve the recovery password. See: + - [Self-recovery](#bkmk-selfrecovery) - [Recovery password retrieval](#bkmk-recoveryretrieval) + - Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See: + - [Post-recovery analysis](#bkmk-planningpostrecovery) + ### Self-recovery + In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. + ### Recovery password retrieval + If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. 
BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. + - **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered** - **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. -**Note**   -If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD +DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. 
+ +>**Note:**  If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required.   The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. + You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. + - [Record the name of the user's computer](#bkmk-recordcomputername) - [Verify the user's identity](#bkmk-verifyidentity) - [Locate the recovery password in AD DS](#bkmk-locatepassword) - [Gather information to determine why recovery occurred](#bkmk-gatherinfo) - [Give the user the recovery password](#bkmk-givepassword) + ### Record the name of the user's computer + You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer. + ### Verify the user's identity + You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user. + ### Locate the recovery password in AD DS + Locate the Computer object with the matching name in AD DS. 
Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. + ### Multiple recovery passwords + If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created. + If at any time you are unsure what password to provide, or if you think you might be providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. + Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume. + ### Gather information to determine why recovery occurred + Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). + ### Give the user the recovery password + Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. -**Note**   -Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. 
+ +>**Note:**  Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.   ### Post-recovery analysis -When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. + +When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption +when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. + If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. 
See: + - [Determine the root cause of the recovery](#bkmk-determinecause) - [Refresh BitLocker protection](#bkmk-refreshprotection) + ### Determine the root cause of the recovery + If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security. + While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further. + Review and answer the following questions for your organization: + 1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? 2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? 3. If TPM mode was in effect, was recovery caused by a boot file change? 4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software? 5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? 6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? + To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely. + ### Resolve the root cause + After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. 
+ The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. -**Note**   -You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. + +>**Note:**  You can perform a BitLocker validation profile reset by suspending and resuming BitLocker.   - [Unknown PIN](#bkmk-unknownpin) - [Lost startup key](#bkmk-loststartup) - [Changes to boot files](#bkmk-changebootknown) ### Unknown PIN + If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. + **To prevent continued recovery due to an unknown PIN** + 1. Unlock the computer using the recovery password. -2. Reset the PIN: - 1. - 2. Right-click the drive and then click **Change PIN** - 3. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. - 4. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. +2. Reset the PIN: + 1. Right-click the drive and then click **Change PIN** + 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. + 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. 3. You will use the new PIN the next time you unlock the drive. + ### Lost startup key + If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key. + **To prevent continued recovery due to a lost startup key** + 1. 
Log on as an administrator to the computer that has the lost startup key. 2. Open Manage BitLocker. 3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. + ### Changes to boot files + This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. + ## Windows RE and BitLocker + Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker or by Device Encryption. If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. 
+ ## Using additional recovery information + Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used. + ### BitLocker key package + If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password. -**Note**   -You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. + +>**Note:**  You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.   The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). + ## Resetting recovery passwords + You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. + You can reset the recovery password in two ways: + - **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. - **Run a script** You can run a script to reset the password without decrypting the volume. 
The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. + **To reset a recovery password using manage-bde** + 1. Remove the previous recovery password + ``` syntax Manage-bde –protectors –delete C: –type RecoveryPassword ``` + 2. Add the new recovery password + ``` syntax Manage-bde –protectors –add C: -RecoveryPassword + ``` + 3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. + ``` syntax Manage-bde –protectors –get C: -Type RecoveryPassword + ``` 4. Backup the new recovery password to AD DS + ``` syntax Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` - **Warning**   - You must include the braces in the ID string. + >**Warning:**  You must include the braces in the ID string.   **To run the sample recovery password script** + 1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. 2. At the command prompt, type a command similar to the following: + **cscript ResetPassword.vbs** -**Important**   -This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. + +>**Important:**  This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset.   -**Note**   -To manage a remote computer, you can specify the remote computer name rather than the local computer name. +> **Note:**  To manage a remote computer, you can specify the remote computer name rather than the local computer name.   You can use the following sample script to create a VBScript file to reset the recovery passwords. + ``` syntax ' Target drive letter strDriveLetter = "c:" 
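Review bot: The backtick conversion of the two forcerecovery commands drops their arguments: `**manage-bde -forcerecovery** *<Volume>*` became `` `manage-bde -forcerecovery ` `` and `**manage-bde. -ComputerName** *<ComputerName>***-forcerecovery** *<Volume>*` became `` `manage-bde. -ComputerName -forcerecovery ` ``, so the reader sees incomplete commands while the Note right below still says what *ComputerName* and *Volume* stand for. Restore the placeholders inside the code spans, e.g. `` `manage-bde -forcerecovery <Volume>` `` and `` `manage-bde -ComputerName <ComputerName> -forcerecovery <Volume>` ``, and drop the stray period in `manage-bde.` that this change carries over from the old text. Two smaller points in the same hunk: the fenced `Manage-bde –protectors –delete C: –type RecoveryPassword`, `–add`, `–get` and `–adbackup` lines use en dashes, and now that they are in a code fence they will be copied verbatim and rejected by manage-bde, so change them to ASCII `-`; and `**cscript ResetPassword.vbs**` stays bold while the other commands were moved to code formatting, which is inconsistent within the same section.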
@@ -291,16 +386,25 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re 'WScript.Echo "" 'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords." ``` + ## Retrieving the BitLocker key package + You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): + - **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. - **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. + The following sample script exports all previously-saved key packages from AD DS. + **To run the sample key package retrieval script** + 1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs. 2. At the command prompt, type a command similar to the following: + **cscript GetBitLockerKeyPackageADDS.vbs -?** + You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS. + ``` syntax ' -------------------------------------------------------------------------------- ' Usage @@ -615,7 +719,9 @@ Function BinaryToString(Binary) BinaryToString = S End Function ``` + ## See also + - [BitLocker overview](bitlocker-overview.md)
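Review bot: `**cscript GetBitLockerKeyPackageADDS.vbs -?**` is left in bold here while the manage-bde commands elsewhere in this patch were converted to backtick code spans; since this hunk already touches the surrounding lines, make it `` `cscript GetBitLockerKeyPackageADDS.vbs -?` `` for consistency. Otherwise both of these hunks only add blank lines around headings and list blocks, and the `## See also` spacing change is fine.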