" -AsPlainText -Force) -EnableRoomMailboxAccount $true
```
- 
+ 
4. Various Exchange properties can be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
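Review bot: the `-AsPlainText -Force` fragment at the top of this hunk means the device account password is supplied as a literal string in the command, so it lands in the saved script and in the PowerShell console history. Consider adding one sentence pointing readers to `Read-Host -AsSecureString` (or an equivalent prompt) for interactive runs, so the password does not have to appear in plaintext. The change in the hunk itself is only the whitespace on the image line, which is fine.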
@@ -205,7 +205,7 @@ Now that you're connected to the online services, you can finish setting up the
Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a room!"
```
- 
+ 
5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
@@ -260,11 +260,11 @@ You can use the Exchange Admin Center to create a device account:
1. Sign in to your Exchange Admin Center using Exchange admin credentials.
2. Once you are at the Exchange Admin Center (EAC), navigate to **Recipients** in the left panel.
- 
+ 
3. On the controls above the list of mailboxess, choose **+** to create a new one, and provide a **Display name**, **Name**, and **User logon name**, and then click **Save**.
- 
+ 
### Create a mobile device mailbox policy from the Exchange Admin Center
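Review bot: typo in the unchanged context line of step 3, "list of mailboxess" should be "list of mailboxes"; since this hunk already touches the lines around it, fix it here rather than in a follow-up.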
@@ -274,37 +274,37 @@ You can use the Exchange Admin Center to create a device account:
1. Go to the Exchange Admin Center.
- 
+ 
2. To create a mobile device mailbox policy, click **Mobile** from the left panel, then **Mobile device mailbox policies**. Surface Hubs require an account with a mobile device mailbox policy that does not require a password, so if you already have an existing policy that matches this requirement, you can apply that policy to the account. Otherwise use the following steps to create a new one to be used only for Surface Hub device accounts.
- 
+ 
3. To create a new mobile device account mailbox policy, click the **+** button from the controls above the list of policies to add a new policy. For the name provide a name that will help you distinguish this policy from other device accounts (for example, *SurfaceHubDeviceMobilePolicy*). The policy must not be password-protected, so make sure **Require a Password** remains unchecked, then click **Save**.
- 
+ 
4. After you have created the new mobile device mailbox policy, go back to the Exchange Admin Center and you will see the new policy listed.
- 
+ 
5. To apply the ActiveSync policy without using PowerShell, you can do the following:
- In the EAC, click **Recipients** > **Mailboxes** and select a mailbox.
- 
+ 
- In the **Details** pane, scroll to **Phone and Voice Features** and click **View details** to display the **Mobile Device Details** screen.
- 
+ 
- The mobile device mailbox policy that’s currently assigned is displayed. To change the mobile device mailbox policy, click **Browse**.
- 
+ 
- Choose the appropriate mobile device mailbox policy from the list, click **OK** and then click **Save**.
- 
+ 
### Use PowerShell to configure the account
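Review bot: step 5 switches terminology to "ActiveSync policy" while steps 2 through 4 and the heading say "mobile device mailbox policy"; use one term (the EAC label is "Mobile device mailbox policies") so readers do not think a second policy type is involved. Step 2 also says the no-password policy is meant "only for Surface Hub device accounts"; since step 5 is where the policy is actually assigned to a mailbox, repeat there that it should be applied to the Surface Hub account only and not to user mailboxes.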
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index d63259487e..aeb2e566ac 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -116,7 +116,7 @@ You can check online for updated versions at [Surface Hub device account scripts
Your infrastructure will likely fall into one of three configurations. Which configuration you have will affect how you prepare for device setup.
-
+
- [Online deployment (Office 365)](online-deployment-surface-hub-device-accounts.md): Your organization’s environment is deployed entirely on Office 365.
- [On-premises deployment](on-premises-deployment-surface-hub-device-accounts.md): Your organization has servers that it controls, where Active Directory, Exchange, and Skype for Business (or Lync) are hosted.
diff --git a/devices/surface-hub/device-reset-suface-hub.md b/devices/surface-hub/device-reset-suface-hub.md
index e4f36616da..b90a11ada6 100644
--- a/devices/surface-hub/device-reset-suface-hub.md
+++ b/devices/surface-hub/device-reset-suface-hub.md
@@ -2,6 +2,7 @@
title: Device reset (Surface Hub)
description: You may wish to reset your Microsoft Surface Hub.
ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
+redirect_url: https://technet.microsoft.com/en-us/itpro/surface-hub/device-reset-surface-hub
keywords: reset Surface Hub
ms.prod: w10
ms.mktglfcycl: manage
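Review bot: adding `redirect_url` to the misspelled device-reset-suface-hub.md is the right way to keep old links working, but the next hunk also edits this file's body, and the same text is added to the new device-reset-surface-hub.md below. Once the redirect is live the body here is unreachable, so either drop the body edits to this file or say in the commit message why both copies are kept; two copies of the same page will drift apart.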
@@ -27,7 +28,10 @@ Initiating a reset will return the device to the last cumulative Windows update,
- MDM enrollment
- Domain join or Azure AD join information
- Local admins on the device
-- Configurations from MDM or the Settings app.
+- Configurations from MDM or the Settings app
+
+**Important Note**
+Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
After the reset, you'll be taken through the [first run program](first-run-program-surface-hub.md) again.
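Review bot: `**Important Note**` followed by a plain paragraph does not match the callout style used elsewhere in this patch (`>**Important** ...` in hybrid-deployment-surface-hub-device-accounts.md, `>**Note** ...` in provisioning-packages-for-certificates-surface-hub.md); use the same blockquote form so the warning renders as a callout. The warning itself is worth keeping: a reset that removes MDM enrollment, domain or Azure AD join and the local admins, and that leaves the device inoperable if interrupted, deserves a visible callout rather than a bold line.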
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
new file mode 100644
index 0000000000..d2e58dc6fc
--- /dev/null
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -0,0 +1,55 @@
+---
+title: Device reset (Surface Hub)
+description: You may wish to reset your Microsoft Surface Hub.
+ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
+keywords: reset Surface Hub
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: TrudyHa
+---
+
+# Device reset (Surface Hub)
+
+
+You may wish to reset your Microsoft Surface Hub.
+
+Typical reasons for a reset include:
+
+- The device isn’t running well after installing an update.
+- You’re repurposing the device for a new meeting space and want to reconfigure it.
+- You want to change how you locally manage the device.
+
+Initiating a reset will return the device to the last cumulative Windows update, and remove all local user files and configuration, including:
+
+- The device account
+- MDM enrollment
+- Domain join or Azure AD join information
+- Local admins on the device
+- Configurations from MDM or the Settings app
+
+**To reset a Surface Hub**
+1. On your Surface Hub, open **Settings**.
+
+ 
+
+2. Click **Update & Security**.
+
+ 
+
+3. Click **Recovery**, and then click **Get started**.
+
+ 
+
+**Important Note**
+Performing a device reset may take up to 6 hours. Do not interrupt the reset process. Interrupting the process will render the device inoperable, requiring warranty service to return to normal functionality.
+
+After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again.
+
+## Related topics
+
+
+[Manage Microsoft Surface Hub](manage-surface-hub.md)
+
+[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
\ No newline at end of file
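Review bot: same two points as in the old file: `**Important Note**` should use the `>**Important**` blockquote form the other pages in this patch use, and the file is missing a trailing newline (`\ No newline at end of file`). This new page and device-reset-suface-hub.md now carry identical text; with the redirect in place the old copy should be reduced to its front matter so only one copy is maintained. Also, step 3 ("Click **Recovery**, and then click **Get started**") is the point of no return that the Important Note describes, but the note comes after the steps; moving it above the numbered list, or adding a line to step 3, puts the warning where the reader sees it before acting.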
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index da4eafbf85..449c447e5c 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -46,7 +46,7 @@ This is the first screen you'll see when you power up the Surface Hub for the fi
-
+
### Details
@@ -72,7 +72,7 @@ If no wired connection can be found, then the device will attempt to set up a wi
If your device does not detect a wired connection that it can use to connect to a network or the Internet, you will see this page. Here you can either connect to a wireless network, or skip making the network connection.
-
+
### Details
@@ -97,7 +97,7 @@ If you want to connect to a secured wireless network from this page, click on th
This page will be shown when you've selected a secured wireless network.
-
+
### Details
@@ -121,11 +121,11 @@ This page will be shown when the device detects a wired connection with limited
- You can select **Enter proxy settings** which will allow you to specify how to use the network proxy. You'll be taken to the next screen.
-
+
This is the screen you'll see if you clicked **Enter proxy settings** on the previous screen.
-
+
### Details
@@ -149,7 +149,7 @@ You can skip connecting to a network by selecting **Skip this step**. You'll be
This screen is purely informational, and shows which recommended settings have been enabled by default.
-
+
### Details
@@ -170,7 +170,7 @@ On this page, the Surface Hub will ask for credentials for the device account th
-
+
### Details
@@ -192,7 +192,7 @@ If you skip setting it up now, you can add a device account later by using the S
If you click **Skip setting up a device account**, the device will display a dialog box showing what will happen if the device doesn't have a device account. If you choose **Yes, skip this**, you will be sent to the [Name this device page](#name-this-device).
-
+
### What happens?
@@ -211,7 +211,7 @@ The device will use the UPN or DOMAIN\\User name and password for the device acc
This page will only be shown if there's a problem. Typically, it means that the device account that you provided was found in Active Directory (AD) or Azure Active Directory (Azure AD), but the Exchange server for the account was not discovered.
-
+
### Details
@@ -230,7 +230,7 @@ You can enable Exchange services for a device account later by using the Setting
If you click **Skip setting up Exchange services**, the device will display a dialog showing what will happen. If you choose **Yes, skip this**, then Exchange services will not be set up.
-
+
### What happens?
@@ -249,7 +249,7 @@ This page will be shown when:
- Exchange supported protocols are not supported by the Surface Hub.
- Exchange returns incorrect XML.
-
+
### Details
@@ -273,7 +273,7 @@ If you choose to skip this check, the Surface Hub will stop looking for the Exch
This page asks you to provide two names that will be used for identifying the Surface Hub.
-
+
### Details
@@ -307,7 +307,7 @@ Because every Surface Hub can be used by any number of authenticated employees,
-
+
### Details
@@ -348,7 +348,7 @@ Joining Azure AD has two primary benefits:
1. Some employees from your organization will be able to access the device as admins, and will be able to start the Settings app and configure the device. People that have admin permissions will be defined in your Azure AD subscription.
2. If your Azure AD is connected to a mobile device management (MDM) solution, the device will enroll with that MDM solution so you can apply policies and configuration.
-
+
### Details
@@ -357,11 +357,11 @@ The following input is required:
- **User's UPN:** The user principal name (UPN) of an account that can join Azure AD.
- **Password:** The password of the account you’re using to join Azure AD.
-
+
If you get to this point and don't have valid credentials for an Azure AD account, the device will allow you to continue by creating a local admin account. Click **Set up Windows with a local account instead**.
-
+
### What happens?
@@ -373,7 +373,7 @@ This page will ask for credentials to join a domain so that the Surface Hub can
Once the device has been domain joined, you must specify a security group from the domain you joined. This security group will be provisioned as administrators on the Surface Hub, and anyone from the security group can enter their domain credentials to access Settings.
-
+
### Details
@@ -385,7 +385,7 @@ The following input is required:
After the credentials are verified, you will be asked to type a security group name. This input is required.
-
+
### What happens?
@@ -401,7 +401,7 @@ If the join is successful, you'll see the **Enter a security group** page. When
If you decide not to use Azure Active Directory (Azure AD) or Active Directory (AD) to manage the Surface Hub, you'll need to create a local admin account.
-
+
### Details
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index fae114b8da..7d9bfa37be 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -21,17 +21,17 @@ Use this procedure if you use Exchange on-prem.
- In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
- Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.
- 
+ 
- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
>**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
- 
+ 
- Click **Finish** to create the account.
- 
+ 
2. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online.
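Review bot: the `>**Important**` blockquote sits between two bulleted sub-steps at the "Password never expires" step; check that it renders as a callout inside the list item rather than as a separate top-level quote (a blank line before it, or matching indentation, may be needed). Since this step asks readers to create a per-account exception to their domain's password expiry rules, a link to the password management page that the account-creation page already references (password-management-for-surface-hub-device-accounts.md) would give them the compensating guidance in the same place.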
@@ -223,17 +223,17 @@ Use this procedure if you use Exchange online.
- In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**.
- Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**.
- 
+ 
- Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected.
>**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account.
- 
+ 
- Click **Finish** to create the account.
- 
+ 
6. Directory synchronization.
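Review bot: this hunk repeats the on-prem hunk above almost word for word (same sub-steps, same Important callout), but the step that follows differs: the on-prem section says "2. After you've created the account, run a directory synchronization..." with a verification instruction, while here it is just "6. Directory synchronization." with no instructions. Align the two, or give the online section the same one-sentence instruction and verification step. Since the sub-steps are identical, a shared include would mean a future edit (like this whitespace one) does not have to be made twice.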
diff --git a/devices/surface-hub/images/sh-settings-reset-device.png b/devices/surface-hub/images/sh-settings-reset-device.png
new file mode 100644
index 0000000000..bdb16e8e20
Binary files /dev/null and b/devices/surface-hub/images/sh-settings-reset-device.png differ
diff --git a/devices/surface-hub/images/sh-settings-update-security.png b/devices/surface-hub/images/sh-settings-update-security.png
new file mode 100644
index 0000000000..44bb2202f0
Binary files /dev/null and b/devices/surface-hub/images/sh-settings-update-security.png differ
diff --git a/devices/surface-hub/images/sh-settings.png b/devices/surface-hub/images/sh-settings.png
new file mode 100644
index 0000000000..12783739ed
Binary files /dev/null and b/devices/surface-hub/images/sh-settings.png differ
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 061bfada43..5fe5d1931c 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -30,7 +30,7 @@ If you joined your Surface Hub to an Azure Active Directory (Azure AD) subscript
Alternatively, the device can be enrolled like any other Windows device by going to **Settings** > **Accounts** > **Work access**.
-
+
### Manage a device through MDM
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 8656c33064..d4af065b4b 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -29,7 +29,7 @@ In order to function properly, the Surface Hub must have access to a wired or wi
- Can receive an IP address using DHCP
- Open ports:
- HTTPS: 443
- - HTTP: 8080
+ - HTTP: 80
A wired connection is preferred.
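Review bot: the correction from HTTP 8080 to 80 is the only substantive change in this file, and the second hunk makes the same change, which is good; but "Open ports:" does not say in which direction. As written it can be read as requiring inbound listeners on the Hub. If these are outbound connections from the device (the DHCP bullet and the proxy sentence in the next hunk point that way), say so explicitly so firewall admins do not open inbound 80 and 443 to the device.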
@@ -79,7 +79,7 @@ In order to ensure that your environment is ready for the Surface Hub, verify th
- It must have these ports open:
- HTTPS: 443
- - HTTP: 8080
+ - HTTP: 80
If your network runs through a proxy, you'll need the proxy address or script information as well.
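Review bot: the same port list and the same 8080 to 80 fix appear twice in this file (this hunk and the one at line 29); a single requirements list referenced from both places would avoid the two drifting apart in the next correction.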
diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
index f3ecf5f2d4..0d7c350af6 100644
--- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
@@ -58,9 +58,7 @@ In order to create and deploy provisioning packages, all of the following are re
### Install the Windows Imaging and Configuration Designer
1. The Windows Imaging and Configuration Designer (ICD) is installed as part of the Windows 10 ADK. The installer for the ADK can be downloaded from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?LinkId=718147).
- >**Note** The ADK must be installed on a separate PC, not on the Surface Hub.
-
-
+ >**Note** The ADK must be installed on a separate PC, not on the Surface Hub.
2. Run the installer, and set your preferences for installation. When asked what features you want to install, you will see a checklist like the one in the following figure. Note that **Windows Performance Toolkit** and **Windows Assessment Toolkit** should be unchecked, as they are not needed to run the ICD.
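Review bot: the note is re-indented and the two blank lines after it are removed; check the rendered output, because a `>` blockquote directly followed by the "2." list item can be swallowed into the quote as continuation text unless a blank line separates them. Otherwise fine.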
@@ -73,7 +71,7 @@ In order to create and deploy provisioning packages, all of the following are re
All four of these features are required to run the ICD and create a package for the Surfact Hub.
- 
+ 
3. Continue with the installer until the ADK is installed. This may take a while, because the installer downloads remote content.
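Review bot: typo in the context line, "Surfact Hub" should be "Surface Hub"; fix it while this hunk is being touched.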
@@ -83,29 +81,29 @@ This example will demonstrate how to create a provisioning package to install a
1. On the PC that had the Windows 10 ADK installed, open ICD and choose the **New provisioning package** tile from the main menu.
- 
+ 
2. When the **New project** dialog box opens, type whatever name you like in the **Name** box. The **Location** and **Description** boxes can also be filled at your discretion, though we recommend using the **Description** box to help you distinguish among multiple packages. Click **Next**.
- 
+ 
Select the settings that are **Common to all Windows editions**, and click **Next**.
- 
+ 
When asked to import a provisioning package, just click **Finish.**
- 
+ 
3. ICD's main screen will be displayed. This is where you create the provisioning package. In the **Available customizations** pane, expand **Runtime settings** and then expand **Certificates**. Click **Root certificates**.
- 
+ 
In the center pane, you’ll be asked to specify a **CertificateName** for the Root certificate. You can set this to whatever you want. For the example, we've used the same name as the project. Click **Add**, and an entry will be added in the left pane.
4. In the **Available customizations** pane on the left, a new category has appeared for **CertificatePath** underneath the **CertificateName** you provided. There’s also a red exclamation icon indicating that there is a required field that needs to be set. Click **CeritficatePath**.
- 
+ 
5. In the center pane, you’ll be asked to specify the path for the certificate. Enter the name of the .cer file that you want to deploy, either by typing or clicking **Browse**. It must be a root certificate. The provisioning package created will copy the .cer file into the package it creates.
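Review bot: typo in the context line of step 4, "Click **CeritficatePath**" should be "Click **CertificatePath**" (it is spelled correctly earlier in the same sentence). Step 5 says the file "must be a root certificate"; since this package adds a root CA to the device's trust store and step 8 of the deployment section says "The certificate will be installed", one sentence telling the reader to verify the .cer is their own organization's root (for example by its thumbprint) before building would help, because whatever goes in here is trusted by every Surface Hub that receives the package.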
@@ -238,15 +236,15 @@ The following two methods for deploying provisioning packages apply to any kind
3. Navigate to **System > Work Access**. Under the header **Related settings**, click on **Add or remove a management package**.
4. Here, click the button for **Add a package**.
- 
+ 
5. Click **Removable media** from the dropdown list. You will see a list of available provisioning packages on the **Settings** page.
- 
+ 
6. Choose your package and click **Add**.
- 
+ 
7. You may have to re-enter the admin credentials if User Access Control (UAC) asks for them.
8. You’ll see a confirmation dialog box. Click **Yes, add it**. The certificate will be installed.
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index 590099c5ec..79edc9e9a3 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -68,7 +68,7 @@ You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial
This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable.
-
+
## Command sets
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index c68b67eb32..a84ca0aa97 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -25,33 +25,33 @@ If a wired network connection is not available, the Surface Hub can use a wirele
1. On the Surface Hub, open **Settings** and enter your admin credentials.
2. Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
- 
+ 
3. If the network is secured, you'll be asked to enter the security key. Click **Next** to connect.
- 
+ 
### Review wireless settings
1. On the Surface Hub, open **Settings** and enter your admin credentials.
2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
- 
+ 
3. The system will show you the properties for the wireless network connection.
- 
+ 
### Review wired settings
1. On the Surface Hub, open **Settings** and enter your admin credentials.
2. Click **System**, click **Network & Internet**, then click on the network under Ethernet.
- 
+ 
3. The system will show you the properties for the wired network connection.
- 
+ 
## Related topics
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 69a46fdc96..0b2f363936 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -13,4 +13,7 @@
### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
## [Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)
## [Surface Dock Updater](surface-dock-updater.md)
+## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
+### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
+### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
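Review bot: the TOC adds three SEMM entries, but only enroll-and-configure-surface-devices-with-semm.md is added in the visible part of this patch; surface-enterprise-management-mode.md and unenroll-surface-devices-from-semm.md do not appear here. If they are in a separate change, make sure it lands first or in the same merge, otherwise the TOC links will be broken.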
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index 01fc609a8f..4c35222e31 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -81,6 +81,8 @@ Figure 5 shows the required frameworks for the Surface app.
*Figure 5. Required frameworks for the Surface app*
+>**Note:** The version numbers of the Surface app and required frameworks will change as the apps are updated. Check for the latest version of Surface app and each framework in Windows Store for Business. Always use the Surface app and recommended framework versions as provided by Windows Store for Business. Using outdated frameworks or the incorrect versions may result in errors or application crashes.
+
To download the required frameworks for the Surface app, follow these steps:
1. Click the **Download** button under **Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe**. This downloads the Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
2. Click the **Download** button under **Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe**. This downloads the Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe.Appx file to your specified folder.
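Review bot: the new note uses `>**Note:**` with the colon inside the bold, while the new SEMM page in this patch uses `>**Note**:` and provisioning-packages uses `>**Note** ` with no colon; pick one form for the repo. The content is the right thing to add: the package names with version numbers in steps 1 and 2 (for example `Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe`) will go stale, and this note is what tells readers not to treat those literals as current.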
diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
new file mode 100644
index 0000000000..08696c682d
--- /dev/null
+++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
@@ -0,0 +1,135 @@
+---
+title: Enroll and configure Surface devices with SEMM (Surface)
+description: Learn how to create a Surface UEFI configuration package to control the settings of Surface UEFI, as well as enroll a Surface device in SEMM.
+keywords: surface enterprise management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices, security
+ms.sitesec: library
+author: jobotto
+---
+
+# Enroll and configure Surface devices with SEMM
+
+With Microsoft Surface Enterprise Management Mode (SEMM), you can securely configure the settings of Surface UEFI on a Surface device and manage those settings on Surface devices in your organization. When a Surface device is managed by SEMM, that device is considered to be *enrolled* (sometimes referred to as activated). This article shows you how to create a Surface UEFI configuration package that will not only control the settings of Surface UEFI, but will also enroll a Surface device in SEMM.
+
+For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
+
+#### Download and install Microsoft Surface UEFI Configurator
+The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
+Run the Microsoft Surface UEFI Configurator Windows Installer (.msi) file to start the installation of the tool. When the installer completes, find Microsoft Surface UEFI Configurator in the All Apps section of your Start menu.
+
+>**Note**: Microsoft Surface UEFI Configurator is supported only on Windows 10.
+
+## Create a Surface UEFI configuration package
+
+The Surface UEFI configuration package performs both the role of applying a new configuration of Surface UEFI settings to a Surface device managed with SEMM and the role of enrolling Surface devices in SEMM. The creation of a configuration package requires you to have a signing certificate to be used with SEMM to secure the configuration of UEFI settings on each Surface device. For more information about the requirements for the SEMM certificate, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
+
+To create a Surface UEFI configuration package, follow these steps:
+
+1. Open Microsoft Surface UEFI Configurator from the Start menu.
+2. Click **Start**.
+3. Click **Configuration Package**, as shown in Figure 1.
+
+ 
+
+ *Figure 1. Select Configuration Package to create a package for SEMM enrollment and configuration*
+
+4. Click **Certificate Protection** to add your exported certificate file with private key (.pfx), as shown in Figure 2. Browse to the location of your certificate file, select the file, and then click **OK**.
+
+ 
+
+ *Figure 2. Add the SEMM certificate and Surface UEFI password to a Surface UEFI configuration package*
+
+5. When you are prompted to confirm the certificate password, enter and confirm the password for your certificate file, and then click **OK**.
+6. Click **Password Protection** to add a password to Surface UEFI. This password will be required whenever you boot to UEFI. If this password is not entered, only the **PC information**, **About**, **Enterprise management**, and **Exit** pages will be displayed. This step is optional.
+7. When you are prompted, enter and confirm your chosen password for Surface UEFI, and then click **OK**. If you want to clear an existing Surface UEFI password, leave the password field blank.
+8. If you do not want the Surface UEFI package to apply to a particular device, on the **Choose which Surface type you want to target** page, click the slider beneath the corresponding Surface Book or Surface Pro 4 image so that it is in the **Off** position. (As shown in Figure 3.)
+
+ 
+
+ *Figure 3. Choose the devices for package compatibility*
+
+9. Click **Next**.
+10. If you want to deactivate a component on managed Surface devices, on the **Choose which components you want to activate or deactivate** page, click the slider next to any device or group of devices you want to deactivate so that the slider is in the **Off** position. (Shown in Figure 4.) The default configuration for each device is **On**. Click the **Reset** button if you want to return all sliders to the default position.
+
+ 
+
+ *Figure 4. Disable or enable individual Surface components*
+
+11. Click **Next**.
+12. To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off** (shown in Figure 5). In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package.
+
+ 
+
+ *Figure 5. Control advanced Surface UEFI settings and Surface UEFI pages with SEMM*
+
+13. In the **Save As** dialog box, specify a name for the Surface UEFI configuration package, browse to the location where you would like to save the file, and then click **Save**.
+14. When the package is created and saved, the **Successful** page is displayed.
+
+>**Note**: Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
+
+
+
+*Figure 6. The last two characters of the certificate thumbprint are displayed on the Successful page*
+
+Now that you have created your Surface UEFI configuration package, you can enroll or configure Surface devices.
+
+>**Note**: When a Surface UEFI configuration package is created, a log file is created on the desktop with details of the configuration package settings and options.
+
+## Enroll a Surface device in SEMM
+When the Surface UEFI configuration package is executed, the SEMM certificate and Surface UEFI configuration files are staged in the firmware storage of the Surface device. When the Surface device reboots, Surface UEFI processes these files and begins the process of applying the Surface UEFI configuration or enrolling the Surface device in SEMM, as shown in Figure 7.
+
+
+
+*Figure 7. The SEMM process for configuration of Surface UEFI or enrollment of a Surface device*
+
+Before you begin the process to enroll a Surface device in SEMM, ensure that you have the last two characters of the certificate thumbprint on hand. You will need these characters to confirm the device’s enrollment (see Figure 6).
+
+To enroll a Surface device in SEMM with a Surface UEFI configuration package, follow these steps:
+
+1. Run the Surface UEFI configuration package .msi file on the Surface device you want to enroll in SEMM. This will provision the Surface UEFI configuration file in the device’s firmware.
+2. Select the **I accept the terms in the License Agreement** check box to accept the End User License Agreement (EULA), and then click **Install** to begin the installation process.
+3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so.
+4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows:
+ * Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate.
+ * Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8.
+
+ 
+
+ *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint*
+
+ * Surface UEFI will store the SEMM certificate in firmware and apply the configuration settings that are specified in the Surface UEFI configuration file.
+
+5. The Surface device is now enrolled in SEMM and will boot to Windows.
+
+You can verify that a Surface device has been successfully enrolled in SEMM by looking for **Microsoft Surface Configuration Package** in **Programs and Features** (as shown in Figure 9), or in the events stored in the **Microsoft Surface UEFI Configurator** log, found under **Applications and Services Logs** in Event Viewer (as shown in Figure 10).
+
+
+
+*Figure 9. Verify the enrollment of a Surface device in SEMM in Programs and Features*
+
+
+
+*Figure 10. Verify the enrollment of a Surface device in SEMM in Event Viewer*
+
+You can also verify that the device is enrolled in SEMM in Surface UEFI – while the device is enrolled, Surface UEFI will contain the **Enterprise management** page (as shown in Figure 11).
+
+
+
+*Figure 11. The Surface UEFI Enterprise management page*
+
+
+## Configure Surface UEFI settings with SEMM
+
+After a device is enrolled in SEMM, you can run Surface UEFI configuration packages signed with the same SEMM certificate to apply new Surface UEFI settings. These settings are applied automatically the next time the device boots, without any interaction from the user. You can use application deployment solutions like System Center Configuration Manager to deploy Surface UEFI configuration packages to Surface devices to change or manage the settings in Surface UEFI.
+
+For more information about how to deploy Windows Installer (.msi) files with Configuration Manager, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt627959).
+
+If you have secured Surface UEFI with a password, users without the password who attempt to boot to Surface UEFI will only have the **PC information**, **About**, **Enterprise management**, and **Exit** pages displayed to them.
+
+If you have not secured Surface UEFI with a password or a user enters the password correctly, settings that are configured with SEMM will be dimmed (unavailable) and the text Some settings are managed by your organization will be displayed at the top of the page, as shown in Figure 12.
+
+
+
+*Figure 12. Settings managed by SEMM will be disabled in Surface UEFI*
\ No newline at end of file
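Review bot: the bullet `* Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint` in step 4 repeats "to enter"; drop one. In the final paragraph, the on-screen string "Some settings are managed by your organization" should be set off the way other UI text in this file is (bold), otherwise the sentence runs together with the surrounding prose. The file also lacks a trailing newline (`\ No newline at end of file`); add one to match the other docs in this patch.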
diff --git a/devices/surface/images/sda-fig1-select-steps.png b/devices/surface/images/sda-fig1-select-steps.png
index 15e6e64edc..cb5c24c2e0 100644
Binary files a/devices/surface/images/sda-fig1-select-steps.png and b/devices/surface/images/sda-fig1-select-steps.png differ
diff --git a/devices/surface/images/sda-fig2-specify-local.png b/devices/surface/images/sda-fig2-specify-local.png
index 24d002bc50..a7eb4d5b33 100644
Binary files a/devices/surface/images/sda-fig2-specify-local.png and b/devices/surface/images/sda-fig2-specify-local.png differ
diff --git a/devices/surface/images/sdasteps-fig4-select.png b/devices/surface/images/sdasteps-fig4-select.png
index 48f7d695a2..15d4df2af7 100644
Binary files a/devices/surface/images/sdasteps-fig4-select.png and b/devices/surface/images/sdasteps-fig4-select.png differ
diff --git a/devices/surface/images/sdasteps-fig6-specify-driver-app-files.png b/devices/surface/images/sdasteps-fig6-specify-driver-app-files.png
index 7c6750a0c8..cb82d3fec7 100644
Binary files a/devices/surface/images/sdasteps-fig6-specify-driver-app-files.png and b/devices/surface/images/sdasteps-fig6-specify-driver-app-files.png differ
diff --git a/devices/surface/images/surface-enroll-semm-fig1.png b/devices/surface/images/surface-enroll-semm-fig1.png
new file mode 100644
index 0000000000..0db814ae84
Binary files /dev/null and b/devices/surface/images/surface-enroll-semm-fig1.png differ
diff --git a/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png b/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png
new file mode 100644
index 0000000000..7ed392d31d
Binary files /dev/null and b/devices/surface/images/surface-ent-mgmt-fig1-uefi-configurator.png differ
diff --git a/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png b/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png
new file mode 100644
index 0000000000..a1316359d3
Binary files /dev/null and b/devices/surface/images/surface-ent-mgmt-fig2-securepackage.png differ
diff --git a/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png b/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png
new file mode 100644
index 0000000000..39b0c797e7
Binary files /dev/null and b/devices/surface/images/surface-ent-mgmt-fig3-enabledisable.png differ
diff --git a/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png b/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png
new file mode 100644
index 0000000000..405e8c4d7e
Binary files /dev/null and b/devices/surface/images/surface-ent-mgmt-fig4-advancedsettings.png differ
diff --git a/devices/surface/images/surface-ent-mgmt-fig5-success.png b/devices/surface/images/surface-ent-mgmt-fig5-success.png
new file mode 100644
index 0000000000..508f76533c
Binary files /dev/null and b/devices/surface/images/surface-ent-mgmt-fig5-success.png differ
diff --git a/devices/surface/images/surface-ent-mgmt-fig6-enrollconfirm.png b/devices/surface/images/surface-ent-mgmt-fig6-enrollconfirm.png
new file mode 100644
index 0000000000..78126407fa
Binary files /dev/null and b/devices/surface/images/surface-ent-mgmt-fig6-enrollconfirm.png differ
diff --git a/devices/surface/images/surface-ent-mgmt-fig7-semmrecovery.png b/devices/surface/images/surface-ent-mgmt-fig7-semmrecovery.png
new file mode 100644
index 0000000000..5a3395e0ee
Binary files /dev/null and b/devices/surface/images/surface-ent-mgmt-fig7-semmrecovery.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig1.png b/devices/surface/images/surface-semm-enroll-fig1.png
new file mode 100644
index 0000000000..0db814ae84
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig1.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig10.png b/devices/surface/images/surface-semm-enroll-fig10.png
new file mode 100644
index 0000000000..e61cf3d70a
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig10.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig11.png b/devices/surface/images/surface-semm-enroll-fig11.png
new file mode 100644
index 0000000000..91c03fef5e
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig11.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig12.png b/devices/surface/images/surface-semm-enroll-fig12.png
new file mode 100644
index 0000000000..d6c0505c16
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig12.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig3.png b/devices/surface/images/surface-semm-enroll-fig3.png
new file mode 100644
index 0000000000..2d66b485f9
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig3.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig4.png b/devices/surface/images/surface-semm-enroll-fig4.png
new file mode 100644
index 0000000000..39b0c797e7
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig4.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig5.png b/devices/surface/images/surface-semm-enroll-fig5.png
new file mode 100644
index 0000000000..b3d3db34c7
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig5.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig6.png b/devices/surface/images/surface-semm-enroll-fig6.png
new file mode 100644
index 0000000000..95b1c1b24b
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig6.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig7.png b/devices/surface/images/surface-semm-enroll-fig7.png
new file mode 100644
index 0000000000..26a640ac0c
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig7.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig8.png b/devices/surface/images/surface-semm-enroll-fig8.png
new file mode 100644
index 0000000000..a1421da21c
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig8.png differ
diff --git a/devices/surface/images/surface-semm-enroll-fig9.png b/devices/surface/images/surface-semm-enroll-fig9.png
new file mode 100644
index 0000000000..9229ee255d
Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig9.png differ
diff --git a/devices/surface/images/surface-semm-enrollment-fig2.png b/devices/surface/images/surface-semm-enrollment-fig2.png
new file mode 100644
index 0000000000..1a5649b01e
Binary files /dev/null and b/devices/surface/images/surface-semm-enrollment-fig2.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig1.png b/devices/surface/images/surface-semm-unenroll-fig1.png
new file mode 100644
index 0000000000..b0247d3871
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig1.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig10.png b/devices/surface/images/surface-semm-unenroll-fig10.png
new file mode 100644
index 0000000000..968bf44d8c
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig10.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig11.png b/devices/surface/images/surface-semm-unenroll-fig11.png
new file mode 100644
index 0000000000..c5e86d2b65
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig11.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig12.png b/devices/surface/images/surface-semm-unenroll-fig12.png
new file mode 100644
index 0000000000..d9a3e0617b
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig12.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig13.png b/devices/surface/images/surface-semm-unenroll-fig13.png
new file mode 100644
index 0000000000..cfe16c3a99
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig13.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig14.png b/devices/surface/images/surface-semm-unenroll-fig14.png
new file mode 100644
index 0000000000..5c95097c8d
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig14.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig2.png b/devices/surface/images/surface-semm-unenroll-fig2.png
new file mode 100644
index 0000000000..5affd8cef6
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig2.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig3.png b/devices/surface/images/surface-semm-unenroll-fig3.png
new file mode 100644
index 0000000000..45c1ae38ed
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig3.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig4.png b/devices/surface/images/surface-semm-unenroll-fig4.png
new file mode 100644
index 0000000000..c4ecf92b1b
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig4.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig5.png b/devices/surface/images/surface-semm-unenroll-fig5.png
new file mode 100644
index 0000000000..9229ee255d
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig5.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig6.png b/devices/surface/images/surface-semm-unenroll-fig6.png
new file mode 100644
index 0000000000..91c03fef5e
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig6.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig7.png b/devices/surface/images/surface-semm-unenroll-fig7.png
new file mode 100644
index 0000000000..0dcbace491
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig7.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig8.png b/devices/surface/images/surface-semm-unenroll-fig8.png
new file mode 100644
index 0000000000..77e7e05407
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig8.png differ
diff --git a/devices/surface/images/surface-semm-unenroll-fig9.png b/devices/surface/images/surface-semm-unenroll-fig9.png
new file mode 100644
index 0000000000..b40ccb2449
Binary files /dev/null and b/devices/surface/images/surface-semm-unenroll-fig9.png differ
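Review bot: four of the new PNGs are byte-identical to another new image in this patch, judging by the blob ids in the `index` lines: surface-enroll-semm-fig1.png and surface-semm-enroll-fig1.png (both 0db814ae84), surface-ent-mgmt-fig3-enabledisable.png and surface-semm-enroll-fig4.png (both 39b0c797e7), surface-semm-enroll-fig9.png and surface-semm-unenroll-fig5.png (both 9229ee255d), and surface-semm-enroll-fig11.png and surface-semm-unenroll-fig6.png (both 91c03fef5e). Unless distinct file names are required, keep one copy of each and reference it from both pages; the `enroll-semm` versus `semm-enroll` pair in particular looks like a naming slip rather than an intentional duplicate.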
diff --git a/devices/surface/index.md b/devices/surface/index.md
index 19658afe3a..08b52df1e9 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -1,6 +1,6 @@
---
title: Surface (Surface)
-description: .
+description:
ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04
ms.prod: w10
ms.mktglfcycl: manage
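Review bot: `description:` in the index.md front matter is now empty. The previous value `.` was a placeholder too, but an empty field ships an empty meta description for the Surface landing page; either supply a one-line description or remove the key.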
@@ -86,6 +86,11 @@ For more information on planning for, deploying, and managing Surface devices in
[Surface Dock Updater](surface-dock-updater.md) |
Get a detailed walkthrough of Microsoft Surface Dock Updater. |
+
+[Surface Enterprise Management Mode](surface-enterprise-management-mode.md) |
+See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization.
+ |
+
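Review bot: the new Surface Enterprise Management Mode table row puts its closing ` |` on a line of its own, whereas the existing rows in this table (see the Surface Dock Updater row just above) end the description line with ` |`. Move the pipe to the end of the description line so the row renders like the others, and drop the extra blank `+` line that follows it.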
diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md
index 9428200756..f11c5fefe8 100644
--- a/devices/surface/manage-surface-dock-firmware-updates.md
+++ b/devices/surface/manage-surface-dock-firmware-updates.md
@@ -43,7 +43,7 @@ The Surface Dock firmware update process shown in Figure 1 follows these steps:
8. When the Surface Dock is disconnected for a second time, the Surface dock installs the firmware update to the DisplayPort chipset. This process takes up to 3 minutes to apply.
-
+
*1- Driver installation can be performed by Windows Update, manual installation, or automatically downloaded with Microsoft Surface Dock Updater*
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 44428903c1..e36486bfa4 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -39,9 +39,9 @@ You will also find detailed information about the firmware of your Surface devic
- Touch Firmware
-*Figure 1. System information and firmware version information*
+
-
+*Figure 1. System information and firmware version information*
You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/en-us/support/install-update-activate/surface-update-history) for your device.
@@ -59,21 +59,21 @@ On the **Security** page of Surface UEFI settings, you can set a password to pro
The password must be at least 6 characters and is case sensitive.
-*Figure 2. Add a password to protect Surface UEFI settings*
+
-
+*Figure 2. Add a password to protect Surface UEFI settings*
On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.
-*Figure 3. Configure Secure Boot*
+
-
+*Figure 3. Configure Secure Boot*
You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library.
-*Figure 4. Configure Surface UEFI security settings*
+
-
+*Figure 4. Configure Surface UEFI security settings*
##Devices
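Review bot: the context heading `##Devices` at the end of this hunk (and `##Boot configuration` and `##Exit` in the following hunks of the same file) has no space after `##`, which some markdown renderers do not treat as a heading. Since this patch already touches each of those sections, change them to `## Devices`, `## Boot configuration` and `## Exit` while you are here.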
@@ -95,9 +95,9 @@ On the **Devices** page you can enable or disable specific devices and component
Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5.
-*Figure 5. Enable and disable specific devices*
+
-
+*Figure 5. Enable and disable specific devices*
##Boot configuration
@@ -115,9 +115,9 @@ You can boot from a specific device immediately, or you can swipe left on that d
For the specified boot order to take effect, you must set the **Enable Alternate Boot Sequence** option to **On**, as shown in Figure 6.
-*Figure 6. Configure the boot order for your Surface device*
+
-
+*Figure 6. Configure the boot order for your Surface device*
You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only.
@@ -125,14 +125,14 @@ You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE
The **About** page displays regulatory information, such as compliance with FCC rules, as shown in Figure 7.
-*Figure 7. Regulatory information is displayed on the About page*
+
-
+*Figure 7. Regulatory information displayed on the About page*
##Exit
Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8.
-*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
+
-
+*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 6f76da2a15..1fde46555c 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -65,24 +65,24 @@ After the creation tool is installed, follow these steps to create a Microsoft S
3. Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1.
- 
+ 
- Figure 1. Start the Microsoft Surface Data Eraser tool
+ *Figure 1. Start the Microsoft Surface Data Eraser tool*
4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost.
>**Note:** If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB.
- 
+ 
- Figure 2. USB thumb drive selection
+ *Figure 2. USB thumb drive selection*
5. After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**.
6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3.
- 
+ 
- Figure 3. Complete the Microsoft Surface Data Eraser USB creation process
+ *Figure 3. Complete the Microsoft Surface Data Eraser USB creation process*
7. Click **X** to close Microsoft Surface Data Eraser.
@@ -105,9 +105,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed.
- 
+ 
- Figure 4. Booting the Microsoft Surface Data Eraser USB stick
+ *Figure 4. Booting the Microsoft Surface Data Eraser USB stick*
4. Read the software license terms, and then close the notepad file.
@@ -123,9 +123,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
7. If you typed **S** to begin the data erase process, the partition that will be erased is displayed, as shown in Figure 5. If this is correct, press **Y** to continue, or **N** to shut down the device.
- 
+ 
- Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser
+ *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
8. If you pressed **Y** in step 7, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index 8b9b17335c..3a37d4c81c 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -13,17 +13,17 @@ author: miladCA
# Microsoft Surface Deployment Accelerator
-Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
+Microsoft Surface Deployment Accelerator (SDA) provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
-Microsoft Surface Deployment Accelerator includes a wizard that automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools. The resulting deployment solution is complete with everything you need to immediately begin the deployment of Windows to a Surface device. You can also use Microsoft Surface Deployment Accelerator to create and capture a Windows reference image and then deploy it with the latest Windows Updates.
+SDA includes a wizard that automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools. The resulting deployment solution is complete with everything you need to immediately begin the deployment of Windows to a Surface device. You can also use SDA to create and capture a Windows reference image and then deploy it with the latest Windows updates.
-Microsoft Surface Deployment Accelerator is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution.
+SDA is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution.
You can find more information about how to deploy to Surface devices, including step-by-step walkthroughs of customized deployment solution implementation, on the Deploy page of the [Surface TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=691693).
**Download Microsoft Surface Deployment Accelerator**
-You can download the installation files for Microsoft Surface Deployment Accelerator from the Microsoft Download Center. To download the installation files:
+You can download the installation files for SDA from the Microsoft Download Center. To download the installation files:
1. Go to the [Surface Tools for IT](http://go.microsoft.com/fwlink/p/?LinkId=618121) page on the Microsoft Download Center.
@@ -32,9 +32,9 @@ You can download the installation files for Microsoft Surface Deployment Acceler
## Microsoft Surface Deployment Accelerator prerequisites
-Before you install Microsoft Surface Deployment Accelerator, your environment must meet the following prerequisites:
+Before you install SDA, your environment must meet the following prerequisites:
-- Microsoft Surface Deployment Accelerator must be installed on Windows Server 2012 R2 or later
+- SDA must be installed on Windows Server 2012 R2 or later
- PowerShell Script Execution Policy must be set to **Unrestricted**
@@ -44,45 +44,74 @@ Before you install Microsoft Surface Deployment Accelerator, your environment mu
- To support network boot, the Windows Server 2012 R2 environment must have Windows Deployment Services installed and configured to respond to PXE requests
-- Access to Windows source files or installation media is required when you prepare a deployment with Microsoft Surface Deployment Accelerator
+- Access to Windows source files or installation media is required when you prepare a deployment with SDA
- At least 6 GB of free space for each version of Windows you intend to deploy
## How Microsoft Surface Deployment Accelerator works
-As you progress through the Microsoft Surface Deployment Accelerator wizard, you will be asked some basic questions about how your deployment solution should be configured. As you select the desired Surface models to be supported and apps to be installed (see Figure 1), the wizard will prepare scripts that download, install, and configure everything needed to perform a complete deployment and capture of a reference image. By using the network boot (PXE) capabilities of Windows Deployment Services (WDS), the resulting solution enables you to boot a Surface device from the network and perform a clean deployment of Windows.
+As you progress through the SDA wizard, you will be asked some basic questions about how your deployment solution should be configured. As you select the desired Surface models to be supported and apps to be installed (see Figure 1), the wizard will prepare scripts that download, install, and configure everything needed to perform a complete deployment and capture of a reference image. By using the network boot (PXE) capabilities of Windows Deployment Services (WDS), the resulting solution enables you to boot a Surface device from the network and perform a clean deployment of Windows.
-
+
-Figure 1: Select desired apps and drivers
+*Figure 1. Select desired apps and drivers*
-When the Microsoft Surface Deployment Accelerator completes, you can use the deployment share to deploy over the network immediately. Simply boot your Surface device from the network using a Surface Ethernet Adapter and select the Surface deployment share you created with the Microsoft Surface Deployment Accelerator wizard. Select the **1- Deploy Microsoft Surface** task sequence and the wizard will walk you through an automated deployment of Windows to your Surface device.
+When the SDA completes, you can use the deployment share to deploy over the network immediately. Simply boot your Surface device from the network using a Surface Ethernet Adapter and select the Surface deployment share you created with the SDA wizard. Select the **1- Deploy Microsoft Surface** task sequence and the wizard will walk you through an automated deployment of Windows to your Surface device.
You can modify the task sequence in the MDT Deployment Workbench to [include your own apps](http://go.microsoft.com/fwlink/p/?linkid=691700), or to [pause the automated installation routine](http://go.microsoft.com/fwlink/p/?linkid=691701). While the installation is paused, you can make changes to customize your reference image. After the image is captured, you can configure a deployment task sequence and distribute this custom configuration by using the same network boot capabilities as before.
->**Note:** With Microsoft Surface Deployment Accelerator v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
+>**Note:** With SDA v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment.
## Use Microsoft Surface Deployment Accelerator without an Internet connection
-For environments where the Microsoft Surface Deployment Accelerator server will not be able to connect to the Internet, the required Surface files can be downloaded separately. To specify a local source for Surface driver and app files, select the **Copy from a local directory** option and specify the location of your downloaded files (see Figure 2). All of the driver and app files for your selected choices must be placed in the specified folder.
+For environments where the SDA server will not be able to connect to the Internet, the required Surface files can be downloaded separately. To specify a local source for Surface driver and app files, select the **Copy from a local directory** option and specify the location of your downloaded files (see Figure 2). All of the driver and app files for your selected choices must be placed in the specified folder.
-
+
-Figure 2. Specify a local source for Surface driver and app files
+*Figure 2. Specify a local source for Surface driver and app files*
You can find a full list of available driver downloads at [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
>**Note:** Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder.
+>**Note:** Using files from a local directory is not supported when including Office 365 in your deployment share. To include Office 365 in your deployment share, select the **Download from the Internet** check box.
+
+## Changes and updates
+
+SDA is periodically updated by Microsoft. For instructions on how these features are used, see [Step-by-Step: Microsoft Surface Deployment Accelerator](https://technet.microsoft.com/en-us/itpro/surface/step-by-step-surface-deployment-accelerator).
+
+>**Note:** To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share.
+### Version 1.96.0405
+This version of SDA adds support for the following:
+* Microsoft Deployment Toolkit (MDT) 2013 Update 2
+* Office 365 Click-to-Run
+* Surface 3 and Surface 3 LTE
+* Reduced Windows Assessment and Deployment Kit (Windows ADK) footprint, only the following Windows ADK components are installed:
+ * Deployment tools
+ * Windows Preinstallation Environment (WinPE)
+ * User State Migration Tool (USMT)
-
+### Version 1.90.0258
+This version of SDA adds support for the following:
+* Surface Book
+* Surface Pro 4
+* Windows 10
-
+### Version 1.90.0000
+This version of SDA adds support for the following:
+* Local driver and app files can be used to create a deployment share without access to the Internet
+
+### Version 1.70.0000
+This version is the original release of SDA. This version of SDA includes support for:
+* MDT 2013 Update 1
+* Windows ADK
+* Surface Pro 3
+* Windows 8.1
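Review bot: the nested Windows ADK component list under the "Reduced Windows Assessment and Deployment Kit (Windows ADK) footprint" bullet is indented by a single space (` * Deployment tools`), which most Markdown renderers treat as a top-level bullet rather than a sub-list; indent the three items by at least two spaces so they render under the parent bullet, and split the parent into two sentences ("Reduced Windows ADK footprint. Only the following Windows ADK components are installed:") to fix the comma splice. Two smaller points in the same hunk: the sentence ending with the "Download the latest firmware and drivers for Surface devices" link has no closing period, and the Note about upgrading SDA runs straight into the `### Version 1.96.0405` heading with no blank line between them, unlike the other version headings in the section.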
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 07c32b693b..016c7ddfbd 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -26,17 +26,17 @@ For information about prerequisites and instructions for how to download and ins
3. Accept the End User License Agreement (EULA) by selecting the check box, and then click **Install**, as shown in Figure 1.
- 
+ 
- Figure 1. SDA setup
+ *Figure 1. SDA setup*
4. Click **Finish** to complete the installation of SDA.
-The tool installs in the Surface Deployment Accelerator program group, as shown in Figure 2.
+The tool installs in the SDA program group, as shown in Figure 2.
-
+
-Figure 2. The Surface Deployment Accelerator program group and icon
+*Figure 2. The SDA program group and icon*
>**Note:** At this point the tool has not yet prepared any deployment environment or downloaded any materials from the Internet.
@@ -45,7 +45,7 @@ Figure 2. The Surface Deployment Accelerator program group and icon
## Create a deployment share
-The following steps show how you create a deployment share for Windows 10 that supports Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, and the Surface Asset Tag Tool. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps.
+The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps.
>**Note:** SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice.
@@ -55,7 +55,14 @@ The following steps show how you create a deployment share for Windows 10 that
2. On the **Welcome** page, click **Next** to continue.
-3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 1. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue.
+3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue.
+
+ >**Note:** As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
+ * Deployment tools
+ * User State Migration Tool (USMT)
+ * Windows Preinstallation Environment (WinPE)
+
+ >**Note:** As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue.
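Review bot: the Windows ADK component list that follows the first added Note (` * Deployment tools`, ` * User State Migration Tool (USMT)`, ` * Windows Preinstallation Environment (WinPE)`) is not prefixed with `>`, so a CommonMark renderer closes the blockquote at the first list item and the list appears outside the Note; prefix each item with `> ` or fold the three components into a sentence inside the Note. The component order here (Deployment tools, USMT, WinPE) also differs from the order given in the new Changes and updates section of the SDA page (Deployment tools, WinPE, USMT); pick one order and use it in both places.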
@@ -75,15 +82,17 @@ The following steps show how you create a deployment share for Windows 10 that
- **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**.
- 
+ 
- Figure 3. Specify Windows 10 deployment share options
+ *Figure 3. Specify Windows 10 deployment share options*
-6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface Pro 3 and cannot be selected unless Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue.
+6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue.
- 
+ 
- Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers
+ *Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers*
+
+ >**Note:** You cannot select both Surface 3 and Surface 3 LTE models at the same time.
7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes:
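Review bot: the step text now says the Surface Firmware Tool requires Surface 3 or Surface Pro 3 drivers, but the Figure 4 caption still reads "Selecting Surface Firmware Tool requires Surface Pro 3 drivers"; update the caption (and check that the screenshot shows the Surface 3 option) so the two agree. The added Note "You cannot select both Surface 3 and Surface 3 LTE models at the same time" would be more useful if it said how the wizard enforces this (for example, whether the second check box is disabled or a warning is shown), since the reader otherwise cannot tell a rule from a UI behavior.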
@@ -105,9 +114,9 @@ The following steps show how you create a deployment share for Windows 10 that
- Creation of rules and task sequences for Windows deployment
- 
+ 
- Figure 5. The **Installation Progress** window
+ *Figure 5. The Installation Progress window*
8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices.
@@ -115,13 +124,15 @@ The following steps show how you create a deployment share for Windows 10 that
If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver an app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6.
->**Note:** All of the downloaded driver and applications files must be located in the same folder. The driver and app files do not need to be extracted from the downloaded .zip files.
+>**Note:** All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step.
-
+>**Note:** The driver and app files do not need to be extracted from the downloaded .zip files.
-
+>**Note:** Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files.
-Figure 6. Specify the Surface driver and app files from a local path
+
+
+*Figure 6. Specify the Surface driver and app files from a local path*
>**Note:** The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later.
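Review bot: "driver and applications files" in the first rewritten Note should read "driver and application files" (the pre-existing typo is carried over; the unchanged step above also has "driver an app files" and could be fixed in the same pass). More substantively, the retained Note at the end of the hunk says the **Copy from a Local Directory** check box is available in "SDA version 1.90.0221 or later", while the Changes and updates section added to the SDA page in this same change lists 1.90.0000 as the release that added local driver and app file support, followed by 1.90.0258; one of the two version numbers is wrong. Lastly, "Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files" reads better as "cannot be included if you use local files".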
@@ -159,9 +170,9 @@ Before you can create bootable media files within the MDT Deployment Workbench o
9. **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window.
- 
+ 
- Figure 7. Use DiskPart to prepare a USB drive for boot
+ *Figure 7. Use DiskPart to prepare a USB drive for boot*
>**Note:** You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly.
@@ -177,15 +188,15 @@ After you have prepared the USB drive for boot, the next step is to generate off
4. Right-click the **Media** folder and click **New Media** as shown in Figure 8 to start the New Media Wizard.
- 
+ 
- Figure 8. The Media folder of the SDA deployment share
+ *Figure 8. The Media folder of the SDA deployment share*
5. On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**.
- 
+ 
- Figure 9. Specify a location and selection profile for your offline media
+ *Figure 9. Specify a location and selection profile for your offline media*
6. On the **Summary** page verify your selections, and then click **Next** to begin creation of the media.
@@ -195,9 +206,9 @@ After you have prepared the USB drive for boot, the next step is to generate off
9. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab as shown in Figure 10.
- 
+ 
- Figure 10. The Rules of the SDA deployment share
+ *Figure 10. Rules of the SDA deployment share*
10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+C** to copy the text.
@@ -229,15 +240,17 @@ After you have prepared the USB drive for boot, the next step is to generate off
UserPassword=
```
- 
+ 
- Figure 11. The Bootstrap.ini file of MEDIA001
+ *Figure 11. The Bootstrap.ini file of MEDIA001*
20. Close Bootstrap.ini and click **OK** in **MEDIA001** deployment share properties to close the window.
21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share.
- Figure 12. Select **Update Media Content**
+ 
+
+ *Figure 12. Select the Update Media Content option*
22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.**
@@ -252,11 +265,11 @@ Your USB drive is now configured as bootable offline media that contains all of
## SDA task sequences
-The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 1 Lite Touch components](http://technet.microsoft.com/en-us/itpro/windows/deploy/mdt-2013-lite-touch-components).
+The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 2 Lite Touch components](https://technet.microsoft.com/itpro/windows/deploy/mdt-2013-lite-touch-components).
-
+
-Figure 13. Task sequences in the Deployment Workbench
+*Figure 13. Task sequences in the Deployment Workbench*
### Deploy Microsoft Surface
@@ -286,7 +299,7 @@ The **2 – Create Windows Reference Image** task sequence is used to perform a
Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations.
->**Note:** Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information see [Deploy a Windows 10 image using MDT 2013 Update 1](http://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
+>**Note:** Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](http://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
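Review bot: the "Deploy a Windows 10 image using MDT 2013 Update 2" link keeps the `http://technet.microsoft.com/en-us/...` form, while the equivalent MDT link in the SDA task sequences section earlier in this file was normalized in this same change to `https://technet.microsoft.com/itpro/...` without the locale segment; use the https, locale-free form here too so the page does not mix cleartext and TLS links to the same host.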
@@ -323,9 +336,9 @@ To instruct your Surface device to boot from the network, start with the device
4. Enter the domain credentials that you use to log on to the server where SDA is installed when you are prompted, as shown in Figure 14.
- 
+ 
- Figure 14. The prompt for credentials to the deployment share
+ *Figure 14. The prompt for credentials to the deployment share*
5. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process.
@@ -343,15 +356,15 @@ To run the Deploy Microsoft Surface task sequence:
1. On the **Task Sequence** page, select the **1 – Deploy Microsoft Surface** task sequence as shown in Figure 15, and then click **Next.**
- 
+ 
- Figure 15. Select the **1 – Deploy Microsoft Surface** task sequence
+ *Figure 15. Select the 1 – Deploy Microsoft Surface task sequence*
2. On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the **Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click **Next**.
- 
+ 
- Figure 16. Enter the computer name and domain information
+ *Figure 16. Enter the computer name and domain information*
3. On the **Product Key** page, keep the **No product key is required** check box selected if you are deploying the same version and edition of Windows to your Surface devices as they came with from the factory. If you are deploying a different version or edition of Windows to the device, such as Windows Enterprise, select the licensing option that is applicable to your scenario.
@@ -363,9 +376,9 @@ To run the Deploy Microsoft Surface task sequence:
7. On the **Ready** page, verify your selections and then click **Begin** to start the automated deployment to this device. The deployment will not require user interaction again. The Windows Deployment Wizard will close and an **Installation Progress** window is displayed to show progress of the task sequence as the image is applied and applications are installed (Figure 17).
- 
+ 
- Figure 17. The **Installation Progress** window
+ *Figure 17. The Installation Progress window*
8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device.
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index ea56c4cc95..4020a499aa 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -34,15 +34,15 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
- If the tool determines that the firmware of your Surface Dock is up to date, a **You have the latest firmware for this Surface Dock** message is displayed, as shown in Figure 1.
- 
+ 
- Figure 1. Your Surface Dock firmware is up to date.
+ *Figure 1. Your Surface Dock firmware is up to date*
- If Microsoft Surface Dock Updater determines that the firmware of your Surface Dock is not up to date, a **This Surface Dock is not running the latest firmware** message is displayed, as shown in Figure 2.
- 
+ 
- Figure 2. Your Surface Dock firmware needs to be updated
+ *Figure 2. Your Surface Dock firmware needs to be updated*
3. To begin the firmware update process, click **Update** on the **Surface Dock Firmware** page.
@@ -50,27 +50,27 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
5. As the firmware update is uploaded to the Surface Dock, a **Progress** page is displayed, as shown in Figure 3. Do not disconnect the Surface Dock while firmware is being uploaded.
- 
+ 
- Figure 3. Progress of firmware update upload to Surface Dock
+ *Figure 3. Progress of firmware update upload to Surface Dock*
6. After the firmware update has successfully uploaded to the Surface Dock, you are prompted to disconnect and then reconnect the Surface Dock from the Surface device, as shown in Figure 4. The main chipset firmware update will be applied while the Surface Dock is disconnected.
- 
+ 
- Figure 4. Disconnect and reconnect Surface Dock when prompted
+ *Figure 4. Disconnect and reconnect Surface Dock when prompted*
7. When the main chipset firmware update is verified, the DisplayPort chipset firmware update will be uploaded to the Surface Dock. Upon completion, a **Success** page is displayed and you will again be prompted to disconnect the Surface Dock, as shown in Figure 5.
- 
+ 
- Figure 5. Successful upload of Surface Dock firmware
+ *Figure 5. Successful upload of Surface Dock firmware*
8. After you disconnect the Surface Dock the DisplayPort firmware update will be installed. This process occurs on the Surface Dock hardware while it is disconnected. The Surface Dock must remain powered for up to 3 minutes after it has been disconnected for the firmware update to successfully install. An **Update in Progress** page is displayed (as shown in Figure 6), with a countdown timer to show the estimated time remaining to complete the firmware update installation.
- 
+ 
- Figure 6. Countdown timer to complete firmware installation on Surface Dock
+ *Figure 6. Countdown timer to complete firmware installation on Surface Dock*
9. If you want to update multiple Surface Docks in one sitting, you can click the **Update another Surface Dock** button to begin the process on the next Surface Dock.
@@ -83,9 +83,9 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
If the Surface Dock firmware update process encounters an installation error with either firmware update, the **Encountered an unexpected error** page may be displayed, as shown in Figure 7.
-
+
-Figure 7. Firmware update installation has encountered an error
+*Figure 7. Firmware update installation has encountered an error*
Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in Figure 8. If you need to troubleshoot an update through this tool, you will find Surface Dock events recorded with the following event IDs:
@@ -97,9 +97,9 @@ Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in
| 12105 | Error |
-Figure 8. Surface Dock Updater events in Event Viewer
+
-
+*Figure 8. Surface Dock Updater events in Event Viewer*
## Related topics
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
new file mode 100644
index 0000000000..981d6dae06
--- /dev/null
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -0,0 +1,163 @@
+---
+title: Surface Enterprise Management Mode (Surface)
+description: See how this feature of Surface devices with Surface UEFI helps you secure and manage firmware settings within your organization.
+keywords: uefi, configure, firmware, secure, semm
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices, security
+ms.sitesec: library
+author: jobotto
+---
+
+# Microsoft Surface Enterprise Management Mode
+
+Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal.
+
+>**Note**: SEMM is only available on devices with Surface UEFI firmware, such as Surface Pro 4 and Surface Book. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-uefi-settings).
+
+When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM.
+
+## Microsoft Surface UEFI Configurator
+
+The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
+
+
+
+*Figure 1. Microsoft Surface UEFI Configurator*
+
+>**Note**: Windows 10 is required to run Microsoft Surface UEFI Configurator
+
+You can use the Microsoft Surface UEFI Configurator tool in three modes:
+
+* [Surface UEFI Configuration Package](#configuration-package). Use this mode to create a Surface UEFI configuration package to enroll a Surface device in SEMM and to configure UEFI settings on enrolled devices.
+* [Surface UEFI Reset Package](#reset-package). Use this mode to unenroll a Surface device from SEMM.
+* [Surface UEFI Recovery Request](#recovery-request). Use this mode to respond to a recovery request to unenroll a Surface device from SEMM where a Reset Package operation is not successful.
+
+
+#### Download Microsoft Surface UEFI Configurator
+
+You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
+
+### Configuration package
+
+Surface UEFI configuration packages are the primary mechanism to implement and manage SEMM on Surface devices. These packages contain a configuration file of UEFI settings specified during creation of the package in Microsoft Surface UEFI Configurator and a certificate file, as shown in Figure 2. When a configuration package is run for the first time on a Surface device that is not already enrolled in SEMM, it provisions the certificate file in the device’s firmware and enrolls the device in SEMM. When enrolling a device in SEMM, you will be prompted to confirm the operation by providing the last two digits of the SEMM certificate thumbprint before the certificate file is stored and the enrollment can complete. This confirmation requires that a user be present at the device at the time of enrollment to perform the confirmation.
+
+
+
+*Figure 2. Secure a SEMM configuration package with a certificate*
+
+See the [Surface Enterprise Management Mode certificate requirements](#surface-enterprise-management-mode-certificate-requirements) section of this article for more information about the requirements for the SEMM certificate.
+
+>**Note**: You can also specify a UEFI password with SEMM that is required to view the **Security**, **Devices**, **Boot Configuration**, or **Enterprise Management** pages of Surface UEFI.
+
+After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device.
+
+You can use Surface UEFI settings to enable or disable the operation of individual components, such as cameras, wireless communication, or docking USB port (as shown in Figure 3), and configure advanced settings (as shown in Figure 4).
+
+
+
+*Figure 3. Enable or disable devices in Surface UEFI with SEMM*
+
+
+
+*Figure 4. Configure advanced settings with SEMM*
+
+You can enable or disable the following devices with SEMM:
+
+* Docking USB Port
+* On-board Audio
+* Type Cover
+* Micro SD or SD Card Slots
+* Front Camera
+* Rear Camera
+* Infrared Camera, for Windows Hello
+* Bluetooth Only
+* Wi-Fi and Bluetooth
+* Trusted Platform Module (TPM)
+
+You can configure the following advanced settings with SEMM:
+
+* IPv6 support for PXE boot
+* Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device
+* Lock the boot order to prevent changes
+* Support for booting to USB devices
+* Display of the Surface UEFI **Security** page
+* Display of the Surface UEFI **Devices** page
+* Display of the Surface UEFI **Boot** page
+
+>**Note**: When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5.
+
+
+
+*Figure 5. Display of the last two characters of the certificate thumbprint on the Successful page*
+
+These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 6.
+
+
+
+*Figure 6. Enrollment confirmation in SEMM with the SEMM certificate thumbprint*
+
+To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM.
+
+### Reset package
+
+A Surface UEFI reset package is used to perform only one task — to unenroll a Surface device from SEMM. The reset package contains signed instructions to remove the SEMM certificate from the device’s firmware and to reset UEFI settings to factory default. Like a Surface UEFI configuration package, a reset package must be signed with the same SEMM certificate that is provisioned on the Surface device. When you create a SEMM reset package, you are required to supply the serial number of the Surface device you intend to reset. SEMM reset packages are not universal and are specific to one device.
+
+### Recovery request
+
+In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 7) with a Recovery Request operation.
+
+
+
+*Figure 7. Initiate a SEMM recovery request on the Enterprise Management page*
+
+When you use the process on the **Enterprise Management** page to reset SEMM on a Surface device, you are provided with a Reset Request. This Reset Request can be saved as a file to a USB drive, copied as text, or read as a QR Code with a mobile device to be easily emailed or messaged. Use the Microsoft Surface UEFI Configurator Reset Request option to load a Reset Request file or enter the Reset Request text or QR Code. Microsoft Surface UEFI Configurator will generate a verification code that can be entered on the Surface device. If you enter the code on the Surface device and click **Restart**, the device will be unenrolled from SEMM.
+
+>**Note**: A Reset Request expires two hours after it is created.
+
+## Surface Enterprise Management Mode certificate requirements
+
+>**Note**: The SEMM certificate is required to perform any modification to SEMM or Surface UEFI settings on enrolled Surface devices. If the SEMM certificate is corrupted or lost, SEMM cannot be removed or reset. Manage your SEMM certificate accordingly with an appropriate solution for backup and recovery.
+
+Packages created with the Microsoft Surface UEFI Configurator tool are signed with a certificate. This certificate ensures that after a device is enrolled in SEMM, only packages created with the approved certificate can be used to modify the settings of UEFI. The following settings are recommended for the SEMM certificate:
+
+* **Key Algorithm** – RSA
+* **Key Length** – 2048
+* **Hash Algorithm** – SHA-256
+* **Type** – SSL Server Authentication
+* **Key Usage** – Key Encipherment
+* **Provider** – Microsoft Enhanced RSA and AES Cryptographic Provider
+* **Expiration Date** – 15 Months from certificate creation
+* **Key Export Policy** – Exportable
+
+It is also recommended that the SEMM certificate be authenticated in a two-tier public key infrastructure (PKI) architecture where the intermediate certification authority (CA) is dedicated to SEMM, enabling certificate revocation. For more information about a two-tier PKI configuration, see [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348).
+
+>**Note**: You can use the following PowerShell script to create a self-signed certificate for use in proof-of-concept scenarios.
+ To use this script, copy the following text into Notepad and save the file as a PowerShell script (.ps1). This script creates a certificate with a password of `12345678`.
The certificate generated by this script is not recommended for production environments.
+
+ ```
+if (-not (Test-Path "Demo Certificate")) { New-Item -ItemType Directory -Force -Path "Demo Certificate" }
+if (Test-Path "Demo Certificate\TempOwner.pfx") { Remove-Item "Demo Certificate\TempOwner.pfx" }
+
+# Generate the Ownership private signing key with password 12345678
+$pw = ConvertTo-SecureString "12345678" -AsPlainText -Force
+
+$TestUefiV2 = New-SelfSignedCertificate `
+ -Subject "CN=Surface Demo Kit, O=Contoso Corporation, C=US" `
+ -Type SSLServerAuthentication `
+ -HashAlgorithm sha256 `
+ -KeyAlgorithm RSA `
+ -KeyLength 2048 `
+ -KeyUsage KeyEncipherment `
+ -KeyUsageProperty All `
+ -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
+ -NotAfter (Get-Date).AddYears(25) `
+ -TextExtension @("2.5.29.37={text}1.2.840.113549.1.1.1") `
+ -KeyExportPolicy Exportable
+
+$TestUefiV2 | Export-PfxCertificate -Password $pw -FilePath "Demo Certificate\TempOwner.pfx"
+ ```
+
+For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must be exported with the private key and with password protection. Microsoft Surface UEFI Configurator will prompt you to select the SEMM certificate file (.pfx) and certificate password when it is required.
+
+>**Note**: For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
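Review bot: the sample script's `-NotAfter (Get-Date).AddYears(25)` contradicts the `Expiration Date – 15 Months from certificate creation` recommendation listed a few lines above it; since the note presents this certificate as proof-of-concept only, either use `(Get-Date).AddMonths(15)` so the demo matches the guidance, or state in the note that the 25-year validity is a deliberate departure for the demo. Two smaller points in the same script: `-TextExtension @("2.5.29.37={text}1.2.840.113549.1.1.1")` places the rsaEncryption algorithm OID inside the Extended Key Usage extension (2.5.29.37), which is not an EKU purpose, so either document why that value is expected by Surface UEFI Configurator or drop the line; and the comment `# Generate the Ownership private signing key` describes a signing key while the certificate is created with `-KeyUsage KeyEncipherment` (consistent with the recommended settings, inconsistent with the comment). Also, the continuation lines of the Note ("To use this script..." and "The certificate generated by this script...") are not prefixed with `>`, and the second of them is not even part of this change, so the callout may end after its first sentence in some renderers.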
diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md
new file mode 100644
index 0000000000..5e31091376
--- /dev/null
+++ b/devices/surface/unenroll-surface-devices-from-semm.md
@@ -0,0 +1,148 @@
+---
+title: Unenroll Surface devices from SEMM (Surface)
+description: Learn how to unenroll a device from SEMM by using a Surface UEFI reset package or the Recovery Request option.
+keywords: surface enterprise management
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices, security
+ms.sitesec: library
+author: jobotto
+---
+
+# Unenroll Surface devices from SEMM
+
+When a Surface device is enrolled in Surface Enterprise Management Mode (SEMM), a certificate is stored in the firmware of that device. The presence of that certificate and the enrollment in SEMM prevent any unauthorized changes to Surface UEFI settings or options while the device is enrolled in SEMM. To restore control of Surface UEFI settings to the user, the Surface device must be unenrolled from SEMM, a process sometimes described as reset or recovery. There are two methods you can use to unenroll a device from SEMM—a Surface UEFI reset package and a Recovery Request.
+
+>**Warning:** To unenroll a device from SEMM and restore user control of Surface UEFI settings, you must have the SEMM certificate that was used to enroll the device in SEMM. If this certificate becomes lost or corrupted, it is not possible to unenroll from SEMM. Back up and protect your SEMM certificate accordingly.
+
+For more information about SEMM, see [Microsoft Surface Enterprise Management Mode](https://technet.microsoft.com/en-us/itpro/surface/surface-enterprise-management-mode).
+
+## Unenroll a Surface device from SEMM with a Surface UEFI reset package
+
+The Surface UEFI reset package is the primary method you use to unenroll a Surface device from SEMM. Like a Surface UEFI configuration package, the reset package is a Windows Installer (.msi) file that configures SEMM on the device. Unlike the configuration package, the reset package will reset the Surface UEFI configuration on a Surface device to its default settings, remove the SEMM certificate, and unenroll the device from SEMM.
+
+Reset packages are created specifically for an individual Surface device. To begin the process of creating a reset package, you will need the serial number of the device you want to unenroll, as well as the SEMM certificate used to enroll the device. You can find the serial number of your Surface device on the **PC information** page of Surface UEFI, as shown in Figure 1. This page is displayed even if Surface UEFI is password protected and the incorrect password is entered.
+
+
+
+*Figure 1. The serial number of the Surface device is displayed on the Surface UEFI PC information page*
+
+>**Note:** To boot to Surface UEFI, press **Volume Up** and **Power** simultaneously while the device is off. Hold **Volume Up** until the Surface logo is displayed and the device begins to boot.
+
+To create a Surface UEFI reset package, follow these steps:
+
+1. Open Microsoft Surface UEFI Configurator from the Start menu.
+2. Click **Start**.
+3. Click **Reset Package**, as shown in Figure 2.
+
+ 
+
+ *Figure 2. Click Reset Package to create a package to unenroll a Surface device from SEMM*
+
+4. Click **Certificate Protection** to add your SEMM certificate file with private key (.pfx), as shown in Figure 3. Browse to the location of your certificate file, select the file, and then click **OK**.
+
+ 
+
+ *Figure 3. Add the SEMM certificate to a Surface UEFI reset package*
+
+5. Click **Next**.
+6. Type the serial number of the device you want to unenroll from SEMM (as shown in Figure 4), and then click **Build** to generate the Surface UEFI reset package.
+
+ 
+
+ *Figure 4. Use the serial number of your Surface device to create a Surface UEFI reset package*
+
+7. In the **Save As** dialog box, specify a name for the Surface UEFI reset package, browse to the location where you would like to save the file, and then click **Save**.
+8. When the package generation has completed, the **Successful** page is displayed. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
+
+Run the Surface UEFI reset package Windows Installer (.msi) file on the Surface device to unenroll the device from SEMM. The reset package will require a reboot to perform the unenroll operation. After the device has been unenrolled, you can verify the successful removal by ensuring that the **Microsoft Surface Configuration Package** item in **Programs and Features** (shown in Figure 5) is no longer present.
+
+
+
+*Figure 5. The presence of the Microsoft Surface Configuration Package item in Programs and Features indicates that the device is enrolled in SEMM*
+
+## Unenroll a Surface device from SEMM with a Recovery Request
+
+In some scenarios, a Surface UEFI reset package may not be a viable option to unenroll a Surface device from SEMM (for example, where Windows has become unusable). In these scenarios you can unenroll the device by using a Recovery Request generated from within Surface UEFI. The Recovery Request process can be initiated even on devices where you do not have the Surface UEFI password.
+
+The Recovery Request process is initiated from Surface UEFI on the Surface device, approved with Microsoft Surface UEFI Configurator on another computer, and then completed in Surface UEFI. Like the reset package, approving a Recovery Request with Microsoft Surface UEFI Configurator requires access to the SEMM certificate that was used to enroll the Surface device.
+
+To initiate a Recovery Request, follow these steps:
+
+1. Boot the Surface device that is to be unenrolled from SEMM to Surface UEFI.
+2. Type the Surface UEFI password if you are prompted to do so.
+3. Click the **Enterprise management** page, as shown in Figure 6.
+
+ 
+
+ *Figure 6. The Enterprise management page is displayed in Surface UEFI on devices enrolled in SEMM*
+
+4. Click or press **Get Started**.
+5. Click or press **Next** to begin the Recovery Request process.
+ >**Note:** A Recovery Request expires two hours after it is created. If a Recovery Request is not completed in this time, you will have to restart the Recovery Request process.
+6. Select **SEMM Certificate** from the list of certificates displayed on the **Choose a SEMM reset key** page (shown in Figure 7), and then click or press **Next**.
+
+ 
+
+ *Figure 7. Choose SEMM Certificate for your Recovery Request (Reset Request)*
+
+7. On the **Enter SEMM reset verification code** page you can click the **QR Code** or **Text** buttons to display your Recovery Request (Reset Request) as shown in Figure 8, or the **USB** button to save your Recovery Request (Reset Request) as a file to a USB drive, as shown in Figure 9.
+
+ 
+
+ *Figure 8. A Recovery Request (Reset Request) displayed as a QR Code*
+
+ 
+
+ *Figure 9. Save a Recovery Request (Reset Request) to a USB drive*
+
+ * To use a QR Code Recovery Request (Reset Request), use a QR reader app on a mobile device to read the code. The QR reader app will translate the QR code into an alphanumeric string. You can then email or message that string to the administrator that will produce the reset verification code with Microsoft Surface UEFI Configurator.
+ * To use a Recovery Request (Reset Request) saved to a USB drive as a file, use the USB drive to transfer the file to the computer where Microsoft Surface UEFI Configurator will be used to produce the Reset Verification Code. The file can also be copied from the USB drive on another device to be emailed or transferred over the network.
+ * To use the Recovery Request (Reset Request) as text, simply type the text directly into Microsoft Surface UEFI Configurator.
+
+8. Open Microsoft Surface UEFI Configurator from the Start menu on another computer.
+>**Note:** Microsoft Surface UEFI Configurator must run in an environment that is able to authenticate the certificate chain for the SEMM certificate.
+9. Click **Start**.
+10. Click **Recovery Request**, as shown in Figure 10.
+
+ 
+
+ *Figure 10. Click Recovery Request to begin the process to approve a Recovery Request*
+
+11. Click **Certificate Protection** to authenticate the Recovery Request with the SEMM certificate.
+12. Browse to and select your SEMM certificate file, and then click **OK**.
+13. When you are prompted to enter the certificate password as shown in Figure 11, type and confirm the password for the certificate file, and then click **OK**.
+
+ 
+
+ *Figure 11. Type the password for the SEMM certificate*
+
+14. Click **Next**.
+15. Enter the Recovery Request (Reset Request), and then click **Generate** to create a reset verification code (as shown in Figure 12).
+
+ 
+
+ *Figure 12. Enter the Recovery Request (Reset Request)*
+
+ * If you displayed the Recovery Request (Reset Request) as text on the Surface device being reset, use the keyboard to type the Recovery Request (Reset Request) in the provided field.
+ * If you displayed the Recovery Request (Reset Request) as a QR Code and then used a messaging or email application to send the code to the computer with Microsoft Surface UEFI Configurator, copy and paste the code into the provided field.
+ * If you saved the Recovery Request (Reset Request) as a file to a USB drive, click the **Import** button, browse to and select the Recovery Request (Reset Request) file, and then click **OK**.
+
+16. The reset verification code is displayed in Microsoft Surface UEFI Configurator, as shown in Figure 13.
+
+ 
+
+ *Figure 13. The reset verification code displayed in Microsoft Surface UEFI Configurator*
+
+ * Click the **Share** button to send the reset verification code by email.
+
+17. Enter the reset verification code in the provided field on the Surface device (shown in Figure 8), and then click or press **Verify** to reset the device and unenroll the device from SEMM.
+18. Click or press **Restart now** on the **SEMM reset successful** page to complete the unenrollment from SEMM, as shown in Figure 14.
+
+ 
+
+ *Figure 14. Successful unenrollment from SEMM*
+
+19. Click **End** in Microsoft Surface UEFI Configurator to complete the Recovery Request (Reset Request) process and close Microsoft Surface UEFI Configurator.
+
+
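Review bot: the Note after step 8 (`>**Note:** Microsoft Surface UEFI Configurator must run in an environment...`) is not indented under the list item the way the Note under step 5 is, so it terminates the ordered list and steps 9 through 19 are likely to restart their numbering; indent it with the same leading space used for step 5's note. Separately, every figure caption (Figure 1 through Figure 14) has only blank lines above it where the image reference would sit; if the screenshots were meant to be part of this commit, the `![...]` links still need to be added, otherwise the captions should be dropped until the images land.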
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index 7ab6d68a18..d0d6052781 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -20,10 +20,10 @@ author: jdeckerMS
Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
- A Microsoft Edge browser window opens, showing just the test and nothing else.
+- The clipboard is cleared.
- Students aren’t able to go to other websites.
- Students can’t open or access other apps.
- Students can't share, print, or record their screens.
-- Students can’t copy or paste.
- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
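Review bot: replacing `Students can't copy or paste.` with `The clipboard is cleared.` weakens the stated control: clearing the clipboard (presumably at launch) removes whatever was copied before the test started, but it does not by itself stop a student from copying test content out or pasting prepared answers in while the test is running. If the app still blocks copy and paste, keep that bullet next to the new one; if it does not, the new wording is the accurate one, but say when the clipboard is cleared (at launch, at exit, or both) so readers do not infer a stronger guarantee than the app provides.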
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index a1fa849959..fece24bac1 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -20,10 +20,10 @@ author: jdeckerMS
The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
- A Microsoft Edge browser window opens, showing just the test and nothing else.
+- The clipboard is cleared.
- Students aren’t able to go to other websites.
- Students can’t open or access other apps.
- Students can't share, print, or record their screens.
-- Students can’t copy or paste.
- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
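Review bot: same concern as the identical change in take-a-test-multiple-pcs.md: `The clipboard is cleared.` is a weaker claim than the removed `Students can't copy or paste.`, so confirm whether copy and paste are still blocked during the test and, if they are, keep that bullet. Whichever wording is correct, keep the three Take a Test topics in sync.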
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 9e881238b6..c0de33cc5b 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -20,10 +20,10 @@ author: jdeckerMS
Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10, Version 1607, creates the right environment for taking a test:
- **Take a Test** shows just the test and nothing else.
+- **Take a Test** clears the clipboard.
- Students aren’t able to go to other websites.
- Students can’t open or access other apps.
- Students can't share, print, or record their screens.
-- Students can’t copy or paste.
- Students can’t change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
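Review bot: as with the two sibling topics, `**Take a Test** clears the clipboard.` describes a one-time action, not an ongoing restriction, whereas the removed `Students can't copy or paste.` described a restriction; if copy and paste are no longer blocked, the list's lead-in sentence ("a secure browser that prevents them from using other computer or Internet resources") should still hold, but readers will want to know that clipboard transfer is possible during the test. Confirm the behaviour and make the bullet say exactly what is enforced.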
diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md
index ff58491fd1..a6d2e9d108 100644
--- a/windows/deploy/TOC.md
+++ b/windows/deploy/TOC.md
@@ -35,6 +35,7 @@
## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
+## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md)
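Review bot: the new `## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)` entry is placed before `Windows 10 edition upgrade` here, while the index.md hunk in this same commit lists it after `Windows 10 edition upgrade`; pick one order and apply it to both files so the TOC and the index table agree.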
diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md
index ce380b474a..3276e429b0 100644
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@@ -15,7 +15,8 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
| New or changed topic | Description |
|----------------------|-------------|
| [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
-| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated |
+| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated support statement for Office 2016 |
+| [Windows 10 upgrade paths](windows-10-upgrade-paths.md) | New |
## May 2016
| New or changed topic | Description |
diff --git a/windows/deploy/images/PoC.png b/windows/deploy/images/PoC.png
new file mode 100644
index 0000000000..de73506071
Binary files /dev/null and b/windows/deploy/images/PoC.png differ
diff --git a/windows/deploy/images/check_grn.png b/windows/deploy/images/check_grn.png
new file mode 100644
index 0000000000..f9f04cd6bd
Binary files /dev/null and b/windows/deploy/images/check_grn.png differ
diff --git a/windows/deploy/images/hyper-v-feature.png b/windows/deploy/images/hyper-v-feature.png
new file mode 100644
index 0000000000..d7293d808e
Binary files /dev/null and b/windows/deploy/images/hyper-v-feature.png differ
diff --git a/windows/deploy/images/sec-bios.png b/windows/deploy/images/sec-bios.png
new file mode 100644
index 0000000000..4498497d59
Binary files /dev/null and b/windows/deploy/images/sec-bios.png differ
diff --git a/windows/deploy/images/x_blk.png b/windows/deploy/images/x_blk.png
new file mode 100644
index 0000000000..69432ff71c
Binary files /dev/null and b/windows/deploy/images/x_blk.png differ
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
index c6b8e27ed1..d4254111b1 100644
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@@ -23,6 +23,7 @@ Learn about deploying Windows 10 for IT professionals.
|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
+|[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
|[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. |
|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
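Review bot: the new row's description, `You can upgrade directly to Windows 10 from a previous operating system.`, drops the qualifier that the new topic itself uses (`providing the upgrade path is supported`); as written it reads as an unconditional promise, which the topic contradicts for Windows RT and Windows Phone 8. Suggest `You can upgrade directly to Windows 10 from a previous operating system, provided the upgrade path is supported.` Also note the ordering disagreement with the TOC.md hunk, where this entry precedes `Windows 10 edition upgrade`.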
diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md
index 8b20a8f77c..cbc6ee73c5 100644
--- a/windows/deploy/windows-10-edition-upgrades.md
+++ b/windows/deploy/windows-10-edition-upgrades.md
@@ -15,17 +15,17 @@ author: greg-lindsay
- Windows 10
- Windows 10 Mobile
-With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882).
+With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md).
-The following table shows the methods you can use to upgrade editions of Windows 10.
+The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise |
|-------|-----------|-----------------|----------------|-----------------|----------------|--------|
-| Using mobile device management (MDM) | | | | | | |
-| Using a provisioning package | | | | | | |
-| Using a command-line tool | | | | | | |
-| Entering a product key manually | | | | | | |
-| Purchasing a license from the Windows Store | | | | | | |
+| Using mobile device management (MDM) | | | | | | |
+| Using a provisioning package | | | | | | |
+| Using a command-line tool | | | | | | |
+| Entering a product key manually | | | | | | |
+| Purchasing a license from the Windows Store | | | | | | |
**Note**
Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
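Review bot: the five rewritten table rows show no visible cell content in this diff, so a reviewer cannot tell what changed in any cell; if the cells now reference the check_grn.png and x_blk.png images added in this commit, each image reference needs alt text such as `Supported` / `Not supported` so the table remains meaningful to screen readers and in text-only renderings, and so future diffs of this table are reviewable. Minor: the column headers mix `Pro > Enterprise` with `Ent > Education`; spell `Enterprise` out consistently.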
diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md
new file mode 100644
index 0000000000..04cb2496e2
--- /dev/null
+++ b/windows/deploy/windows-10-poc-mdt.md
@@ -0,0 +1,28 @@
+---
+title: Placeholder (Windows 10)
+description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
+
+**Applies to**
+
+- Windows 10
+
+## In this guide
+
+## Related Topics
+
+
+
+
+
+
+
+
+
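Review bot: this file is an empty shell: `title: Placeholder (Windows 10)` in the front matter is what will be shown as the page title, and both `## In this guide` and `## Related Topics` have no content, followed by nine blank lines. If the file must be committed now, set `title` to match the H1 (`Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit`) and keep it out of TOC.md until it has content; otherwise hold the file for the commit that fills it in.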
diff --git a/windows/deploy/windows-10-poc-sccm.md b/windows/deploy/windows-10-poc-sccm.md
new file mode 100644
index 0000000000..3e43d7c402
--- /dev/null
+++ b/windows/deploy/windows-10-poc-sccm.md
@@ -0,0 +1,28 @@
+---
+title: Placeholder (Windows 10)
+description: Deploy Windows 10 in a test lab using System Center Configuration Manager
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Deploy Windows 10 in a test lab using System Center Configuration Manager
+
+**Applies to**
+
+- Windows 10
+
+## In this guide
+
+## Related Topics
+
+
+
+
+
+
+
+
+
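Review bot: same problem as windows-10-poc-mdt.md: `title: Placeholder (Windows 10)` will surface as the published title and the two section headings are empty. Fix the title to match the H1 or defer the file until it carries content, and trim the trailing blank lines in both placeholder files.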
diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md
new file mode 100644
index 0000000000..3d7f0d96e9
--- /dev/null
+++ b/windows/deploy/windows-10-upgrade-paths.md
@@ -0,0 +1,416 @@
+---
+title: Windows 10 upgrade paths (Windows 10)
+description: You can upgrade to Windows 10 from a previous version of Windows, providing the upgrade path is supported.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+author: greg-lindsay
+---
+
+# Windows 10 upgrade paths
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+## Upgrade paths
+
+This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
+
+>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
+
+>**Free upgrade**: Some upgrade paths qualify for a free upgrade using Windows Update. For a list of upgrade paths that are available as part of the free upgrade offer, see [Free upgrade paths](#Free-upgrade-paths).
+
+✔ = Full upgrade is supported including personal data, settings, and applications.
+D = Edition downgrade; personal data is maintained, applications and settings are removed.
+
+
+
+ |
+ |
+ Windows 10 Home |
+ Windows 10 Pro |
+ Windows 10 Pro for Education |
+ Windows 10 Education |
+ Windows 10 Enterprise |
+ Windows 10 Mobile |
+ Windows 10 Mobile Enterprise |
+
+
+ Windows 7 |
+
+
+ Starter |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Home Basic |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Home Premium |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Professional |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Ultimate |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Enterprise |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Windows 8 |
+
+
+ (Core) |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Professional |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Professional WMC |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Enterprise |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Embedded Industry |
+ |
+ |
+ |
+ |
+ ✔ |
+ |
+ |
+
+
+ Windows RT |
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+ Windows Phone 8 |
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+ Windows 8.1 |
+
+
+ (Core) |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Connected |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Professional |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Professional Student |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Professional WMC |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Enterprise |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Embedded Industry |
+ |
+ |
+ |
+ |
+ ✔ |
+ |
+ |
+
+
+ Windows RT |
+ |
+ |
+ |
+ |
+ |
+ |
+ |
+
+
+ Windows Phone 8.1 |
+ |
+ |
+ |
+ |
+ |
+ ✔ |
+ |
+
+
+ Windows 10 |
+
+
+ Home |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+ |
+
+
+ Professional |
+ D |
+ ✔ |
+ ✔ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Education |
+ |
+ |
+ |
+ ✔ |
+ D |
+ |
+ |
+
+
+ Enterprise |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+ |
+ |
+
+
+ Mobile |
+ |
+ |
+ |
+ |
+ |
+ ✔ |
+ ✔ |
+
+
+ Mobile Enterprise |
+ |
+ |
+ |
+ |
+ |
+ D |
+ ✔ |
+
+
+
+## Free upgrade paths
+
+Windows 10 is offered as a free upgrade for the first year after launch of Windows 10, with the following restrictions:
+- The offer expires on July 29th, 2016.
+- The offer applies to devices connected to the Internet with Windows Update enabled.
+- Upgrading to Windows 10 Pro requires a computer running the Pro or Ultimate version of Windows 7/8/8.1.
+- Windows Phone 8.0 users must update to Windows 8.1 before upgrading to Windows 10 Mobile1.
+- Editions that are excluded from the free upgrade offer include: Windows 7 Enterprise, Windows 8/8.1 Enterprise, and Windows RT/RT 8.12.
+
+>1The availability of Windows 10 Mobile for Windows 8.1 devices will vary by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. For a list of eligible phones and important info about the upgrade and Windows 10 Mobile, see [Windows 10 specifications](http://windows.com/specsmobile).
+
+>2Active Software Assurance customers in volume licensing have the benefit to upgrade to Windows 10 Enterprise outside of this offer. Windows 10 is not supported on devices running the RT versions of Windows 8.
+
+The following table summarizes the free upgrade paths to Windows 10. For a list of frequently asked questions about the free upgrade to Windows 10, see [Upgrade to Windows 10: FAQ](http://windows.microsoft.com/en-us/windows-10/upgrade-to-windows-10-faq).
+
+
+
+ |
+ From |
+ To |
+
+
+ Windows 7 |
+
+
+ |
+ Windows 7 Starter |
+ Windows 10 Home |
+
+
+ |
+ Windows 7 Home Basic |
+
+
+ |
+ Windows 7 Home Premium |
+
+
+ |
+ Windows 7 Professional |
+ Windows 10 Pro |
+
+
+ |
+ Windows 7 Ultimate |
+
+
+ Windows 8/8.1 |
+
+
+ |
+ Windows Phone 8.1 |
+ Windows 10 Mobile |
+
+
+ |
+ Windows 8/8.1 |
+ Windows 10 Home |
+
+
+ |
+ Windows 8/8.1 Pro |
+ Windows 10 Pro |
+
+
+ |
+ Windows 8/8.1 Pro for Students |
+
+
+
+
+## Related Topics
+
+[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
+
+
+
+
+
+
+
+
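Review bot: the in-page link `[Free upgrade paths](#Free-upgrade-paths)` uses a capitalised anchor, but the heading `## Free upgrade paths` generates the lowercase slug `#free-upgrade-paths`, and anchors are case-sensitive in most renderers, so the link will not resolve; lowercase it. Other points in this hunk: the footnote markers have run into their words (`Windows 10 Mobile1`, `Windows RT/RT 8.12`, and the footnotes themselves `>1The availability` and `>2Active Software`), so they need to be marked up as superscripts or rewritten as `(1)` / `(2)`; `from one release of Windows 10 to later release` is missing `a`; the two legend lines `✔ = Full upgrade is supported...` and `D = Edition downgrade...` are on consecutive lines with no separator and will merge into one paragraph; and the two `Related Topics` links will merge the same way unless they become list items or are separated by blank lines. Finally, `- The offer expires on July 29th, 2016.` is a date-bound statement in an evergreen topic; consider noting what happens to the table after that date so the free-upgrade section does not silently go stale.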
diff --git a/windows/deploy/windows-upgrade-and-migration-considerations.md b/windows/deploy/windows-upgrade-and-migration-considerations.md
index 7763b0502d..fc4c69a980 100644
--- a/windows/deploy/windows-upgrade-and-migration-considerations.md
+++ b/windows/deploy/windows-upgrade-and-migration-considerations.md
@@ -8,13 +8,13 @@ ms.sitesec: library
author: greg-lindsay
---
-# Windows Upgrade and Migration Considerations
+# Windows upgrade and migration considerations
Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
-## Upgrade from a Previous Version of Windows
+## Upgrade from a previous version of Windows
You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
-## Migrate Files and Settings
+## Migrate files and settings
Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](http://go.microsoft.com/fwlink/p/?LinkId=131349).
@@ -29,13 +29,13 @@ With Windows Easy Transfer, files and settings can be transferred using a netwo
### Migrate with the User State Migration Tool
You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
-## Upgrade and Migration Considerations
+## Upgrade and migration monsiderations
Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
-### Application Compatibility
+### Application compatibility
For more information about application compatibility in Windows, see the [Application Compatibility Toolkit (ACT)](http://go.microsoft.com/fwlink/p/?LinkId=131349).
-### Multilingual Windows Image Upgrades
+### Multilingual Windows image upgrades
When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed.
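Review bot: `## Upgrade and migration monsiderations` introduces a typo while changing the heading's case; it should read `## Upgrade and migration considerations`. The rest of the hunk only adjusts heading capitalisation and looks fine.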
@@ -43,7 +43,7 @@ If you are using a single-language Windows image that matches the system default
### Errorhandler.cmd
When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
-### Data Drive ACL Migration
+### Data drive ACL migration
During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
@@ -57,7 +57,10 @@ Value: "DDACLSys_Disabled" = 1
This feature is disabled if this registry key value exists and is configured to `1`.
## Related topics
-- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+
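Review bot: dropping the `- ` marker in the Related topics hunk breaks the rendering, because Markdown joins consecutive non-blank lines into one paragraph, so the three links `[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)`, `[Windows 10 upgrade paths](windows-10-upgrade-paths.md)` and `[Windows 10 edition upgrade](windows-10-edition-upgrades.md)` will run together on a single line. Either keep the `- ` bullets the file already used or separate the links with blank lines. The trailing empty `+` line added at the end of the file is not needed.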
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 3211ee8eb9..1e55f667ce 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -28,7 +28,18 @@
#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
## [VPN profile options](vpn-profile-options.md)
+## [Windows security baselines](windows-security-baselines.md)
## [Security technologies](security-technologies.md)
+### [Access Control Overview](access-control.md)
+#### [Dynamic Access Control Overview](dynamic-access-control.md)
+#### [Security identifiers](security-identifiers.md)
+#### [Security Principals](security-principals.md)
+#### [Local Accounts](local-accounts.md)
+#### [Active Directory Accounts](active-directory-accounts.md)
+#### [Microsoft Accounts](microsoft-accounts.md)
+#### [Service Accounts](service-accounts.md)
+#### [Active Directory Security Groups](active-directory-security-groups.md)
+#### [Special Identities](special-identities.md)
### [AppLocker](applocker-overview.md)
#### [Administer AppLocker](administer-applocker.md)
##### [Maintain AppLocker policies](maintain-applocker-policies.md)
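Review bot: the new entries under `### [Security technologies]` mix title case (`Access Control Overview`, `Security Principals`, `Local Accounts`, `Special Identities`) with the sentence case of `Security identifiers`, and this same patch is lowercasing headings elsewhere, so pick one style for the whole subtree. Also, `#### [Special Identities](special-identities.md)` is listed here but is missing from the "This content set contains" list in the new access-control.md added by this patch; the two lists should be reconciled.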
@@ -670,7 +681,6 @@
#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
-
##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
@@ -692,6 +702,7 @@
### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
+#### [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
#### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)
diff --git a/windows/keep-secure/access-control.md b/windows/keep-secure/access-control.md
new file mode 100644
index 0000000000..969bd01684
--- /dev/null
+++ b/windows/keep-secure/access-control.md
@@ -0,0 +1,137 @@
+---
+title: Access Control Overview (Windows 10)
+description: Access Control Overview
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Access Control Overview
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
+
+## Feature description
+
+
+Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource.
+
+Shared resources are available to users and groups other than the resource’s owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
+
+Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce access control in the following ways:
+
+- Deny access to unauthorized users and groups
+
+- Set well-defined limits on the access that is provided to authorized users and groups
+
+Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.
+
+This content set contains:
+
+- [Dynamic Access Control Overview](dynamic-access-control.md)
+
+- [Security identifiers](security-identifiers.md)
+
+- [Security Principals](security-principals.md)
+
+ - [Local Accounts](local-accounts.md)
+
+ - [Active Directory Accounts](active-directory-accounts.md)
+
+ - [Microsoft Accounts](microsoft-accounts.md)
+
+ - [Service Accounts](service-accounts.md)
+
+ - [Active Directory Security Groups](active-directory-security-groups.md)
+
+## Practical applications
+
+
+Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security:
+
+- Protect a greater number and variety of network resources from misuse.
+
+- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs.
+
+- Enable users to access resources from a variety of devices in numerous locations.
+
+- Update users’ ability to access resources on a regular basis as an organization’s policies change or as users’ jobs change.
+
+- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones).
+
+- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs.
+
+## Permissions
+
+
+Permissions define the type of access that is granted to a user or group for an object or object property. For example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat.
+
+By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user, group, or computer. It is a good practice to assign permissions to groups because it improves system performance when verifying access to an object.
+
+For any object, you can grant permissions to:
+
+- Groups, users, and other objects with security identifiers in the domain.
+
+- Groups and users in that domain and any trusted domains.
+
+- Local groups and users on the computer where the object resides.
+
+The permissions attached to an object depend on the type of object. For example, the permissions that can be attached to a file are different from those that can be attached to a registry key. Some permissions, however, are common to most types of objects. These common permissions are:
+
+- Read
+
+- Modify
+
+- Change owner
+
+- Delete
+
+When you set permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print.
+
+When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](http://technet.microsoft.com/library/cc770962.aspx).
+
+**Note**
+Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](http://technet.microsoft.com/library/cc754178.aspx).
+
+
+
+### Ownership of objects
+
+An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership](http://technet.microsoft.com/library/cc732983.aspx).
+
+### Inheritance of permissions
+
+Inheritance allows administrators to easily assign and manage permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container. For example, the files within a folder inherit the permissions of the folder. Only permissions marked to be inherited will be inherited.
+
+## User rights
+
+
+User rights grant specific privileges and sign-in rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
+
+User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
+
+For more information about user rights, see [User Rights Assignment](user-rights-assignment.md).
+
+## Object auditing
+
+
+With administrator's rights, you can audit users' successful or failed access to objects. You can select which object access to audit by using the access control user interface, but first you must enable the audit policy by selecting **Audit object access** under **Local Policies** in **Local Security Settings**. You can then view these security-related events in the Security log in Event Viewer.
+
+For more information about auditing, see [Security Auditing Overview](security-auditing-overview.md).
+
+## See also
+
+- For more information about access control and authorization, see [Access Control and Authorization Overview](https://technet.microsoft.com/en-us/library/jj134043(v=ws.11).aspx).
+
+
+
+
+
+
+
+
+
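Review bot: in the Permissions section the sentence `+By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes.` is wrong for everything except files and folders: NTFS permissions exist only on NTFS volumes, while Active Directory objects, registry keys and processes carry their own DACLs in the same security descriptor model. Suggest "you can set permissions (the object's discretionary access control list)" and reserve "NTFS permissions" for the file-system case. Two smaller points in the same hunk: the justification that assigning permissions to groups "improves system performance when verifying access to an object" is the weaker argument, the main reason is manageability (one ACE per group instead of one per user, and membership changes that need no ACL edits); and the "This content set contains" list omits Special Identities, which the TOC change in this patch adds under Access Control Overview. The run of empty `+` lines before the next file header can be dropped.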
diff --git a/windows/keep-secure/active-directory-accounts.md b/windows/keep-secure/active-directory-accounts.md
new file mode 100644
index 0000000000..3b4ee0e979
--- /dev/null
+++ b/windows/keep-secure/active-directory-accounts.md
@@ -0,0 +1,851 @@
+---
+title: Active Directory Accounts (Windows 10)
+description: Active Directory Accounts
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Active Directory Accounts
+
+**Applies to**
+- Windows Server 2016
+
+Windows Server operating systems are installed with default local accounts. In addition, you can create user accounts to meet the requirements of your organization. This reference topic for the IT professional describes the Windows Server default local accounts that are stored locally on the domain controller and are used in Active Directory.
+
+This reference topic does not describe default local user accounts for a member or standalone server or for a Windows client. For more information, see [Local Accounts](local-accounts.md).
+
+## About this topic
+
+
+This topic describes the following:
+
+- [Default local accounts in Active Directory](#sec-ad-default-accounts)
+
+ - [Administrator account](#sec-administrator)
+
+ - [Guest account](#sec-guest)
+
+ - [HelpAssistant account (installed with a Remote Assistance session)](#sec-helpassistant)
+
+ - [KRBTGT account](#sec-krbtgt)
+
+- [Settings for default local accounts in Active Directory](#sec-account-settings)
+
+- [Manage default local accounts in Active Directory](#sec-manage-local-accounts)
+
+- [Restrict and protect sensitive domain accounts](#sec-restrict-protect-accounts)
+
+ - [Separate administrator accounts from user accounts](#task1-separate-admin-accounts)
+
+ - [Create dedicated workstation hosts without Internet and email access](#task2-admin-workstations)
+
+ - [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon)
+
+ - [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation)
+
+- [Secure and manage domain controllers](#sec-secure-manage-dcs)
+
+## Default local accounts in Active Directory
+
+
+Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created. These default local accounts have counterparts in Active Directory. These accounts also have domain-wide access and are completely separate from the default local user accounts for a member or standalone server.
+
+You can assign rights and permissions to default local accounts on a particular domain controller, and only on that domain controller. These accounts are local to the domain. After the default local accounts are installed, they are stored in the Users container in Active Directory Users and Computers. It is a best practice to keep the default local accounts in the User container and not attempt to move these accounts, for example, to a different organizational unit (OU).
+
+The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. The HelpAssistant account is installed when a Remote Assistance session is established. The following sections describe the default local accounts and their use in Active Directory.
+
+Primarily, default local accounts do the following:
+
+- Let the domain represent, identify, and authenticate the identity of the user that is assigned to the account by using unique credentials (user name and password). It is a best practice to assign each user to a single account to ensure maximum security. Multiple users are not allowed to share one account. A user account lets a user sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.
+
+- Authorize (grant or deny) access to resources. After a user’s credentials have been authenticated, the user is authorized to access the network and domain resources based on the user’s explicitly assigned rights on the resource.
+
+- Audit the actions that are carried out on a user account.
+
+In Active Directory, default local accounts are used by administrators to manage domain and member servers directly and from dedicated administrative workstations. Active Directory accounts provide access to network resources. Active Directory User accounts and Computer accounts can represent a physical entity, such as a computer or person, or act as dedicated service accounts for some applications.
+
+Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md).
+
+On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals](security-principals.md).
+
+A security principal is represented by a unique security identifier (SID).The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below.
+
+Some of the default local accounts are protected by a background process that periodically checks and applies a specific security descriptor. A security descriptor is a data structure that contains security information that is associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the default local accounts or groups is overwritten with the protected settings.
+
+This security descriptor is present on the AdminSDHolder object. If you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object to ensure that it is applied consistently. Be careful when making these modifications, because you are also changing the default settings that are applied to all of your protected accounts.
+
+## Administrator account
+
+
+The Administrator account is a default account that is used in all versions of the Windows operating system on every computer and device. The Administrator account is used by the system administrator for tasks that require administrative credentials. This account cannot be deleted or locked out, but the account can be renamed or disabled.
+
+The Administrator account gives the user complete access (Full Control permissions) of the files, directories, services, and other resources that are on that local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. Administrator can also be used to take control of local resources at any time simply by changing the user rights and permissions. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions.
+
+**Account group membership**
+
+The Administrator account has membership in the default security groups as described in the Administrator account attributes table later in this topic.
+
+The security groups ensure that you can control administrator rights without having to change each Administrator account. In most instances, you do not have to change the basic settings for this account. However, you might have to change its advanced settings, such as membership in particular groups.
+
+**Security considerations**
+
+After installation of the server operating system, your first task is to set up the Administrator account properties securely. This includes setting up an especially long, strong password, and securing the Remote control and Remote Desktop Services profile settings.
+
+The Administrator account can also be disabled when it is not required. Renaming or disabling the Administrator account makes it more difficult for malicious users to try to gain access to the account. However, even when the Administrator account is disabled, it can still be used to gain access to a domain controller by using safe mode.
+
+On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin account is used to sign in to the domain controller and this account requires a strong password. The Domain Admin account gives you access to domain resources.
+
+**Note**
+When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to manage the operating system when you first install it. By using this approach, you can set up the operating system without getting locked out. Generally, you do not need to use the account after installation. You can only create local user accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards.
+
+
+
+When Active Directory is installed on the first domain controller in the domain, the Administrator account is created for Active Directory. The Administrator account is the most powerful account in the domain. It is given domain-wide access and administrative rights to administer the computer and the domain, and it has the most extensive rights and permissions over the domain. The person who installs Active Directory Domain Services on the computer creates the password for this account during the installation.
+
+**Administrator account attributes**
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-500 |
+
+
+Type |
+User |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+N/A |
+
+
+Default member of |
+Administrators, Domain Admins, Enterprise Administrators, Domain Users. Note that the Primary Group ID of all user accounts is Domain Users.
+Group Policy Creator Owners, and Schema Admins in Active Directory
+Domain Users group |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-service administrators? |
+No |
+
+
+
+
+
+
+## Guest account
+
+
+The Guest account is a default local account has limited access to the computer and is disabled by default. The Guest account cannot be deleted or disabled, and the account name cannot be changed. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password.
+
+The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain.
+
+**Account group membership**
+
+The Guest account has membership in the default security groups that are described in the following Guest account attributes table. By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server, and the Domain Guests global group, which lets a user sign in to a domain.
+
+A member of the Administrators group or Domain Admins group can set up a user with a Guest account on one or more computers.
+
+**Security considerations**
+
+Because the Guest account can provide anonymous access, it is a security risk. It also has a well-known SID. For this reason, it is a best practice to leave the Guest account disabled, unless its use is required and then only with restricted rights and permissions for a very limited period of time.
+
+When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access:
+
+- Do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
+
+- Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
+
+- Do not use the Guest account when the server has external network access or access to other computers.
+
+If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you might want to rename the account as an added security precaution.
+
+In addition, an administrator is responsible for managing the Guest account. The administrator monitors the Guest account, disables the Guest account when it is no longer in use, and changes or removes the password as needed.
+
+For details about the Guest account attributes, see the following table.
+
+**Guest account attributes**
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-501 |
+
+
+Type |
+User |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+Guests, Domain Guests |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Can be moved out, but we do not recommend it. |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+
+
+
+
+## HelpAssistant account (installed with a Remote Assistance session)
+
+
+The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
+
+HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
+
+**Security considerations**
+
+The SIDs that pertain to the default HelpAssistant account include:
+
+- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.
+
+- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+
+For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
+
+For details about the HelpAssistant account attributes, see the following table.
+
+**HelpAssistant account attributes**
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon) |
+
+
+Type |
+User |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+Domain Guests
+Guests |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Can be moved out, but we do not recommend it. |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+
+
+
+
+## KRBTGT account
+
+
+The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.
+
+KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.
+
+Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.
+
+### KRBTGT account maintenance considerations
+
+A strong password is assigned to the KRBTGT account automatically. Be sure that you change the password on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets.
+
+On occasion, the KRBTGT account password requires a reset, for example, when an attempt to change the password on the KRBTGT account fails. In order to resolve this issue, you reset the KRBTGT user account password twice by using Active Directory Users and Computers. You must reset the password twice because the KRBTGT account stores only two of the most recent passwords in the password history. By resetting the password twice, you effectively clear all passwords from the password history.
+
+Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
+
+After you reset the KRBTGT password, ensure that event ID 6 in the (Kerberos) Key-Distribution-Center event source is written to the System event log.
+
+### Security considerations
+
+It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken. After you reset the KRBTGT account, another domain controller cannot replicate this account password by using an old password.
+
+An organization suspecting domain compromise of the KRBTGT account should consider the use of professional incident response services. The impact to restore the ownership of the account is domain-wide and labor intensive an should be undertaken as part of a larger recovery effort.
+
+The KRBTGT password is the key from which all trust in Kerberos chains up to. Resetting the KRBTGT password is similar to renewing the root CA certificate with a new key and immediately not trusting the old key, resulting in almost all subsequent Kerberos operations will be affected.
+
+For all account types (users, computers, and services)
+
+- All the TGTs that are already issued and distributed will be invalid because the DCs will reject them. These tickets are encrypted with the KRBTGT so any DC can validate them. When the password changes, the tickets become invalid.
+
+- All currently authenticated sessions that logged on users have established (based on their service tickets) to a resource (such as a file share, SharePoint site, or Exchange server) are good until the service ticket is required to re-authenticate.
+
+- NTLM authenticated connections are not affected
+
+Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected.
+
+**Important**
+Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
+
+For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/).
+
+### Read-only domain controllers and the KRBTGT account
+
+Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy.
+
+After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.
+
+### KRBTGT account attributes
+
+For details about the KRBTGT account attributes, see the following table.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-502 |
+
+
+Type |
+User |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+Domain Users group. Note that the Primary Group ID of all user accounts is Domain Users. |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Can be moved out, but we do not recommend it. |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+
+
+
+
+## Settings for default local accounts in Active Directory
+
+
+Each default local account in Active Directory has a number of account settings that you can use to configure password settings and security-specific information, as described in the following table.
+
+**Settings for default local accounts in Active Directory**
+
+
+
+
+
+
+
+
+
+
+
+User must change password at next logon |
+Forces a password change the next time that the user logs signs in to the network. Use this option when you want to ensure that the user is the only person to know his or her password. |
+
+
+User cannot change password |
+Prevents the user from changing the password. Use this option when you want to maintain control over a user account, such as for a Guest or temporary account. |
+
+
+Password never expires |
+Prevents a user password from expiring. It is a best practice to enable this option with service accounts and to use strong passwords. |
+
+
+Store passwords using reversible encryption |
+Provides support for applications that use protocols requiring knowledge of the plaintext form of the user’s password for authentication purposes.
+This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS). |
+
+
+Account is disabled |
+Prevents the user from signing in with the selected account. As an administrator, you can use disabled accounts as templates for common user accounts. |
+
+
+Smart card is required for interactive logon |
+Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.
+When this attribute is applied on the account, the effect is as follows:
+
+The attribute only restricts initial authentication for interactive logon and Remote Desktop logon. When interactive or Remote Desktop logon requires a subsequent network logon, such as with a domain credential, an NT Hash provided by the domain controller is used to complete the smartcard authentication process
+Each time the attribute is enabled on an account, the account’s current password hash value is replaced with a 128-bit random number. This invalidates the use of any previously configured passwords for the account. The value does not change after that unless a new password is set or the attribute is disabled and re-enabled.
+Accounts with this attribute cannot be used to start services or run scheduled tasks.
+ |
+
+
+Account is trusted for delegation |
+Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously. |
+
+
+Account is sensitive and cannot be delegated |
+Gives control over a user account, such as for a Guest account or a temporary account. This option can be used if this account cannot be assigned for delegation by another account. |
+
+
+Use DES encryption types for this account |
+Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).
+
+ Note
+ DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).
+
+
+
+ |
+
+
+Do not require Kerberos preauthentication |
+Provides support for alternate implementations of the Kerberos protocol. Because preauthentication provides additional security, use caution when enabling this option. Note that domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time. |
+
+
+
+
+
+
+## Manage default local accounts in Active Directory
+
+
+After the default local accounts are installed, these accounts reside in the Users container in Active Directory Users and Computers. Default local accounts can be created, disabled, reset, and deleted by using the Active Directory Users and Computers Microsoft Management Console (MMC) and by using command-line tools.
+
+You can use Active Directory Users and Computers to assign rights and permissions on a given local domain controller, and that domain controller only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. In contrast, an access permission is a rule that is associated with an object, usually a file, folder, or printer, that regulates which users can have access to the object and in what manner.
+
+For more information about creating and managing local user accounts in Active Directory, see [Manage Local Users](http://technet.microsoft.com/library/cc731899.aspx).
+
+You can also use Active Directory Users and Computers on a domain controller to target remote computers that are not domain controllers on the network.
+
+You can obtain recommendations from Microsoft for domain controller configurations that you can distribute by using the Security Compliance Manager (SCM) tool. For more information, see [Microsoft Security Compliance Manager](http://technet.microsoft.com/library/cc677002.aspx).
+
+Some of the default local user accounts are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This security descriptor is present on the AdminSDHolder object.
+
+This means, when you want to modify the permissions on a service administrator group or on any of its member accounts, you are also required to modify the security descriptor on the AdminSDHolder object. This approach ensures that the permissions are applied consistently. Be careful when you make these modifications, because this action can also affect the default settings that are applied to all of your protected administrative accounts.
+
+## Restrict and protect sensitive domain accounts
+
+
+Restricting and protecting domain accounts in your domain environment requires you to adopt and implement the following best practices approach:
+
+- Strictly limit membership to the Administrators, Domain Admins, and Enterprise Admins groups.
+
+- Stringently control where and how domain accounts are used.
+
+Member accounts in the Administrators, Domain Admins, and Enterprise Admins groups in a domain or forest are high-value targets for malicious users. It is a best practice to strictly limit membership to these administrator groups to the smallest number of accounts in order to limit any exposure. Restricting membership in these groups reduces the possibility that an administrator might unintentionally misuse these credentials and create a vulnerability that malicious users can exploit.
+
+Moreover, it is a best practice to stringently control where and how sensitive domain accounts are used. Restrict the use of Domain Admins accounts and other administrator accounts to prevent them from being used to sign in to management systems and workstations that are secured at the same level as the managed systems. When administrator accounts are not restricted in this manner, each workstation from which a domain administrator signs in provides another location that malicious users can exploit.
+
+Implementing these best practices is separated into the following tasks:
+
+- [Separate administrator accounts from user accounts](#task1-separate-admin-accounts)
+
+- [Create dedicated workstation hosts for administrators](#task2-admin-workstations)
+
+- [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon)
+
+- [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation)
+
+Note that, to provide for instances where integration challenges with the domain environment are expected, each task is described according to the requirements for a minimum, better, and ideal implementation. As with all significant changes to a production environment, ensure that you test these changes thoroughly before you implement and deploy them. Then stage the deployment in a manner that allows for a rollback of the change in case technical issues occur.
+
+### Separate administrator accounts from user accounts
+
+Restrict Domain Admins accounts and other sensitive accounts to prevent them from being used to sign in to lower trust servers and workstations. Restrict and protect administrator accounts by segregating administrator accounts from standard user accounts, by separating administrative duties from other tasks, and by limiting the use of these accounts. Create dedicated accounts for administrative personnel who require administrator credentials to perform specific administrative tasks, and then create separate accounts for other standard user tasks, according to the following guidelines:
+
+- **Privileged account**. Allocate administrator accounts to perform the following administrative duties only:
+
+ - **Minimum**. Create separate accounts for domain administrators, enterprise administrators, or the equivalent with appropriate administrator rights in the domain or forest. Use accounts that have been granted sensitive administrator rights only to administer domain data and domain controllers.
+
+ - **Better**. Create separate accounts for administrators that have reduced administrative rights, such as accounts for workstation administrators, and accounts with user rights over designated Active Directory organizational units (OUs).
+
+ - **Ideal**. Create multiple, separate accounts for an administrator who has a variety of job responsibilities that require different trust levels. Set up each administrator account with significantly different user rights, such as for workstation administration, server administration and domain administration, to let the administrator sign in to given workstations, servers and domain controllers based strictly on his or her job responsibilities.
+
+- **Standard user account**. Grant standard user rights for standard user tasks, such as email, web browsing, and using line-of-business (LOB) applications. These accounts should not be granted administrator rights.
+
+**Important**
+Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section.
+
+
+
+### Create dedicated workstation hosts without Internet and email access
+
+Administrators need to manage job responsibilities that require sensitive administrator rights from a dedicated workstation because they do not have easy physical access to the servers. A workstation that is connected to the Internet and has email and web browsing access is regularly exposed to compromise through phishing, downloading, and other types of Internet attacks. Because of these threats, it is a best practice to set these administrators up by using workstations that are dedicated to administrative duties only, and not provide access to the Internet, including email and web browsing. For more information, see [Separate administrator accounts from user accounts](#task1-separate-admin-accounts).
+
+**Note**
+If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task.
+
+
+
+- **Minimum**. Build dedicated administrative workstations and block Internet access on those workstations including web browsing and email. Use the following ways to block Internet access:
+
+ - Configure authenticating boundary proxy services, if they are deployed, to disallow administrator accounts from accessing the Internet.
+
+ - Configure boundary firewall or proxy services to disallow Internet access for the IP addresses that are assigned to dedicated administrative workstations.
+
+ - Block outbound access to the boundary proxy servers in the Windows Firewall.
+
+ The instructions for meeting this minimum requirement are described in the following procedure.
+
+- **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections.
+
+- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](applocker-overview.md).
+
+The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings.
+
+**Note**
+In this procedure, the workstations are dedicated to domain administrators. By simply modifying the administrator accounts to grant permission to administrators to sign in locally, you can create additional OUs to manage administrators that have fewer administrative rights to use the instructions described in the following procedure.
+
+**To install administrative workstations in a domain and block Internet and email access (minimum)**
+
+1. As a domain administrator on a domain controller, open Active Directory Users and Computers, and create a new OU for administrative workstations.
+
+2. Create computer accounts for the new workstations.
+
+ > **Note** You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
+
+ 
+
+3. Close Active Directory Users and Computers.
+
+4. Start the **Group Policy Management** Console (GPMC).
+
+5. Right-click the new OU, and > **Create a GPO in this domain, and Link it here**.
+
+ 
+
+6. Name the GPO, and > **OK**.
+
+7. Expand the GPO, right-click the new GPO, and > **Edit**.
+
+ 
+
+8. Configure which members of accounts can log on locally to these administrative workstations as follows:
+
+ 1. Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**.
+
+ 2. Double-click **Allow log on locally**, and then select the **Define these policy settings** check box.
+
+ 3. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**.
+
+ 4. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**.
+
+ **Important**
+ These instructions assume that the workstation is to be dedicated to domain administrators.
+
+
+
+ 5. Click **Add User or Group**, type **Administrators**, and > **OK**.
+
+ 
+
+9. Configure the proxy configuration:
+
+ 1. Navigate to User Configuration\\Policies\\Windows Settings\\Internet Explorer, and > **Connection**.
+
+ 2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and > **OK**.
+
+ 
+
+10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows:
+
+ 1. Navigate to Computer Configuration\\Policies\\Administrative Templates\\System, and > **Group Policy**.
+
+ 2. Double-click **User Group Policy loopback policy processing mode**, and > **Enabled**.
+
+ 3. Select **Merge Mode**, and > **OK**.
+
+11. Configure software updates as follows:
+
+ 1. Navigate to Computer Configuration\\Policies\\Administrative Templates\\Windows Components, and then click **Windows Update**.
+
+ 2. Configure Windows Update settings as described in the following table.
+
+
+
+
+
+
+
+
+ Windows Update Setting |
+ Configuration |
+
+
+ Allow Automatic Updates immediate installation |
+ Enabled |
+
+
+ Configure Automatic Updates |
+ Enabled 4 - Auto download and schedule the installation 0 - Every day 03:00 |
+
+
+ Enable Windows Update Power Management to automatically wake up the system to install scheduled updates |
+ Enabled |
+
+
+ Specify intranet Microsoft Update service location |
+ Enabled http://<WSUSServername> http://<WSUSServername> Where <WSUSServername> is the DNS name or IP address of the Windows Server Update Services (WSUS) in the environment. |
+
+
+ Automatic Updates detection frequency |
+ 6 hours |
+
+
+ Re-prompt for restart with scheduled installations |
+ 1 minute |
+
+
+ Delay restart for scheduled installations |
+ 5 minutes |
+
+
+
+
+ > **Note** This step assumes that Windows Server Update Services (WSUS) is installed and configured in the environment. You can skip this step if you use another tool to deploy software updates. Also, if the public Microsoft Windows Update service only is used on the Internet, then these administrative workstations no longer receive updates.
+
+12. Configure the inbound firewall to block all connections as follows:
+
+ 1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and > **Properties**.
+
+ 
+
+ 2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**.
+
+ 
+
+ 3. Click **OK** to complete the configuration.
+
+13. Close the Group Policy Management Console.
+
+14. Install the Windows operating system on the workstations, give each workstation the same names as the computer accounts assigned to them, and then join them to the domain.
+
+### Restrict administrator logon access to servers and workstations
+
+It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust servers and workstations. This restriction prevents administrators from inadvertently increasing the risk of credential theft by signing in to a lower-trust computer.
+
+**Important**
+Ensure that you either have local access to the domain controller or that you have built at least one dedicated administrative workstation.
+
+
+
+Restrict logon access to lower-trust servers and workstations by using the following guidelines:
+
+- **Minimum**. Restrict domain administrators from having logon access to servers and workstations. Before starting this procedure, identify all OUs in the domain that contain workstations and servers. Any computers in OUs that are not identified will not restrict administrators with sensitive accounts from signing-in to them.
+
+- **Better**. Restrict domain administrators from non-domain controller servers and workstations.
+
+- **Ideal**. Restrict server administrators from signing in to workstations, in addition to domain administrators.
+
+**Note**
+For this procedure, do not link accounts to the OU that contain workstations for administrators that perform administration duties only, and do not provide Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations)
+
+
+
+**To restrict domain administrators from workstations (minimum)**
+
+1. As a domain administrator, open the Group Policy Management Console (GPMC).
+
+2. Open **Group Policy Management**, and expand *<forest>*\\Domains\\*<domain>*, and then expand to **Group Policy Objects**.
+
+3. Right-click **Group Policy Objects**, and > **New**.
+
+ 
+
+4. In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and > **OK**.
+
+ 
+
+5. Right-click **New GPO**, and > **Edit**.
+
+6. Configure user rights to deny logon locally for domain administrators.
+
+7. Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**, and perform the following:
+
+ 1. Double-click **Deny logon locally**, and > **Define these policy settings**.
+
+ 2. Click **Add User or Group**, click **Browse**, type **Enterprise Admins**, and > **OK**.
+
+ 3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and > **OK**.
+
+ 
+
+ **Note**
+ You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
+
+
+
+ 4. Click **OK** to complete the configuration.
+
+8. Configure the user rights to deny batch and service logon rights for domain administrators as follows:
+
+ **Note**
+ Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with alternative means to run scheduled tasks or services.
+
+
+
+ 1. Double-click **Deny logon as a batch job**, and > **Define these policy settings**.
+
+ 2. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**.
+
+ 3. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**.
+
+ 
+
+ **Note**
+ You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
+
+
+
+ 4. Double-click **Deny logon as a service**, and > **Define these policy settings**.
+
+ 5. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**.
+
+ 6. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**.
+
+ 
+
+ **Note**
+ You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
+
+
+
+9. Link the GPO to the first Workstations OU.
+
+ Navigate to the *<forest>*\\Domains\\*<domain>*\\OU Path, and then:
+
+ 1. Right-click the workstation OU, and then > **Link an Existing GPO**.
+
+ 
+
+ 2. Select the GPO that you just created, and > **OK**.
+
+ 
+
+10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy.
+
+11. Link all other OUs that contain workstations.
+
+ However, do not create a link to the Administrative Workstation OU if it is created for administrative workstations that are dedicated to administration duties only, and that are without Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations).
+
+ **Important**
+ If you later extend this solution, do not deny logon rights for the **Domain Users** group. The **Domain Users** group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise Administrators.
+
+
+
+### Disable the account delegation right for sensitive administrator accounts
+
+Although user accounts are not marked for delegation by default, accounts in an Active Directory domain can be trusted for delegation. This means that a service or a computer that is trusted for delegation can impersonate an account that authenticates to them to access other resources across the network.
+
+For sensitive accounts, such as those belonging to members of the Administrators, Domain Admins, or Enterprise Admins groups in Active Directory, delegation can present a substantial risk of rights escalation. For example, if an account in the Domain Admins group is used to sign in to a compromised member server that is trusted for delegation, that server can request access to resources in the context of the Domain Admins account, and escalate the compromise of that member server to a domain compromise.
+
+It is a best practice to configure the user objects for all sensitive accounts in Active Directory by selecting the **Account is sensitive and cannot be delegated** check box under **Account options** to prevent these accounts from being delegated. For more information, see [Setting for default local accounts in Active Directory](#sec-account-settings).
+
+As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it.
+
+
+
+## Secure and manage domain controllers
+
+
+It is a best practice to strictly enforce restrictions on the domain controllers in your environment. This ensures that the domain controllers:
+
+1. Run only required software
+
+2. Required software is regularly updated
+
+3. Are configured with the appropriate security settings
+
+One aspect of securing and managing domain controllers is to ensure that the default local user accounts are fully protected. It is of primary importance to restrict and secure all sensitive domain accounts, as described in the preceding sections.
+
+Because domain controllers store credential password hashes of all accounts in the domain, they are high-value targets for malicious users. When domain controllers are not well managed and secured by using restrictions that are strictly enforced, they can be compromised by malicious users. For example, a malicious user could steal sensitive domain administrator credentials from one domain controller, and then use these credentials to attack the domain and forest.
+
+In addition, installed applications and management agents on domain controllers might provide a path for escalating rights that malicious users can use to compromise the management service or administrators of that service. The management tools and services, which your organization uses to manage domain controllers and their administrators, are equally important to the security of the domain controllers and the domain administrator accounts. Ensure that these services and administrators are fully secured with equal effort.
+
+## See also
+
+- [Security Principals](security-principals.md)
+
+- [Access Control Overview](access-control.md)
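Review bot: the maintenance text "You must reset the password twice because the KRBTGT account stores only two of the most recent passwords in the password history" contradicts the later bullet "All the TGTs that are already issued and distributed will be invalid because the DCs will reject them." If the KDC honours both the current and the previous KRBTGT key, a single reset does not invalidate outstanding TGTs; only the second reset does. Either qualify the bullet so it applies after the second reset, or say in the maintenance section that tickets encrypted under the previous key stay valid until the password is reset again. The double-reset guidance also needs an explicit caveat to let the first reset replicate to every domain controller before performing the second: a DC that has not yet received the new key cannot decrypt TGTs issued by a DC that has, which is the same hazard the forest-recovery paragraph describes for DCs that "cannot be rebooted again before all of the appropriate recovery steps have been undertaken". Smaller items in the same hunk: "labor intensive an should be undertaken" should read "and should"; "resulting in almost all subsequent Kerberos operations will be affected" should be "so almost all subsequent Kerberos operations are affected"; "the user logs signs in" should be "the user signs in"; the KRBTGT attributes table, the account-settings table and the Windows Update table have lost their table markup and arrive as bare "cell |" lines, so they need rebuilding as Markdown tables with header rows; "Windows Firewall with Advanced Security LDAP://path" reads as an unfilled placeholder and should name the node the reader is meant to right-click; the "Use DES encryption types for this account" row lists MPPE and IPsec cipher strengths, which are unrelated to the Kerberos DES-CBC-MD5 and DES-CBC-CRC types the note beneath it discusses; and the sentence "domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time" in the preauthentication row does not follow from the setting being described and should be removed or moved.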
diff --git a/windows/keep-secure/active-directory-security-groups.md b/windows/keep-secure/active-directory-security-groups.md
new file mode 100644
index 0000000000..630308945a
--- /dev/null
+++ b/windows/keep-secure/active-directory-security-groups.md
@@ -0,0 +1,3591 @@
+---
+title: Active Directory Security Groups (Windows 10)
+description: Active Directory Security Groups
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Active Directory Security Groups
+
+**Applies to**
+- Windows Server 2016
+
+This reference topic for the IT professional describes the default Active Directory security groups.
+
+##
+
+
+There are two forms of common security principals in Active Directory: user accounts and computer accounts. These accounts represent a physical entity (a person or a computer). User accounts can also be used as dedicated service accounts for some applications. Security groups are used to collect user accounts, computer accounts, and other groups into manageable units.
+
+In the Windows Server operating system, there are several built-in accounts and security groups that are preconfigured with the appropriate rights and permissions to perform specific tasks. For Active Directory, there are two types of administrative responsibilities:
+
+- **Service administrators** Responsible for maintaining and delivering Active Directory Domain Services (AD DS), including managing domain controllers and configuring the AD DS.
+
+- **Data administrators** Responsible for maintaining the data that is stored in AD DS and on domain member servers and workstations.
+
+## About Active Directory groups
+
+
+Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration.
+
+There are two types of groups in Active Directory:
+
+- **Distribution groups** Used to create email distribution lists.
+
+- **Security groups** Used to assign permissions to shared resources.
+
+### Distribution groups
+
+Distribution groups can be used only with email applications (such as Exchange Server) to send email to collections of users. Distribution groups are not security enabled, which means that they cannot be listed in discretionary access control lists (DACLs).
+
+### Security groups
+
+Security groups can provide an efficient way to assign access to resources on your network. By using security groups, you can:
+
+- Assign user rights to security groups in Active Directory.
+
+ User rights are assigned to a security group to determine what members of that group can do within the scope of a domain or forest. User rights are automatically assigned to some security groups when Active Directory is installed to help administrators define a person’s administrative role in the domain.
+
+ For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights **Backup files and directories** and **Restore files and directories** are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group.
+
+ You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](user-rights-assignment.md).
+
+- Assign permissions to security groups for resources.
+
+ Permissions are different than user rights. Permissions are assigned to the security group for the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. Some permissions that are set on domain objects are automatically assigned to allow various levels of access to default security groups, such as the Account Operators group or the Domain Admins group.
+
+ Security groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account that is added to a group receives the rights that are assigned to that group in Active Directory, and the user receives the permissions that are defined for that group.
+
+Like distribution groups, security groups can be used as an email entity. Sending an email message to the group sends the message to all the members of the group.
+
+### Group scope
+
+Groups are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The scope of the group defines where the group can be granted permissions. The following three group scopes are defined by Active Directory:
+
+- Universal
+
+- Global
+
+- Domain Local
+
+**Note**
+In addition to these three scopes, the default groups in the **Builtin** container have a group scope of Builtin Local. This group scope and group type cannot be changed.
+
+
+
+The following table lists the three group scopes and more information about each scope for a security group.
+
+**Group scopes**
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Universal |
+Accounts from any domain in the same forest
+Global groups from any domain in the same forest
+Other Universal groups from any domain in the same forest |
+Can be converted to Domain Local scope
+Can be converted to Global scope if the group does not contain any other Universal groups |
+On any domain in the same forest or trusting forests |
+Other Universal groups in the same forest
+Domain Local groups in the same forest or trusting forests
+Local groups on computers in the same forest or trusting forests |
+
+
+Global |
+Accounts from the same domain
+Other Global groups from the same domain |
+Can be converted to Universal scope if the group is not a member of any other global group |
+On any domain in the same forest, or trusting domains or forests |
+Universal groups from any domain in the same forest
+Other Global groups from the same domain
+Domain Local groups from any domain in the same forest, or from any trusting domain |
+
+
+Domain Local |
+Accounts from any domain or any trusted domain
+Global groups from any domain or any trusted domain
+Universal groups from any domain in the same forest
+Other Domain Local groups from the same domain
+Accounts, Global groups, and Universal groups from other forests and from external domains |
+Can be converted to Universal scope if the group does not contain any other Domain Local groups |
+Within the same domain |
+Other Domain Local groups from the same domain
+Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs |
+
+
+
+
+
+
+### Special identity groups
+
+Special identities are generally referred to as groups. Special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. Some of these groups include Creator Owner, Batch, and Authenticated User.
+
+For information about all the special identity groups, see [Special Identities](special-identities.md).
+
+## Default security groups
+
+
+Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles.
+
+Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain.
+
+When you add a user to a group, the user receives all the user rights that are assigned to the group and all the permissions that are assigned to the group for any shared resources.
+
+Default groups are located in the **Builtin** container and in the **Users** container in Active Directory Users and Computers. The **Builtin** container includes groups that are defined with the Domain Local scope. The **Users** includes contains groups that are defined with Global scope and groups that are defined with Domain Local scope. You can move groups that are located in these containers to other groups or organizational units (OU) within the domain, but you cannot move them to other domains.
+
+Some of the administrative groups that are listed in this topic and all members of these groups are protected by a background process that periodically checks for and applies a specific security descriptor. This descriptor is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings.
+
+The security descriptor is present on the **AdminSDHolder** object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the **AdminSDHolder** object so that it will be applied consistently. Be careful when you make these modifications because you are also changing the default settings that will be applied to all of your protected administrative accounts.
+
+### Active Directory default security groups by operating system version
+
+The following tables provide descriptions of the default groups that are located in the **Builtin** and **Users** containers in each operating system.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[Access Control Assistance Operators](#bkmk-acasstops) |
+Yes |
+Yes |
+ |
+ |
+
+
+[Account Operators](#bkmk-accountoperators) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Administrators](#bkmk-admins) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Backup Operators](#bkmk-backupoperators) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Certificate Service DCOM Access](#bkmk-certificateservicedcomaccess) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Cert Publishers](#bkmk-certpublishers) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Cloneable Domain Controllers](#bkmk-cloneabledomaincontrollers) |
+Yes |
+Yes |
+ |
+ |
+
+
+[Cryptographic Operators](#bkmk-cryptographicoperators) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Distributed COM Users](#bkmk-distributedcomusers) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[DnsUpdateProxy](#bkmk-dnsupdateproxy) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[DnsAdmins](#bkmk-dnsadmins) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Domain Admins](#bkmk-domainadmins) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Domain Computers](#bkmk-domaincomputers) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Domain Controllers](#bkmk-domaincontrollers) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Domain Guests](#bkmk-domainguests) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Domain Users](#bkmk-domainusers) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Enterprise Admins](#bkmk-entadmins) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Enterprise Read-only Domain Controllers](#bkmk-entrodc) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Event Log Readers](#bkmk-eventlogreaders) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Group Policy Creators Owners](#bkmk-gpcreatorsowners) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Guests](#bkmk-guests) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Hyper-V Administrators](#bkmk-hypervadministrators) |
+Yes |
+Yes |
+ |
+ |
+
+
+[IIS_IUSRS](#bkmk-iis-iusrs) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Network Configuration Operators](#bkmk-networkcfgoperators) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Performance Log Users](#bkmk-perflogusers) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Performance Monitor Users](#bkmk-perfmonitorusers) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Print Operators](#bkmk-printoperators) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Protected Users](#bkmk-protectedusers) |
+Yes |
+ |
+ |
+ |
+
+
+[RAS and IAS Servers](#bkmk-rasandias) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[RDS Endpoint Servers](#bkmk-rdsendpointservers) |
+Yes |
+Yes |
+ |
+ |
+
+
+[RDS Management Servers](#bkmk-rdsmanagementservers) |
+Yes |
+Yes |
+ |
+ |
+
+
+[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers) |
+Yes |
+Yes |
+ |
+ |
+
+
+[Read-only Domain Controllers](#bkmk-rodc) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Remote Desktop Users](#bkmk-remotedesktopusers) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Remote Management Users](#bkmk-remotemanagementusers) |
+Yes |
+Yes |
+ |
+ |
+
+
+[Replicator](#bkmk-replicator) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Schema Admins](#bkmk-schemaadmins) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Server Operators](#bkmk-serveroperators) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Terminal Server License Servers](#bkmk-terminalserverlic) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Users](#bkmk-users) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[Windows Authorization Access Group](#bkmk-winauthaccess) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
+[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-) |
+Yes |
+Yes |
+ |
+ |
+
+
+
+
+
+
+### Access Control Assistance Operators
+
+Members of this group can remotely query authorization attributes and permissions for resources on the computer.
+
+The Access Control Assistance Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-579 |
+
+
+Type |
+BuiltIn Local |
+
+
+Default container |
+CN=BuiltIn, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None
+ |
+
+
+
+
+
+
+### Account Operators
+
+The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
+
+Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the [Administrators](#bkmk-admins), [Server Operators](#bkmk-serveroperators), [Account Operators](#bkmk-accountoperators), [Backup Operators](#bkmk-backupoperators), or [Print Operators](#bkmk-printoperators) groups. Members of this group cannot modify user rights.
+
+The Account Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+**Note**
+By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.
+
+
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-548 |
+
+
+Type |
+BuiltIn Local |
+
+
+Default container |
+CN=BuiltIn, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight |
+
+
+
+
+
+
+### Administrators
+
+Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.
+
+The Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+**Note**
+The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.
+
+Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.
+
+
+
+This security group includes the following changes since Windows Server 2008:
+
+- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md).
+
+- [Remove computer from docking station](remove-computer-from-docking-station.md) was removed in Windows Server 2012 R2.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-544 |
+
+
+Type |
+BuiltIn Local |
+
+
+Default container |
+CN=BuiltIn, DC=<domain>, DC= |
+
+
+Default members |
+Administrator, Domain Admins, Enterprise Admins |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege
+[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight
+[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight
+[Allow log on through Remote Desktop Services](allow-log-on-through-remote-desktop-services.md): SeRemoteInteractiveLogonRight
+[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege
+[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege
+[Change the system time](change-the-system-time.md): SeSystemTimePrivilege
+[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege
+[Create a pagefile](create-a-pagefile.md): SeCreatePagefilePrivilege
+[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege
+[Create symbolic links](create-symbolic-links.md): SeCreateSymbolicLinkPrivilege
+[Debug programs](debug-programs.md): SeDebugPrivilege
+[Enable computer and user accounts to be trusted for delegation](enable-computer-and-user-accounts-to-be-trusted-for-delegation.md): SeEnableDelegationPrivilege
+[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege
+[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege
+[Increase scheduling priority](increase-scheduling-priority.md): SeIncreaseBasePriorityPrivilege
+[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege
+[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight
+[Manage auditing and security log](manage-auditing-and-security-log.md): SeSecurityPrivilege
+[Modify firmware environment values](modify-firmware-environment-values.md): SeSystemEnvironmentPrivilege
+[Perform volume maintenance tasks](perform-volume-maintenance-tasks.md): SeManageVolumePrivilege
+[Profile system performance](profile-system-performance.md): SeSystemProfilePrivilege
+[Profile single process](profile-single-process.md): SeProfileSingleProcessPrivilege
+[Remove computer from docking station](remove-computer-from-docking-station.md): SeUndockPrivilege
+[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege
+[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege
+[Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md): SeTakeOwnershipPrivilege |
+
+
+
+
+
+
+### Allowed RODC Password Replication Group
+
+The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.
+
+The Allowed RODC Password Replication group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<domain>-571 |
+
+
+Type |
+Domain local |
+
+
+Default container |
+CN=Users DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Backup Operators
+
+Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators.
+
+The Backup Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-551 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=BuiltIn, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight
+[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege
+[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight
+[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege
+[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege |
+
+
+
+
+
+
+### Certificate Service DCOM Access
+
+Members of this group are allowed to connect to certification authorities in the enterprise.
+
+The Certificate Service DCOM Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-<domain>-574 |
+
+
+Type |
+Domain Local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Cert Publishers
+
+Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory.
+
+The Cert Publishers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-517 |
+
+
+Type |
+Domain Local |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Cloneable Domain Controllers
+
+Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group).
+
+For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](https://technet.microsoft.com/library/hh831734.aspx).
+
+This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<domain>-522 |
+
+
+Type |
+Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Cryptographic Operators
+
+Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.
+
+The Cryptographic Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group was introduced in Windows Vista Service Pack 1, and it has not changed in subsequent versions.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-569 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Denied RODC Password Replication Group
+
+Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller.
+
+The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication Group supersedes the [Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl).
+
+This security group includes the following changes since Windows Server 2008:
+
+- Windows Server 2012 changed the default members to include [Cert Publishers](#bkmk-certpublishers).
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<domain>-572 |
+
+
+Type |
+Domain local |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+[Cert Publishers](#bkmk-certpublishers)
+[Domain Admins](#bkmk-domainadmins)
+[Domain Controllers](#bkmk-domaincontrollers)
+[Enterprise Admins](#bkmk-entadmins)
+Group Policy Creator Owners
+krbtgt
+[Read-only Domain Controllers](#bkmk-rodc)
+[Schema Admins](#bkmk-schemaadmins) |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+ |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Distributed COM Users
+
+Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+
+The Distributed COM Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-562 |
+
+
+Type |
+Builtin Local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### DnsUpdateProxy
+
+Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario.
+
+However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account.
+
+For information, see [DNS Record Ownership and the DnsUpdateProxy Group](http://technet.microsoft.com/library/dd334715.aspx).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<domain>-1103 |
+
+
+Type |
+Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### DnsAdmins
+
+Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
+
+For more information about security and DNS, see [DNSSEC in Windows Server 2012](https://technet.microsoft.com/library/dn593694(v=ws.11).aspx).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<domain>-1102 |
+
+
+Type |
+Domain local |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Domain Admins
+
+Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
+
+The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain.
+
+The Domain Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-512 |
+
+
+Type |
+Domain Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+Administrator |
+
+
+Default member of |
+[Administrators](#bkmk-admins)
+[Denied RODC Password ReplicationGroup](#bkmk-deniedrodcpwdrepl) |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+See [Administrators](#bkmk-admins)
+See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+
+
+
+
+### Domain Computers
+
+This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that is created automatically becomes a member of this group.
+
+The Domain Computers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-515 |
+
+
+Type |
+Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+All computers joined to the domain, excluding domain controllers |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Yes (but not required) |
+
+
+Safe to delegate management of this group to non-Service admins? |
+Yes |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Domain Controllers
+
+The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group.
+
+The Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-516 |
+
+
+Type |
+Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+Computer accounts for all domain controllers of the domain |
+
+
+Default member of |
+[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+No |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Domain Guests
+
+The Domain Guests group includes the domain’s built-in Guest account. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer.
+
+The Domain Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-514 |
+
+
+Type |
+Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+Guest |
+
+
+Default member of |
+[Guests](#bkmk-guests) |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Can be moved out but it is not recommended |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+See [Guests](#bkmk-guests) |
+
+
+
+
+
+
+### Domain Users
+
+The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group.
+
+By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group on the print server that has permissions for the printer).
+
+The Domain Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-513 |
+
+
+Type |
+Domain Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+Administrator
+krbtgt |
+
+
+Default member of |
+[Users](#bkmk-users) |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+See [Users](#bkmk-users) |
+
+
+
+
+
+
+### Enterprise Admins
+
+The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains.
+
+By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account.
+
+The Enterprise Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<root domain>-519 |
+
+
+Type |
+Universal (if Domain is in Native-Mode) else Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+Administrator |
+
+
+Default member of |
+[Administrators](#bkmk-admins)
+[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+See [Administrators](#bkmk-admins)
+See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+
+
+
+
+### Enterprise Read-Only Domain Controllers
+
+Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller.
+
+Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it.
+
+For more information, see [What Is an RODC?](https://technet.microsoft.com/library/cc771030.aspx).
+
+The Enterprise Read-Only Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<domain>-498 |
+
+
+Type |
+Universal |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+ |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Event Log Readers
+
+Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.
+
+The Event Log Readers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-573 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Group Policy Creators Owners
+
+This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
+
+For information about other features you can use with this security group, see [Group Policy Overview](https://technet.microsoft.com/library/hh831791.aspx).
+
+The Group Policy Creators Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<domain>-520 |
+
+
+Type |
+Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+Administrator |
+
+
+Default member of |
+[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+No |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+
+
+
+
+### Guests
+
+Members of the Guests group have the same access as members of the Users group by default, except that the Guest account has further restrictions. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer’s built-in Guest account.
+
+When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the **%userprofile%** directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system. This security group interacts with the Group Policy setting **Do not logon users with temporary profiles** when it is enabled. This setting is located under the following path:
+
+Computer Configuration\\Administrative Templates\\System\\User Profiles
+
+**Note**
+A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account.
+
+The Guest account does not require a password. You can set rights and permissions for the Guest account as in any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to sign in to a domain. The Guest account is disabled by default, and we recommend that it stay disabled.
+
+
+
+The Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-546 |
+
+
+Type |
+Builtin Local |
+
+
+Default container |
+CN=BuiltIn, DC=<domain>, DC= |
+
+
+Default members |
+Guest |
+
+
+Default member of |
+[Domain Guests](#bkmk-domainguests)
+Guest |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Hyper-V Administrators
+
+Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.
+
+**Note**
+Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group.
+
+
+
+This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-578 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=BuiltIn, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+No |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### IIS\_IUSRS
+
+IIS\_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR\_MachineName account and the IIS\_WPG group with the IIS\_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS\_IUSRS.
+
+For more information, see [Understanding Built-In User and Group Accounts in IIS 7](http://www.iis.net/learn/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-568 |
+
+
+Type |
+BuiltIn Local |
+
+
+Default container |
+CN=BuiltIn, DC=<domain>, DC= |
+
+
+Default members |
+IUSR |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+ |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Incoming Forest Trust Builders
+
+Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must determine whether the domain being requested by a user, computer, or service has a trust relationship with the logon domain of the requesting account.
+
+To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups.
+
+**Note**
+This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+
+
+
+For more information, see [How Domain and Forest Trusts Work: Domain and Forest Trusts](http://technet.microsoft.com/library/f5c70774-25cd-4481-8b7a-3d65c86e69b1).
+
+The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+**Note**
+This group cannot be renamed, deleted, or moved.
+
+
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-557 |
+
+
+Type |
+BuiltIn local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Network Configuration Operators
+
+Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features:
+
+- Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers.
+
+- Rename the LAN connections or remote access connections that are available to all the users.
+
+- Enable or disable a LAN connection.
+
+- Modify the properties of all of remote access connections of users.
+
+- Delete all the remote access connections of users.
+
+- Rename all the remote access connections of users.
+
+- Issue **ipconfig**, **ipconfig /release**, or **ipconfig /renew** commands.
+
+- Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card.
+
+**Note**
+This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+
+
+
+The Network Configuration Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+**Note**
+This group cannot be renamed, deleted, or moved.
+
+
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-556 |
+
+
+Type |
+BuiltIn local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+Yes |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Performance Log Users
+
+Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group. Specifically, members of this security group:
+
+- Can use all the features that are available to the Performance Monitor Users group.
+
+- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right.
+
+ **Warning**
+ If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
+
+
+
+- Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
+
+For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](log-on-as-a-batch-job.md) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
+
+**Note**
+This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+
+
+
+The Performance Log Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+**Note**
+This account cannot be renamed, deleted, or moved.
+
+
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-559 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+Yes |
+
+
+Default User Rights |
+[Log on as a batch job](log-on-as-a-batch-job.md): SeBatchLogonRight |
+
+
+
+
+
+
+### Performance Monitor Users
+
+Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. The Windows Performance Monitor is a Microsoft Management Console (MMC) snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways.
+
+Specifically, members of this security group:
+
+- Can use all the features that are available to the Users group.
+
+- Can view real-time performance data in Performance Monitor.
+
+ Can change the Performance Monitor display properties while viewing data.
+
+- Cannot create or modify Data Collector Sets.
+
+ **Warning**
+ You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group.
+
+
+
+**Note**
+This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved.
+
+
+
+The Performance Monitor Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-558 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+Yes |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Pre–Windows 2000 Compatible Access
+
+Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier.
+
+**Warning**
+This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+
+
+
+The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-554 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+If you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone and Anonymous are members, and if you choose the Windows 2000-only permissions mode, Authenticated Users are members. |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight
+[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege |
+
+
+
+
+
+
+### Print Operators
+
+Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.
+
+This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved.
+
+The Print Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012](https://technet.microsoft.com/library/jj190062(v=ws.11).aspx).
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-550 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight
+[Load and unload device drivers](load-and-unload-device-drivers.md): SeLoadDriverPrivilege
+[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege |
+
+
+
+
+
+
+### Protected Users
+
+Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes.
+
+This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group.
+
+This domain-related, global group triggers non-configurable protection on devices and host computers running Windows Server 2012 R2 and Windows 8.1, and on domain controllers in domains with a primary domain controller running Windows Server 2012 R2. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer.
+
+Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows.
+
+- Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1, so the device fails to authenticate to a domain when the account is a member of the Protected User group.
+
+- The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite.
+
+- The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.
+
+- The default Kerberos ticket-granting tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours has passed, the user must authenticate again.
+
+The Protected Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](https://technet.microsoft.com/library/dn466518.aspx).
+
+The following table specifies the properties of the Protected Users group.
+
+
+
+
+
+
+
+
+
+
+
+Well-known SID/RID |
+S-1-5-21-<domain>-525 |
+
+
+Type |
+Domain Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-service admins? |
+No |
+
+
+Default user rights |
+None |
+
+
+
+
+
+
+### RAS and IAS Servers
+
+Computers that are members of the RAS and IAS Servers group, when properly configured, are allowed to use remote access services. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically, such as IAS servers and Network Policy Servers. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.
+
+The RAS and IAS Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<domain>-553 |
+
+
+Type |
+Domain local |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-Service admins? |
+Yes |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### RDS Endpoint Servers
+
+Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
+
+For information about Remote Desktop Services, see [Host desktops and apps in Remote Desktop Services](https://technet.microsoft.com/library/mt718499.aspx).
+
+This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<domain>-553 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### RDS Management Servers
+
+Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
+
+This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-577 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### RDS Remote Access Servers
+
+Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.
+
+For more information, see [Host desktops and apps in Remote Desktop Services](https://technet.microsoft.com/library/mt718499.aspx).
+
+This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-575 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Remote Desktop Users
+
+The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+
+The Remote Desktop Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-555 |
+
+
+Type |
+Builtin Local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+Yes |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Read-Only Domain Controllers
+
+This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
+
+Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality:
+
+- Read-only AD DS database
+
+- Unidirectional replication
+
+- Credential caching
+
+- Administrator role separation
+
+- Read-only Domain Name System (DNS)
+
+For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx).
+
+This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<domain>-521 |
+
+
+Type |
+ |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+
+
+
+
+### Remote Management Users
+
+Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
+
+The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands.
+
+For more information, see [What's New in MI?](https://msdn.microsoft.com/library/jj819828(v=vs.85).aspx) and [About WMI](http://msdn.microsoft.com/library/aa384642.aspx).
+
+This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-580 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Replicator
+
+Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites.
+
+**Important**
+In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers.
+
+However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see:
+
+- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](http://msdn.microsoft.com/library/windows/desktop/ff384840.aspx)
+- [DFS Namespaces and DFS Replication Overview](https://technet.microsoft.com/library/jj127250(v=ws.11).aspx)
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-552 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Schema Admins
+
+Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode.
+
+The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema.
+
+The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory.
+
+For more information, see [What Is the Active Directory Schema?: Active Directory](http://technet.microsoft.com/library/cc784826.aspx).
+
+The Schema Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-<root domain>-518 |
+
+
+Type |
+Universal (if Domain is in Native-Mode) else Global |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+Administrator |
+
+
+Default member of |
+[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) |
+
+
+
+
+
+
+### Server Operators
+
+Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Memebers of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
+
+By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.
+
+The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-549 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+Yes |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight
+[Back up files and directories](back-up-files-and-directories.md): SeBackupPrivilege
+[Change the system time](change-the-system-time.md): SeSystemTimePrivilege
+[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege
+[Force shutdown from a remote system](force-shutdown-from-a-remote-system.md): SeRemoteShutdownPrivilege
+[Restore files and directories](restore-files-and-directories.md): Restore files and directories SeRestorePrivilege
+[Shut down the system](shut-down-the-system.md): SeShutdownPrivilege |
+
+
+
+
+
+
+### Terminal Server License Servers
+
+Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+
+For more information about this security group, see [Terminal Services License Server Security Group Configuration](http://technet.microsoft.com/library/cc775331.aspx).
+
+The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+**Note**
+This group cannot be renamed, deleted, or moved.
+
+
+
+This security group only applies to Windows Server 2003 and Windows Server 2008 because Terminal Services was replaced by Remote Desktop Services in Windows Server 2008 R2.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-561 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to delegate management of this group to non-Service admins? |
+Yes |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Users
+
+Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
+
+Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved.
+
+The Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+This security group includes the following changes since Windows Server 2008:
+
+- In Windows Server 2008 R2, INTERACTIVE was added to the default members list.
+
+- In Windows Server 2012, the default **Member Of** list changed from Domain Users to none.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-545 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+Authenticated Users
+[Domain Users](#bkmk-domainusers)
+INTERACTIVE |
+
+
+Default member of |
+Domain Users (this membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.) |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+### Windows Authorization Access Group
+
+Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function) that reads this attribute do not succeed if the calling security context does not have access to the attribute. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
+
+The Windows Authorization Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+**Note**
+This group cannot be renamed, deleted, or moved.
+
+
+
+This security group has not changed since Windows Server 2008.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-560 |
+
+
+Type |
+Builtin local |
+
+
+Default container |
+CN=Builtin, DC=<domain>, DC= |
+
+
+Default members |
+Enterprise Domain Controllers |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Cannot be moved |
+
+
+Safe to delegate management of this group to non-Service admins? |
+Yes |
+
+
+Default user rights |
+None |
+
+
+
+
+
+
+### WinRMRemoteWMIUsers\_
+
+In Windows 8 and in Windows Server 2012, a **Share** tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.
+
+The WinRMRemoteWMIUsers\_ group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+- If the file share is hosted on a server that is running a supported version of the operating system:
+
+ - You must be a member of the WinRMRemoteWMIUsers\_\_ group or the BUILTIN\\Administrators group.
+
+ - You must have Read permissions to the file share.
+
+- If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server 2012:
+
+ - You must be a member of the BUILTIN\\Administrators group.
+
+ - You must have Read permissions to the file share.
+
+In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers\_\_ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions.
+
+**Note**
+The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console.
+
+
+
+This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-21-<domain>-1000 |
+
+
+Type |
+Domain local |
+
+
+Default container |
+CN=Users, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Yes |
+
+
+Safe to delegate management of this group to non-Service admins? |
+ |
+
+
+Default User Rights |
+None |
+
+
+
+
+## See also
+
+- [Security Principals](security-principals.md)
+
+- [Special Identities](special-identities.md)
+
+- [Access Control Overview](access-control.md)
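Review bot: the RDS Endpoint Servers table gives Well-Known SID/RID `S-1-5-21-<domain>-553`, which is the RAS and IAS Servers value copied from the table directly above it and contradicts this table's own Type (Builtin local) and Default container (CN=Builtin); the built-in group's SID is `S-1-5-32-576`, which sits between the RDS Remote Access Servers (575) and RDS Management Servers (577) values the following tables already give. Two more SID rows need a look: Schema Admins is written `S-1-5-<root domain>-518` and drops the `21` subauthority that every other domain SID in this hunk carries (`S-1-5-21-<root domain>-518`), and the WinRMRemoteWMIUsers row lists `S-1-5-21-<domain>-1000`, which is the first dynamically allocated RID rather than a reserved one, so the "Well-Known" heading is misleading there and the row should say the RID is assigned at creation. The group name itself is spelled `WinRMRemoteWMIUsers\_` in the heading and the Note but `WinRMRemoteWMIUsers\_\_` in the bullet list and the Access Denied Assistance paragraph; pick one spelling. The Users section contradicts its own table: the prose says the only initial member is Authenticated Users and that the Windows Server 2012 Member Of list changed to none, yet the table lists Authenticated Users, Domain Users and INTERACTIVE as default members and Domain Users under Default member of. Several cells are empty (Type for Read-Only Domain Controllers, which is a global group, and the "Safe to delegate management" row for the three RDS groups, Read-Only Domain Controllers, Remote Management Users, Replicator and WinRMRemoteWMIUsers), and the Terminal Server License Servers table orders "Safe to move out of default container?" before "Protected by ADMINSDHOLDER?", unlike every other table in the hunk. Text fixes: "Memebers" in Server Operators, "group is allows remotely running" in Remote Management Users, the Server Operators rights cell repeats "Restore files and directories" before SeRestorePrivilege, and the Protected Users bullet "former connections to other systems may fail" should read "connections". On Server Operators, the sentence about "the ability to change binaries" understates the risk; with SeBackupPrivilege and SeRestorePrivilege on a domain controller a member can read and write any file on the DC, including the directory database, so it is worth saying that outright as the reason the group is treated as service-admin equivalent.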
diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
index eb028e5f03..5f10d77fb7 100644
--- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
+++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
@@ -1,6 +1,6 @@
---
-title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10)
-description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker.
+title: Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality (Windows 10)
+description: Add multiple apps to your enterprise data protection (EDP) allowed app list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker.
ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
keywords: EDP, Enterprise Data Protection, protected apps, protected app list
ms.prod: w10
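Review bot: the keywords row left as context still reads "protected apps, protected app list" while the new title and description switch to "allowed app list"; update the keywords in the same change so the metadata agrees with the topic. The rename also changes the title other topics link by (the Intune topic later in this patch still links here as "Add multiple apps to your enterprise data protection (EDP) Protected Apps list"), so those link texts need the same edit.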
@@ -10,7 +10,7 @@ ms.sitesec: library
author: eross-msft
---
-# Add multiple apps to your enterprise data protection (EDP) Protected Apps list
+# Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality
**Applies to:**
- Windows 10 Insider Preview
@@ -18,7 +18,7 @@ author: eross-msft
[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-Add multiple apps to your enterprise data protection (EDP) **Protected Apps** list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
+Add multiple apps to your enterprise data protection (EDP) allowed app list at the same time, by using the Microsoft Intune Custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
**Important**
Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
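Review bot: the link on the changed line points at `http://go.microsoft.com/fwlink/p/?LinkID=691330` over plain HTTP; use `https://` so the redirect hop is not cleartext. The Important note that follows warns that mixing the UI and the Custom URI method gives unpredictable results but does not tell the admin what to do about it; since the topic is about which apps may handle enterprise data, add the recovery step (remove the policy created by the other method before switching) rather than only the warning.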
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index c415733140..812c222e48 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -12,6 +12,13 @@ author: brianlic-msft
# Change history for Keep Windows 10 secure
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## July 2016
+
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
+
+
## June 2016
|New or changed topic | Description |
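Review bot: the new July 2016 row marks create-edp-policy-using-sccm.md as "New", but the diff for that file later in this patch modifies an existing topic (index fa412028a7..9fd513eda2, with the Configuration Manager 1511 wording being removed), so the row should describe the change (version requirement moved to 1605 Tech Preview, "Protected Apps" replaced by app rules, no migration path for policies created in 1511 or 1602) rather than "New". The retitled add-apps-to-protected-list-using-custom-uri.md topic from this same patch is also missing from the July list.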
@@ -19,6 +26,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. |
| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
+| [Windows security baselines](windows-security-baselines.md) | New |
## May 2016
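Review bot: the added Windows security baselines row is fine, but the context row directly above it spells "multiple" as "mutiple"; fix it while touching this table.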
diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md
index 798d6ebec4..17b58ff4b3 100644
--- a/windows/keep-secure/create-edp-policy-using-intune.md
+++ b/windows/keep-secure/create-edp-policy-using-intune.md
@@ -47,7 +47,6 @@ The steps to add your apps are based on the type of app it is; either a Universa
>**Important**
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
-
>**Note**
If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic.
**To add a UWP app**
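Review bot: the only change in this hunk removes the blank line between the `>**Important**` block and the `>**Note**` block, and in Markdown a `>` line that follows a lazy-continuation line without a blank line joins the same blockquote, so the Note will render inside the Important callout; keep the blank line. While here, the Note's link text still says "Add multiple apps to your enterprise data protection (EDP) Protected Apps list", which this same patch retitles to "Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality", and the Important paragraph still says "**Protected App** list" where the SCCM topic now says "**App rules** list".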
@@ -83,6 +82,7 @@ The steps to add your apps are based on the type of app it is; either a Universa
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
+

**To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones**
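Review bot: the JSON in the context lines ends with `"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",` followed by `}`, a trailing comma before the closing brace, which is not valid JSON and will be rejected if a reader pastes the snippet into the Intune custom policy; drop the comma. The added blank line before the image is whitespace only and is fine.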
diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md
index fa412028a7..9fd513eda2 100644
--- a/windows/keep-secure/create-edp-policy-using-sccm.md
+++ b/windows/keep-secure/create-edp-policy-using-sccm.md
@@ -1,6 +1,6 @@
---
title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10)
-description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
+description: Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
keywords: EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
ms.prod: w10
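Review bot: the description now says "version 1606 or later" while the Applies to list and the intro paragraph in the next hunk say "version 1605 Tech Preview or later"; the three must state the same minimum version, and since the body adds that policies from 1511 and 1602 cannot be edited or migrated, the description is the place a reader will see the requirement first.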
@@ -15,28 +15,14 @@ author: eross-msft
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
-- System Center Configuration Manager (version 1511 or later)
+- System Center Configuration Manager (version 1605 Tech Preview or later)
[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
+System Center Configuration Manager (version 1605 Tech Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection mode, and how to find enterprise data on the network.
-## In this topic:
-- [Add an EDP policy](#add-an-edp-policy)
-
-- [Choose which apps can access your enterprise data](#choose-which-apps-can-access-your-enterprise-data)
-
-- [Manage the EDP protection level for your enterprise data](#manage-the-edp-protection-level-for-your-enterprise-data)
-
-- [Define your enterprise-managed identity domains](#define-your-enterprise-managed-identity-domains)
-
-- [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data)
-
-- [Choose your optional EDP-related settings](#choose-your-optional-EDP-related-settings)
-
-- [Review your configuration choices in the Summary screen](#review-your-configuration-choices-in-the-summary-screen)
-
-- [Deploy the EDP policy](#deploy-the-edp-policy)
+>**Important**
+If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between EDP policies across these versions.
## Add an EDP policy
After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy.
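Review bot: removing the "In this topic" list drops anchors such as `#choose-which-apps-can-access-your-enterprise-data` and `#manage-the-edp-protection-level-for-your-enterprise-data` at the same time the next hunk renames the corresponding heading to "### Add app rules to your policy", so any inbound links to those anchors break; search the doc set for references or keep the old heading text. The new Important note says there is no migration path from 1511 or 1602 policies but does not say whether the old configuration item must be retired before the recreated one is deployed; given the warning later in this file that revocation can cause data loss for EDP-unaware apps, that ordering is the step an admin most needs.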
@@ -66,60 +52,124 @@ The **Create Configuration Item Wizard** starts.

-6. On the **Device Settings** screen, click **Enterprise Data Protection**, and then click **Next**.
+6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**.

-The **Configure Enterprise Data Protection settings** page appears, where you'll configure your policy for your organization.
+The **Configure enterprise data protection settings** page appears, where you'll configure your policy for your organization.
-## Choose which apps can access your enterprise data
-During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps or unprotected network locations.
+### Add app rules to your policy
+During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
-The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Classic Windows application.
+The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
-**Important**
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data leaks during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
+>**Important**
+EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
-**To add a UWP app**
+#### Add a store app rule to your policy
+For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
-1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
+**To add a store app**
-2. Click **Universal App**, type the **Publisher Name** and the **Product Name** into the associated boxes, and then click **OK**. If you don't have the publisher or product name, you can find them by following these steps.
+1. From the **App rules** area, click **Add**.
+
+ The **Add app rule** box appears.
- **To find the Publisher and Product name values for Microsoft Store apps without installing them**
+ 
- 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
- 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
+3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
- 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value.
+ Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
- The API runs and opens a text editor with the app details.
+4. Pick **Store App** from the **Rule template** drop-down list.
- ``` json
+ The box changes to show the store app rule options.
+
+5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
+
+If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
+
+**To find the Publisher and Product Name values for Store apps without installing them**
+
+1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
+
+ >**Note**
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
+
+2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
+
+3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
+
+ The API runs and opens a text editor with the app details.
+
+ ``` json
{
- "packageIdentityName": "Microsoft.Office.OneNote",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+ "packageIdentityName": "Microsoft.Office.OneNote",
+ "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+ }
+ ```
+
+4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
+ ```json
+ {
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
- 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of the **Add app** box, and then click **OK**.
-
**Important**
If you don’t see the **Product Name** box, it could mean that your tenant is not on the latest build and that you need to wait until it's upgraded. Same applies if you see the **AppId** box. The **AppId** box has been removed in the latest build and should disappear (along with any entries) when your tenant is upgraded.
-
**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
+**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
+1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
- ```
+ >**Note**
+ Your PC and phone must be on the same wireless network.
+
+2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
+
+3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
+
+4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
+
+5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
+
+6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
+
+7. Start the app for which you're looking for the publisher and product name values.
+
+8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
+ ```json
{
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
- 
+#### Add a desktop app rule to your policy
+For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
-**To add a Classic Windows application**
+**To add a desktop app to your policy**
+1. From the **App rules** area, click **Add**.
+
+ The **Add app rule** box appears.
-1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
-
A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
+ 
-2. Click **Desktop App**, pick the options you want (see table), and then click **OK**.
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
+
+3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
+
+ Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
+
+4. Pick **Desktop App** from the **Rule template** drop-down list.
+
+ The box changes to show the desktop app rule options.
+
+5. Pick the options you want to include for the app rule (see table), and then click **OK**.
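Review bot: The two steps that end with "into the **Product Name** box of Intune" (step 4 after the JSON sample, and step 8 of the Windows 10 Mobile procedure) name the wrong product for this topic, which walks through System Center Configuration Manager; the line being replaced read "into the **Product Name** box of the **Add app** box, and then click **OK**", so suggest restoring that wording. In the same step, "paste them into the **Publisher Name** box" should be "paste it into", since a single value is copied. The two "[Exempt apps from EDP restrictions](#exempt-apps-from-edp)" links in this hunk point at a fragment that does not match the heading "#### Exempt apps from EDP restrictions" added later in this change; the expected generated anchor is `#exempt-apps-from-edp-restrictions`, so update the link targets. Finally, the Important note beginning "The JSON file might also return a `windowsPhoneLegacyId` value" now appears word for word under both the Store for Business procedure and the Device Portal procedure, but the Device Portal steps never produce a JSON file; reword or drop the second copy so it describes what the portal's **Apps** tab actually shows.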
@@ -139,21 +189,21 @@ The steps to add your apps are based on the type of app it is; either a Universa
All files for the specified product, signed by the named publisher. |
- Publisher, Product Name, and File Name selected |
+ Publisher, Product Name, and Binary name selected |
Any version of the named file or package for the specified product, signed by the named publisher. |
- Publisher, Product Name, File Name, and File Version, Exactly, selected |
- Specified version of the named file or package for the specified product, signed by the named publisher. |
-
-
- Publisher, Product Name, File Name, and File Version, And above selected |
+ Publisher, Product Name, Binary name, and File Version, and above, selected |
Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened. |
- Publisher, Product Name, File Name, and File Version, And below selected |
+ Publisher, Product Name, Binary name, and File Version, And below selected |
Specified version or older releases of the named file or package for the specified product, signed by the named publisher. |
+
+ Publisher, Product Name, Binary name, and File Version, Exactly selected |
+ Specified version of the named file or package for the specified product, signed by the named publisher. |
+
If you’re unsure about what to include for the publisher, you can run this PowerShell command:
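Review bot: The three File Version rows in this table are inconsistent in casing and punctuation: "File Version, and above, selected", "File Version, And below selected" and "File Version, Exactly selected". Suggest one pattern for all three, for example "File Version, And above selected", "File Version, And below selected" and "File Version, Exactly selected", with no trailing comma before "selected", matching the other rows. "Binary name" is also capitalized differently from "Publisher", "Product Name" and "File Version" in the same cells; consider "Binary Name" for consistency with the neighbouring option labels.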
@@ -172,43 +222,166 @@ Path Publisher
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
-
+#### Add an AppLocker policy file
+For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content.
-## Manage the EDP-protection level for your enterprise data
-After you've added the apps you want to protect with EDP, you'll need to apply an app management mode.
+**To create an app rule and xml file using the AppLocker tool**
+1. Open the Local Security Policy snap-in (SecPol.msc).
+
+2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
-We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
+ 
+
+3. Right-click in the right-hand pane, and then click **Create New Rule**.
+
+ The **Create Packaged app Rules** wizard appears.
+
+4. On the **Before You Begin** page, click **Next**.
+
+ 
+
+5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
+
+ 
+
+6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
+
+ 
+
+7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos.
+
+ 
+
+8. On the updated **Publisher** page, click **Create**.
+
+ 
+
+9. Review the Local Security Policy snap-in to make sure your rule is correct.
+
+ 
+
+10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
+
+ The **Export policy** box opens, letting you export and save your new policy as XML.
+
+ 
+
+11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
+
+ The policy is saved and you’ll see a message that says 1 rule was exported from the policy.
+
+ **Example XML file**
+ This is the XML file that AppLocker creates for Microsoft Photos.
+
+ ```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ```
+12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager.
+
+**To import your Applocker policy file app rule using 1System Center Configuration Manager**
+1. From the **App rules** area, click **Add**.
+
+ The **Add app rule** box appears.
+
+ 
+
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*.
+
+3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
+
+ Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
+
+4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
+
+ The box changes to let you import your AppLocker XML policy file.
+
+5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box.
+
+ The file is imported and the apps are added to your **App Rules** list.
+
+#### Exempt apps from EDP restrictions
+If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
+
+**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
+
+1. From the **App rules** area, click **Add**.
+
+ The **Add app rule** box appears.
+
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*.
+
+3. Click **Exempt** from the **Enterprise data protection mode** drop-down list.
+
+ Be aware that when you exempt apps, they’re allowed to bypass the EDP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
+
+4. Fill out the rest of the app rule info, based on the type of rule you’re adding:
+
+ - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
+
+ - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic.
+
+ - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps.
+
+5. Click **OK**.
+
+### Manage the EDP-protection level for your enterprise data
+After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode.
+
+We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
|Mode |Description |
|-----|------------|
-|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. |
+|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
-|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything. |
-|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.
-After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
+|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
+|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.
After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.|

-## Define your enterprise-managed identity domains
-Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
+### Define your enterprise-managed identity domains
+Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies.
-You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com.
+You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
-This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed.
+**To add your corporate identity**
-
+- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-**To add your primary domain**
+ 
-- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.
-If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
+### Choose where apps can access enterprise data
+After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-## Choose where apps can access enterprise data
-After you've added a management level to your protected apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
+There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-**To specify where your protected apps can find and send enterprise data on the network**
+>**Important**
+- Every EDP policy should include policy that defines your enterprise network locations.
+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations.
+
+**To define where your protected apps can find and send enterprise data on you network**
+
+1. Add additional network locations your apps can access by clicking **Add**.
+
+ The **Add or edit corporate network definition** box appears.
+
+2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
+
+ 
-1. Add additional network locations your apps can access by clicking **Add**, and then choosing your location type, including:
Network location type |
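Review bot: The procedure heading "**To import your Applocker policy file app rule using 1System Center Configuration Manager**" has a stray "1" before the product name and spells the feature "Applocker" where the rest of the hunk uses "AppLocker". Two more wording problems in this hunk: "on you network" in "**To define where your protected apps can find and send enterprise data on you network**" should be "on your network", and "There are no default locations included with EDP, you must add each of your network locations" is a comma splice (use a period or semicolon). The "**Example XML file**" fence under step 11 of the AppLocker procedure is empty in this hunk; check that the exported Microsoft Photos policy XML actually made it into the change. The link in step 3 of the import procedure, "[Exempt apps from EDP restrictions](#exempt-apps-from-edp)", does not match the heading "#### Exempt apps from EDP restrictions" introduced in this same hunk (expected `#exempt-apps-from-edp-restrictions`). Also, "It also means that your exempted apps might leak." is left hanging; state what may leak (enterprise data) so the risk of choosing **Exempt** is clear to the reader.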
@@ -216,65 +389,145 @@ After you've added a management level to your protected apps, you'll need to dec
Description |
- Enterprise Cloud Domain |
- contoso.sharepoint.com,proxy1.contoso.com| office.com|proxy2.contoso.com |
- Specify the cloud resources traffic to restrict to your protected apps. For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the | delimiter. Include the "|" delimiter just before the "|" if you don’t use proxies. For example: [URL,Proxy]|[URL,Proxy]. |
+ Enterprise Cloud Resources |
+ **With proxy:** contoso.sharepoint.com,proxy.contoso.com| contoso.visualstudio.com,proxy.contoso.com**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com |
+ Specify the cloud resources to be treated as corporate and protected by EDP. For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` |
- Enterprise Network Domain |
- domain1.contoso.com,domain2.contoso.com |
- Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the "," delimiter. This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks. |
+ Enterprise Network Domain Names (Required) |
+ corp.contoso.com,region.contoso.com |
+ Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. |
- Enterprise Proxy Server |
- domain1.contoso.com:80;domain2.contoso.com:137 |
- Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the ";" delimiter. This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants. |
+ Enterprise Proxy Servers |
+ proxy.contoso.com:80;proxy2.contoso.com:137 |
+ Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. |
- Enterprise Internal Proxy Server |
- proxy1.contoso.com;proxy2.contoso.com |
- Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the ";" delimiter. |
+ Enterprise Internal Proxy Servers |
+ contoso.internalproxy1.com;contoso.internalproxy2.com |
+ Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
- Enterprise IPv4 Range |
- **Starting IPv4 Address:** 3.4.0.1 **Ending IPv4 Address:** 3.4.255.254 **Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254 |
- Specify the addresses for a valid IPv4 value range within your intranet. If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges. |
+ Enterprise IPv4 Range (Required) |
+ **Starting IPv4 Address:** 3.4.0.1 **Ending IPv4 Address:** 3.4.255.254 **Custom URI:** 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254 |
+ Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
Enterprise IPv6 Range |
- **Starting IPv6 Address:** 2a01:110:: **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff **Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
- Specify the addresses for a valid IPv6 value range within your intranet. If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges. |
-
+ **Starting IPv6 Address:** 2a01:110:: **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
+ Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
+
+
+ Neutral Resources |
+ sts.contoso.com,sts.contoso2.com |
+ Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. |
+
- 
+3. Add as many locations as you need, and then click **OK**.
-2. Add as many locations as you need, and then click **OK**.
-The **Add or Edit Enterprise Network Locations box** closes.
+ The **Add or edit corporate network definition** box closes.
-3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.
-Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the[Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
+4. Decide if you want to Windows to look for additional network settings.
-## Choose your optional EDP-related settings
+ 
+
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+
+ - **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+
+5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+
+ After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
+
+ For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
+
+ 
+
+#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP
+If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
+
+>**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy.
+
+**To manually create an EFS DRA certificate**
+1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
+2. Run this command:
+
+ `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create.
+
+3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
+
+ The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
+
+ **Important**
Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location.
+
+4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic.
+
+**To verify your data recovery certificate is correctly set up on an EDP client computer**
+1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP.
+
+2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
+
+ `cipher /c `
Where `` is the name of the file you created in Step 1.
+
+3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
+
+**To recover your data using the EFS DRA certificate in a test environment**
+1. Copy your EDP-encrypted file to a location where you have admin access.
+
+2. Install the EFSDRA.pfx file, using your password.
+
+3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
+
+ `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx.
+
+### Choose your optional EDP-related settings
After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings.
-**To add your optional settings**
-- Choose to set any or all of the optional EDP-related settings:
+
- - **Block the user from decrypting data that was created or edited by the apps configured above.** Clicking **No**, or leaving the setting blank, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **Yes** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted.
+**To set your optional settings**
+1. Choose to set any or all of the optional settings:
- - **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone.
+ - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
+
+ - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
+
+ - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
- 
+ - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are:
+
+ - **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked.
+
+ - **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked.
-## Review your configuration choices in the Summary screen
+ - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
+
+ - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
+
+ - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
+
+ - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from enterprise data protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+
+ - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
+
+ - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
+
+2. After you pick all of the settings you want to include, click **Summary**.
+
+### Review your configuration choices in the Summary screen
After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
**To view the Summary screen**
-- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
-A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
+- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
+
+ 
+
+ A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
- 
## Deploy the EDP policy
After you’ve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
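Review bot: the placeholder names in the three `cipher` commands have been lost, so the procedures are not followable as written: step 2 of "To manually create an EFS DRA certificate" shows `cipher /r:` followed by "Where `` is the name of the .cer and .pfx files", and the verify and recover steps show `cipher /c ` and `cipher /d ` with the same empty backticks. The angle-bracket placeholder (for example `<EFSDRA>` and `<filename>`) is almost certainly being swallowed as an HTML tag when the page renders; escape it (`cipher /r:\<EFSDRA\>`) or drop the brackets (`cipher /r:EFSDRA`, which matches the EFSDRA.cer and EFSDRA.pfx names used in step 3). Three smaller points in the same hunk: the Important note after step 3 says to store the files "as a public key (PKI) on a smart card", but the .cer holds only the public key and it is the private key inside the .pfx that must be protected (and PKI is the infrastructure, not a key), so say "private key"; "unerollment" in the revoke-keys setting should be "unenrollment"; and the added lines containing only whitespace after step 5 and after the Summary bullet look like image references whose markdown was dropped, so check that the screenshots are still linked.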
@@ -283,15 +536,6 @@ After you’ve created your EDP policy, you'll need to deploy it to your organiz
- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226)
## Related topics
-- [System Center Configuration Manager and Endpoint Protection (Version 1511)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
+- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623)
-- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
-
-
-
-
-
-
-
-
-
+- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
\ No newline at end of file
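Review bot: the first Related topics entry changes its link text from "Version 1511" to "Version 1606" but keeps the same fwlink target (LinkId=717372); confirm that the redirect now resolves to the 1606 documentation, otherwise the text and the destination disagree. The hunk also strips the trailing blank lines but leaves the file without a final newline (note the `\ No newline at end of file` marker), which most markdown linters flag; end the last line with a newline.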
diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md
index f98d7216ea..90d7c6aa3a 100644
--- a/windows/keep-secure/device-guard-deployment-guide.md
+++ b/windows/keep-secure/device-guard-deployment-guide.md
@@ -57,7 +57,7 @@ AppLocker and Device Guard should run side-by-side in your organization, which o
**Device Guard with Credential Guard**
-Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable-cg) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Microsoft will be releasing details about these additional mitigations in the future.
+Although Credential Guard is not a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against credential theft. Similar to virtualization-based protection of kernel mode code integrity, Credential Guard leverages hypervisor technology to protect domain credentials. This mitigation is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Credential Guard, organizations can gain additional protection against such threats. For information about how to deploy Credential Guard to your Windows 10 Enterprise clients, see the [Enable Credential Guard](#enable-cg) section. In addition to the client-side enablement of Credential Guard, organizations can deploy mitigations at both the CA and domain controller level to help prevent credential theft. Refer to the [Credential Guard](credential-guard.md) documentation for guidance on these additional mitigations.
**Unified manageability**
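Review bot: the replaced closing sentence now tells the reader that credential-guard.md covers the CA and domain controller mitigations, while the sentence it replaces said those details were still to be published; make sure that topic actually documents them before merging, otherwise the link leads to a page with nothing on the subject. The rest of the paragraph is unchanged, so the `#enable-cg` anchor is still expected to exist in this file.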
@@ -752,7 +752,7 @@ To modify the policy rule options of an existing code integrity policy, use the
You can set several rule options within a code integrity policy. Table 2 lists each rule and its high-level meaning.
-Table 2. Code integrity policy - policy rule options
+#### Table 2. Code integrity policy - policy rule options
| Rule option | Description |
|------------ | ----------- |
@@ -769,15 +769,15 @@ Table 2. Code integrity policy - policy rule options
| **10 Enabled:Boot Audit on Failure** | Used when the code integrity policy is in enforcement mode. When a driver fails during startup, the code integrity policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as low as the hash of each binary and as high as a PCA certificate. File rule levels are specified both when you create a new code integrity policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, code integrity policies combine their file rules. Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Device Guard deployment scenario.
-Table 3. Code integrity policy - file rule levels
+#### Table 3. Code integrity policy - file rule levels
| Rule level | Description |
|----------- | ----------- |
| **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. |
-| **SignedVersion** | This combines the publisher rule with a file version number. This option allows anything from the specified publisher, with a file version at or above the specified version number, to run. |
+| **SignedVersion** | This combines the publisher rule with a version number. This option allows anything from the specified publisher, with a version at or above the specified version number, to run. |
| **Publisher** | This is a combination of the PCA certificate and the common name (CN) on the leaf certificate. In the scenario that a PCA certificate is used to sign multiple companies’ applications (such as VeriSign), this rule level allows organizations to trust the PCA certificate but only for the company whose name is on the leaf certificate (for example, Intel for device drivers). This level trusts a certificate with a long validity period but only when combined with a trusted leaf certificate. |
-| **FilePublisher** | This is a combination of the publisher file rule level and the SignedVersion rule level. Any signed file from the trusted publisher that is the specified version or newer is trusted. |
+| **FilePublisher** | This is a combination of “FileName” plus “Publisher” (PCA certificate with CN of leaf) plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than PCA certificates, so additional administrative overhead is associated with updating the code integrity policy when these certificates expire. |
| **PcaCertificate** | Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, because the scan does not validate anything above the presented signature by going online or checking local root stores. |
| **RootCertificate** | Currently unsupported. |
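Review bot: in the SignedVersion row, dropping "file" from "file version number" makes the description less precise rather than more: the value the policy compares is the binary's file version (the policy XML expresses it as MinimumFileVersion), and "version" alone can be read as product version, so keep "file version". The rewritten FilePublisher row is a real correction (it now states FileName plus Publisher plus a minimum version, where the old text described it as Publisher plus SignedVersion), but for consistency with the Publisher row it should spell "CN of leaf" out as "common name (CN) on the leaf certificate".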
diff --git a/windows/keep-secure/dynamic-access-control.md b/windows/keep-secure/dynamic-access-control.md
new file mode 100644
index 0000000000..643a78aa1c
--- /dev/null
+++ b/windows/keep-secure/dynamic-access-control.md
@@ -0,0 +1,139 @@
+---
+title: Dynamic Access Control Overview (Windows 10)
+description: Dynamic Access Control Overview
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Dynamic Access Control Overview
+
+**Applies to**
+- Windows Server 2016
+
+This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
+
+Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.
+
+For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS).
+
+Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.
+
+Features and concepts associated with Dynamic Access Control include:
+
+- [Central access rules](#bkmk-rules)
+
+- [Central access policies](#bkmk-policies)
+
+- [Claims](#bkmk-claims)
+
+- [Expressions](#bkmk-expressions2)
+
+- [Proposed permissions](#bkmk-permissions2)
+
+### Central access rules
+
+A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy.
+
+If one or more central access rules have been defined for a domain, file share administrators can match specific rules to specific resources and business requirements.
+
+### Central access policies
+
+Central access policies are authorization policies that include conditional expressions. For example, let’s say an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department who are allowed to view PII information. This represents an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to:
+
+- Identify and mark the files that contain the PII.
+
+- Identify the group of HR members who are allowed to view the PII information.
+
+- Add the central access policy to a central access rule, and apply the central access rule to all files that contain the PII, wherever they are located amongst the file servers across the organization.
+
+Central access policies act as security umbrellas that an organization applies across its servers. These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders.
+
+### Claims
+
+A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:
+
+- **User claims** Active Directory attributes that are associated with a specific user.
+
+- **Device claims** Active Directory attributes that are associated with a specific computer object.
+
+- **Resource attributes** Global resource properties that are marked for use in authorization decisions and published in Active Directory.
+
+Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.
+
+### Expressions
+
+Conditional expressions are an enhancement to access control management that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or the Central Access Rule Editor in the Active Directory Administrative Center (ADAC).
+
+Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments.
+
+### Proposed permissions
+
+Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.
+
+Predicting the effective access to a resource helps you plan and configure permissions for those resources before implementing those changes.
+
+## Additional changes
+
+
+Additional enhancements in the supported versions of Windows that support Dynamic Access Control include:
+
+### Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device groups.
+
+By default, devices running any of the supported versions of Windows are able to process Dynamic Access Control-related Kerberos tickets, which include data needed for compound authentication. Domain controllers are able to issue and respond to Kerberos tickets with compound authentication-related information. When a domain is configured to recognize Dynamic Access Control, devices receive claims from domain controllers during initial authentication, and they receive compound authentication tickets when submitting service ticket requests. Compound authentication results in an access token that includes the identity of the user and the device on the resources that recognize Dynamic Access Control.
+
+### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain.
+
+Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**.
+
+### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain.
+
+Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**.
+
+### Support in Active Directory to store user and device claims, resource properties, and central access policy objects.
+
+### Support for using Group Policy to deploy central access policy objects.
+
+The following Group Policy setting enables you to deploy central access policy objects to file servers in your organization: **Computer Configuration\\Policies\\ Windows Settings\\Security Settings\\File System\\Central Access Policy**.
+
+### Support for claims-based file authorization and auditing for file systems by using Group Policy and Global Object Access Auditing
+
+You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under **Advanced Audit Policy Configuration** in the **Security Settings** of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network.
+
+### Support for transforming or filtering claim policy objects that traverse Active Directory forest trusts
+
+You can filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic scenarios for filtering and transforming claims:
+
+- **Value-based filtering** Filters can be based on the value of a claim. This allows the trusted forest to prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting forests can use value-based filtering to guard against an elevation-of-privilege attack by filtering the incoming claims with specific values from the trusted forest.
+
+- **Claim type-based filtering** Filters are based on the type of claim, rather than the value of the claim. You identify the claim type by the name of the claim. You use claim type-based filtering in the trusted forest, and it prevents Windows from sending claims that disclose information to the trusting forest.
+
+- **Claim type-based transformation** Manipulates a claim before sending it to the intended target. You use claim type-based transformation in the trusted forest to generalize a known claim that contains specific information. You can use transformations to generalize the claim-type, the claim value, or both.
+
+## Software requirements
+
+
+Because claims and compound authentication for Dynamic Access Control require Kerberos authentication extensions, any domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows to support authentication from Dynamic Access Control-aware Kerberos clients. By default, devices must use domain controllers in other sites. If no such domain controllers are available, authentication will fail. Therefore, you must support one of the following conditions:
+
+- Every domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows Server to support authentication from all devices running the supported versions of Windows or Windows Server.
+
+- Devices running the supported versions of Windows or that do not protect resources by using claims or compound identity, should disable Kerberos protocol support for Dynamic Access Control.
+
+For domains that support user claims, every domain controller running the supported versions of Windows server must be configured with the appropriate setting to support claims and compound authentication, and to provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows:
+
+- **Always provide claims** Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher.
+
+- **Supported** When you use this setting, monitor domain controllers to ensure that the number of domain controllers running the supported versions of Windows Server is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control.
+
+If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest root must be set at the Windows Server 2012 or higher functional level.
+
+If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two forests.
+
+If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 or higher functional level.
+
+A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
+
+## See also
+
+- [Access control overview](access-control.md)
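Review bot: the "Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain" heading and its paragraph appear twice in a row under Additional changes; delete the second copy. Other problems in this new file: the third bullet of the Central access policies example says "Add the central access policy to a central access rule", which inverts the relationship stated earlier in the file (rules are combined into a policy), so it should read "Add the central access rule to a central access policy"; the Applies to list names only Windows Server 2016 while the title says "(Windows 10)" and the body says the feature exists since Windows Server 2012 and Windows 8, so either add Windows 10 to the list or fix the title; "Dyamic" in the file-server paragraph under Software requirements should be "Dynamic"; and the second bullet under Software requirements ("Devices running the supported versions of Windows or that do not protect resources by using claims or compound identity, should disable...") is missing words and should be reworded so it is clear which devices should turn the Kerberos support off.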
diff --git a/windows/keep-secure/event-1102.md b/windows/keep-secure/event-1102.md
index ed03fdf472..388c844391 100644
--- a/windows/keep-secure/event-1102.md
+++ b/windows/keep-secure/event-1102.md
@@ -70,7 +70,7 @@ This event generates every time Windows Security audit log was cleared.
- **Security ID** \[Type = SID\]**:** SID of account that cleared the system security audit log. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that cleared the system security audit log.
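Review bot: the change itself is fine (the external MSDN link is replaced by the in-repo security-identifiers.md topic and the link text now matches that topic's sentence-case title), but this SID note is copied verbatim into every event-*.md page and the same edit is repeated in event-4611, event-4616, event-4624 and the rest of the series; consider moving the note into a shared include so the link target lives in one place. Also confirm that windows/keep-secure/security-identifiers.md exists in the repo at this commit, since a relative link to a missing topic will break silently.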
diff --git a/windows/keep-secure/event-4611.md b/windows/keep-secure/event-4611.md
index 4cd9e414e5..a60837e067 100644
--- a/windows/keep-secure/event-4611.md
+++ b/windows/keep-secure/event-4611.md
@@ -75,7 +75,7 @@ You typically see these events during operating system startup or user logon and
- **Security ID** \[Type = SID\]**:** SID of account that registered the trusted logon process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that registered the trusted logon process.
diff --git a/windows/keep-secure/event-4616.md b/windows/keep-secure/event-4616.md
index 3be067d588..c1a78f4055 100644
--- a/windows/keep-secure/event-4616.md
+++ b/windows/keep-secure/event-4616.md
@@ -82,7 +82,7 @@ You will typically see these events with “**Subject\\Security ID**” = “**L
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation.
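Review bot: the new relative target `security-identifiers.md` is not added or shown anywhere in this diff, so the link resolves only if that file already exists next to `event-4616.md` in `windows/keep-secure/`. The absolute MSDN URL being removed could not silently break; a mistyped relative path will render fine and 404 in the published docs, so run the repo link checker over the touched pages before merging.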
diff --git a/windows/keep-secure/event-4624.md b/windows/keep-secure/event-4624.md
index 3cb4f0c190..69598d3991 100644
--- a/windows/keep-secure/event-4624.md
+++ b/windows/keep-secure/event-4624.md
@@ -115,7 +115,7 @@ This event generates when a logon session is created (on destination machine). I
- **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon.
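Review bot: this Note blockquote is byte-for-byte identical across every event page in the patch and appears twice in this file alone (here and again in the `@@ -175` hunk below), with only the trailing link changing. Consider moving the SID definition into a shared include so the next wording or link fix is one edit instead of a mechanical replace that has to catch every copy.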
@@ -175,7 +175,7 @@ This event generates when a logon session is created (on destination machine). I
- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
diff --git a/windows/keep-secure/event-4625.md b/windows/keep-secure/event-4625.md
index 9a040ff053..a615f8b796 100644
--- a/windows/keep-secure/event-4625.md
+++ b/windows/keep-secure/event-4625.md
@@ -89,7 +89,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
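Review bot: the link text changes case from "Security Identifiers" to "Security identifiers" alongside the URL swap. That is fine if it matches the H1 of the target article; confirm it does, since the same sentence-case form is applied in every hunk of this patch and a mismatch would now be repeated across all event pages.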
@@ -125,7 +125,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
diff --git a/windows/keep-secure/event-4626.md b/windows/keep-secure/event-4626.md
index 83fa8fe837..68599c7060 100644
--- a/windows/keep-secure/event-4626.md
+++ b/windows/keep-secure/event-4626.md
@@ -85,7 +85,7 @@ This event generates on the computer to which the logon was performed (target co
- **Security ID** \[Type = SID\]**:** SID of account that reported information about claims. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about claims.
@@ -121,7 +121,7 @@ This event generates on the computer to which the logon was performed (target co
- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
diff --git a/windows/keep-secure/event-4627.md b/windows/keep-secure/event-4627.md
index 811fd6f830..88500872dc 100644
--- a/windows/keep-secure/event-4627.md
+++ b/windows/keep-secure/event-4627.md
@@ -80,7 +80,7 @@ Multiple events are generated if the group membership information cannot fit in
- **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon or invokes it.
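Review bot: out of scope for a link-only commit, but the unchanged context line "SID of account that reported information about successful logon or invokes it" (also mirrored in the **Account Name** line below it) reads awkwardly; the same phrasing appears in the `event-4624.md` hunk. Worth a follow-up wording pass while these pages are being touched.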
@@ -116,7 +116,7 @@ Multiple events are generated if the group membership information cannot fit in
- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
diff --git a/windows/keep-secure/event-4634.md b/windows/keep-secure/event-4634.md
index 10b678d329..d84431bf79 100644
--- a/windows/keep-secure/event-4634.md
+++ b/windows/keep-secure/event-4634.md
@@ -75,7 +75,7 @@ It may be positively correlated with a “[4624](event-4624.md): An account was
- **Security ID** \[Type = SID\]**:** SID of account that was logged off. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was logged off.
diff --git a/windows/keep-secure/event-4647.md b/windows/keep-secure/event-4647.md
index 16537024f3..21155852f6 100644
--- a/windows/keep-secure/event-4647.md
+++ b/windows/keep-secure/event-4647.md
@@ -74,7 +74,7 @@ It may be positively correlated with a “[4624](event-4624.md): An account was
- **Security ID** \[Type = SID\]**:** SID of account that requested the “logoff” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “logoff” operation.
diff --git a/windows/keep-secure/event-4648.md b/windows/keep-secure/event-4648.md
index 0f371abb75..48250044e9 100644
--- a/windows/keep-secure/event-4648.md
+++ b/windows/keep-secure/event-4648.md
@@ -82,7 +82,7 @@ It is also a routine event which periodically occurs during normal operating sys
- **Security ID** \[Type = SID\]**:** SID of account that requested the new logon session with explicit credentials. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the new logon session with explicit credentials.
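Review bot: the versioned MSDN reference (`aa379571(v=vs.85)`) is being replaced rather than supplemented. Before merging, check that the local `security-identifiers.md` covers what readers followed the MSDN link for (SID structure and well-known SIDs); if it does not, keep the external reference as a second link instead of dropping it.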
diff --git a/windows/keep-secure/event-4656.md b/windows/keep-secure/event-4656.md
index b7e3893812..7c7116e953 100644
--- a/windows/keep-secure/event-4656.md
+++ b/windows/keep-secure/event-4656.md
@@ -93,7 +93,7 @@ This event shows that access was requested, and the results of the request, but
- **Security ID** \[Type = SID\]**:** SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested a handle to an object.
diff --git a/windows/keep-secure/event-4657.md b/windows/keep-secure/event-4657.md
index 5b669ccb0d..31aa191a81 100644
--- a/windows/keep-secure/event-4657.md
+++ b/windows/keep-secure/event-4657.md
@@ -80,7 +80,7 @@ This event generates only if “Set Value" auditing is set in registry key’s [
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify registry value” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify registry value” operation.
diff --git a/windows/keep-secure/event-4658.md b/windows/keep-secure/event-4658.md
index 3de6b3da02..9dd8b57d2e 100644
--- a/windows/keep-secure/event-4658.md
+++ b/windows/keep-secure/event-4658.md
@@ -76,7 +76,7 @@ Typically this event is needed if you need to know how long the handle to the ob
- **Security ID** \[Type = SID\]**:** SID of account that requested the “close object’s handle” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “close object’s handle” operation.
diff --git a/windows/keep-secure/event-4660.md b/windows/keep-secure/event-4660.md
index 901bc15ae8..3b0fccc294 100644
--- a/windows/keep-secure/event-4660.md
+++ b/windows/keep-secure/event-4660.md
@@ -79,7 +79,7 @@ The advantage of this event is that it’s generated only during real delete ope
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation.
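Review bot: the new target `security-identifiers.md` is a relative link, so it only resolves if that topic lives in `windows/keep-secure/` next to `event-4660.md`; this change neither adds nor shows that file, so confirm it exists (or is added in the same commit) before merging, otherwise every rewritten note in this patch points at a broken link. Also verify that the new topic actually covers what the old MSDN authorization page did (SID structure, issuing authority, well-known SIDs), since the note promises "more information about SIDs" and the reader loses the SDK reference. The link-text change from "Security Identifiers" to "Security identifiers" is fine as long as it matches the target page's title.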
diff --git a/windows/keep-secure/event-4661.md b/windows/keep-secure/event-4661.md
index 278c77f651..6485f5b65a 100644
--- a/windows/keep-secure/event-4661.md
+++ b/windows/keep-secure/event-4661.md
@@ -84,7 +84,7 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
- **Security ID** \[Type = SID\]**:** SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested a handle to an object.
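Review bot: the same five-sentence SID note is pasted verbatim into every `event-NNNN.md` touched here, which is exactly why a one-link fix turns into a change across dozens of files. Consider moving the note into a shared include (or a single reusable snippet, whatever the docs build supports) so the definition and its link are maintained in one place; the event pages would then only carry the per-event "Security ID" line above it.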
diff --git a/windows/keep-secure/event-4662.md b/windows/keep-secure/event-4662.md
index 83640072e0..3dd3acf69f 100644
--- a/windows/keep-secure/event-4662.md
+++ b/windows/keep-secure/event-4662.md
@@ -84,7 +84,7 @@ You will get one 4662 for each operation type which was performed.
- **Security ID** \[Type = SID\]**:** SID of account that requested the operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the operation.
diff --git a/windows/keep-secure/event-4663.md b/windows/keep-secure/event-4663.md
index 46cdac8cb0..0ba031b8a9 100644
--- a/windows/keep-secure/event-4663.md
+++ b/windows/keep-secure/event-4663.md
@@ -87,7 +87,7 @@ The main difference with “[4656](event-4656.md): A handle to an object was req
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to access an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to access an object.
diff --git a/windows/keep-secure/event-4664.md b/windows/keep-secure/event-4664.md
index a62808d16d..f25e16f565 100644
--- a/windows/keep-secure/event-4664.md
+++ b/windows/keep-secure/event-4664.md
@@ -71,7 +71,7 @@ This event generates when an NTFS hard link was successfully created.
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to create the hard link. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to create the hard link.
diff --git a/windows/keep-secure/event-4670.md b/windows/keep-secure/event-4670.md
index a7de5be046..61af502eb4 100644
--- a/windows/keep-secure/event-4670.md
+++ b/windows/keep-secure/event-4670.md
@@ -80,7 +80,7 @@ Before this event can generate, certain ACEs might need to be set in the object
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change object’s permissions” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change object’s permissions” operation.
diff --git a/windows/keep-secure/event-4672.md b/windows/keep-secure/event-4672.md
index bf0fff94de..fba1851afe 100644
--- a/windows/keep-secure/event-4672.md
+++ b/windows/keep-secure/event-4672.md
@@ -97,7 +97,7 @@ You typically will see many of these events in the event log, because every logo
- **Security ID** \[Type = SID\]**:** SID of account to which special privileges were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account to which special privileges were assigned.
diff --git a/windows/keep-secure/event-4673.md b/windows/keep-secure/event-4673.md
index 5282a6658e..6ef7b29b77 100644
--- a/windows/keep-secure/event-4673.md
+++ b/windows/keep-secure/event-4673.md
@@ -77,7 +77,7 @@ Failure event generates when service call attempt fails.
- **Security ID** \[Type = SID\]**:** SID of account that requested privileged operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested privileged operation.
diff --git a/windows/keep-secure/event-4674.md b/windows/keep-secure/event-4674.md
index 41518d4e2b..d4a8792d03 100644
--- a/windows/keep-secure/event-4674.md
+++ b/windows/keep-secure/event-4674.md
@@ -80,7 +80,7 @@ Failure event generates when operation attempt fails.
- **Security ID** \[Type = SID\]**:** SID of account that requested privileged operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested privileged operation.
diff --git a/windows/keep-secure/event-4675.md b/windows/keep-secure/event-4675.md
index dc8a19e120..ef1b726917 100644
--- a/windows/keep-secure/event-4675.md
+++ b/windows/keep-secure/event-4675.md
@@ -19,7 +19,7 @@ This event generates when SIDs were filtered for specific Active Directory trust
See more information about SID filtering here: .
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
There is no example of this event in this document.
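Review bot: the unchanged context line `See more information about SID filtering here: .` has an empty link target (the sentence ends at the colon with nothing after it). Since this hunk already edits the SID reference in `event-4675.md`, fix that dangling pointer in the same change rather than leaving the reader with no reference for SID filtering, which is the whole subject of event 4675; either restore the intended link or drop the sentence.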
diff --git a/windows/keep-secure/event-4688.md b/windows/keep-secure/event-4688.md
index b152e305fb..d7d29f4334 100644
--- a/windows/keep-secure/event-4688.md
+++ b/windows/keep-secure/event-4688.md
@@ -95,7 +95,7 @@ This event generates every time a new process starts.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create process” operation.
@@ -119,7 +119,7 @@ This event generates every time a new process starts.
- **Security ID** \[Type = SID\] \[Version 2\]**:** SID of target account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\] \[Version 2\]**:** the name of the target account.
diff --git a/windows/keep-secure/event-4689.md b/windows/keep-secure/event-4689.md
index e5f97fe698..bbfbbe6382 100644
--- a/windows/keep-secure/event-4689.md
+++ b/windows/keep-secure/event-4689.md
@@ -71,7 +71,7 @@ This event generates every time a process has exited.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “terminate process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “terminate process” operation.
diff --git a/windows/keep-secure/event-4690.md b/windows/keep-secure/event-4690.md
index d7ac11d773..3ca6589561 100644
--- a/windows/keep-secure/event-4690.md
+++ b/windows/keep-secure/event-4690.md
@@ -72,7 +72,7 @@ This event generates if an attempt was made to duplicate a handle to an object.
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to duplicate a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to duplicate a handle to an object.
diff --git a/windows/keep-secure/event-4691.md b/windows/keep-secure/event-4691.md
index ba22553755..cd0e7d930c 100644
--- a/windows/keep-secure/event-4691.md
+++ b/windows/keep-secure/event-4691.md
@@ -75,7 +75,7 @@ These events are generated for [ALPC Ports](https://msdn.microsoft.com/en-us/lib
- **Security ID** \[Type = SID\]**:** SID of account that requested an access to the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested an access to the object.
diff --git a/windows/keep-secure/event-4692.md b/windows/keep-secure/event-4692.md
index aba10585e3..4bd3aec488 100644
--- a/windows/keep-secure/event-4692.md
+++ b/windows/keep-secure/event-4692.md
@@ -82,7 +82,7 @@ Failure event generates when a Master Key backup operation fails for some reason
- **Security ID** \[Type = SID\]**:** SID of account that requested backup operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested backup operation.
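Review bot: the replacement link target `security-identifiers.md` is a relative path, so it resolves to `windows/keep-secure/security-identifiers.md`; nothing in this diff adds that file, so confirm it already exists in the tree (and that its page title is "Security identifiers", matching the new link text) before merging, otherwise every rewritten note in this change becomes a broken link. The link text is also being changed from "Security Identifiers" to sentence case in the same `+` line; that is consistent with the new target's name but is a visible text change rather than a pure URL swap, so it is worth stating in the commit message.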
diff --git a/windows/keep-secure/event-4693.md b/windows/keep-secure/event-4693.md
index 3134110a5c..c3563c431a 100644
--- a/windows/keep-secure/event-4693.md
+++ b/windows/keep-secure/event-4693.md
@@ -79,7 +79,7 @@ Failure event generates when a Master Key restore operation fails for some reaso
- **Security ID** \[Type = SID\]**:** SID of account that requested the “recover” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “recover” operation.
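Review bot: this hunk is the third identical rewrite of the same multi-sentence SID note, and the pattern continues in every event-*.md touched by this change; if the docs toolchain supports shared includes, moving the note into one snippet that each event page pulls in would make the next wording or link change a single edit instead of a change across dozens of files, and would remove the risk of the copies drifting apart.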
diff --git a/windows/keep-secure/event-4696.md b/windows/keep-secure/event-4696.md
index e4746f74c9..ced7a1d990 100644
--- a/windows/keep-secure/event-4696.md
+++ b/windows/keep-secure/event-4696.md
@@ -78,7 +78,7 @@ This event generates every time a process runs using the non-current access toke
- **Security ID** \[Type = SID\]**:** SID of account that requested the “assign token to process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “assign token to process” operation.
@@ -120,7 +120,7 @@ This event generates every time a process runs using the non-current access toke
- **Security ID** \[Type = SID\]**:** SID of account through which the security token will be assigned to the new process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account through which the security token will be assigned to the new process.
diff --git a/windows/keep-secure/event-4697.md b/windows/keep-secure/event-4697.md
index 0213aa9f0a..2493207abb 100644
--- a/windows/keep-secure/event-4697.md
+++ b/windows/keep-secure/event-4697.md
@@ -73,7 +73,7 @@ This event generates when new service was installed in the system.
- **Security ID** \[Type = SID\]**:** SID of account that was used to install the service. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was used to install the service.
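Review bot: the hunk header context line "This event generates when new service was installed in the system." mixes tenses and drops the article; since this file is being edited anyway, "This event generates when a new service is installed on the system." reads cleanly and matches the present-tense phrasing used by the neighbouring event pages in this diff (for example "This event generates every time a new scheduled task is created.").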
diff --git a/windows/keep-secure/event-4698.md b/windows/keep-secure/event-4698.md
index 5d522281cb..495d00ad2f 100644
--- a/windows/keep-secure/event-4698.md
+++ b/windows/keep-secure/event-4698.md
@@ -70,7 +70,7 @@ This event generates every time a new scheduled task is created.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create scheduled task” operation.
diff --git a/windows/keep-secure/event-4699.md b/windows/keep-secure/event-4699.md
index a1c58890d6..885f708f76 100644
--- a/windows/keep-secure/event-4699.md
+++ b/windows/keep-secure/event-4699.md
@@ -70,7 +70,7 @@ This event generates every time a scheduled task was deleted.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete scheduled task” operation.
diff --git a/windows/keep-secure/event-4700.md b/windows/keep-secure/event-4700.md
index fa5a54c164..97ec3d2bcf 100644
--- a/windows/keep-secure/event-4700.md
+++ b/windows/keep-secure/event-4700.md
@@ -70,7 +70,7 @@ This event generates every time a scheduled task is enabled.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable scheduled task” operation.
diff --git a/windows/keep-secure/event-4701.md b/windows/keep-secure/event-4701.md
index 5c1cafe14f..7997ce6cf3 100644
--- a/windows/keep-secure/event-4701.md
+++ b/windows/keep-secure/event-4701.md
@@ -70,7 +70,7 @@ This event generates every time a scheduled task is disabled.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable scheduled task” operation.
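Review bot: the unchanged context lines in this hunk carry a copy/paste error that this change leaves in place: the hunk header says the event fires when a scheduled task is disabled, yet both the Security ID description and the Account Name description read "requested the “enable scheduled task” operation". Compare the event-4700.md hunk just above, where "enable" is correct. Since these lines are already being touched in this file, consider changing both to "disable scheduled task" in the same change so 4700 and 4701 describe opposite operations as intended.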
diff --git a/windows/keep-secure/event-4702.md b/windows/keep-secure/event-4702.md
index 3d0071fd39..0fb4d69eea 100644
--- a/windows/keep-secure/event-4702.md
+++ b/windows/keep-secure/event-4702.md
@@ -70,7 +70,7 @@ This event generates every time scheduled task was updated/changed.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change/update scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change/update scheduled task” operation.
diff --git a/windows/keep-secure/event-4703.md b/windows/keep-secure/event-4703.md
index bdce298519..154f3a9fe6 100644
--- a/windows/keep-secure/event-4703.md
+++ b/windows/keep-secure/event-4703.md
@@ -80,7 +80,7 @@ Token privileges provide the ability to take certain system-level actions that y
- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable” or “disable” operation for **Target Account** privileges. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable” or “disable” operation for **Target Account** privileges.
@@ -102,7 +102,7 @@ Token privileges provide the ability to take certain system-level actions that y
- **Security ID** \[Type = SID\]**:** SID of account for which privileges were enabled or disabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which privileges were enabled or disabled.
diff --git a/windows/keep-secure/event-4704.md b/windows/keep-secure/event-4704.md
index ee98fd4712..234edaa3ac 100644
--- a/windows/keep-secure/event-4704.md
+++ b/windows/keep-secure/event-4704.md
@@ -72,7 +72,7 @@ You will see unique event for every user.
- **Security ID** \[Type = SID\]**:** SID of account that made a change to local user right policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local user right policy.
diff --git a/windows/keep-secure/event-4705.md b/windows/keep-secure/event-4705.md
index 7a5f1008fc..007bdc4ec3 100644
--- a/windows/keep-secure/event-4705.md
+++ b/windows/keep-secure/event-4705.md
@@ -72,7 +72,7 @@ You will see unique event for every user.
- **Security ID** \[Type = SID\]**:** SID of account that made a change to local user right policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local user right policy.
diff --git a/windows/keep-secure/event-4706.md b/windows/keep-secure/event-4706.md
index c6eba5f6a8..3eb6bdda15 100644
--- a/windows/keep-secure/event-4706.md
+++ b/windows/keep-secure/event-4706.md
@@ -76,7 +76,7 @@ This event is generated only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create domain trust” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create domain trust” operation.
diff --git a/windows/keep-secure/event-4707.md b/windows/keep-secure/event-4707.md
index 9a77188b80..011e640b52 100644
--- a/windows/keep-secure/event-4707.md
+++ b/windows/keep-secure/event-4707.md
@@ -72,7 +72,7 @@ This event is generated only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “remove domain trust” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove domain trust” operation.
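Review bot: the `-`/`+` pair differs only in the final link, but because the whole SID note is a single very long line the diff cannot show that, and a reviewer has to compare the entire line by eye to confirm nothing else changed. Consider wrapping the note text at sentence boundaries or, better, moving this boilerplate into a shared include so a future retarget shows up as a one-line change in one place instead of an identical edit in every event page.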
diff --git a/windows/keep-secure/event-4713.md b/windows/keep-secure/event-4713.md
index f87013f4a6..482ad0768e 100644
--- a/windows/keep-secure/event-4713.md
+++ b/windows/keep-secure/event-4713.md
@@ -71,7 +71,7 @@ This event is generated only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that made a change to Kerberos policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to Kerberos policy.
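Review bot: besides the URL swap, the link text changes casing from `Security Identifiers` to `Security identifiers`. That is fine if the target page's title is sentence-case, but it is a second, unrelated edit hidden inside a link-retarget hunk and should be stated in the commit message so the casing choice is deliberate rather than a copy-paste artifact.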
diff --git a/windows/keep-secure/event-4715.md b/windows/keep-secure/event-4715.md
index d0e5dd0ef3..fea15f35d7 100644
--- a/windows/keep-secure/event-4715.md
+++ b/windows/keep-secure/event-4715.md
@@ -72,7 +72,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change local audit policy security descriptor (SACL)” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change local audit policy security descriptor (SACL)” operation.
diff --git a/windows/keep-secure/event-4716.md b/windows/keep-secure/event-4716.md
index 373d14519b..8140c94b16 100644
--- a/windows/keep-secure/event-4716.md
+++ b/windows/keep-secure/event-4716.md
@@ -76,7 +76,7 @@ This event is generated only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify domain trust settings” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify domain trust settings” operation.
diff --git a/windows/keep-secure/event-4717.md b/windows/keep-secure/event-4717.md
index dbe74fada2..476501f806 100644
--- a/windows/keep-secure/event-4717.md
+++ b/windows/keep-secure/event-4717.md
@@ -72,7 +72,7 @@ You will see unique event for every user if logon user rights were granted to mu
- **Security ID** \[Type = SID\]**:** SID of account that made a change to local logon right user policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local logon right user policy.
diff --git a/windows/keep-secure/event-4718.md b/windows/keep-secure/event-4718.md
index 44f5fc4624..af30328c64 100644
--- a/windows/keep-secure/event-4718.md
+++ b/windows/keep-secure/event-4718.md
@@ -72,7 +72,7 @@ You will see unique event for every user if logon user rights were removed for m
- **Security ID** \[Type = SID\]**:** SID of account that made a change to local logon right user policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local logon right user policy.
diff --git a/windows/keep-secure/event-4719.md b/windows/keep-secure/event-4719.md
index 7a274992c8..69b248ec50 100644
--- a/windows/keep-secure/event-4719.md
+++ b/windows/keep-secure/event-4719.md
@@ -74,7 +74,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
- **Security ID** \[Type = SID\]**:** SID of account that made a change to local audit policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local audit policy.
diff --git a/windows/keep-secure/event-4720.md b/windows/keep-secure/event-4720.md
index 157b9b01a3..d333e12f03 100644
--- a/windows/keep-secure/event-4720.md
+++ b/windows/keep-secure/event-4720.md
@@ -92,7 +92,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create user account” operation.
diff --git a/windows/keep-secure/event-4722.md b/windows/keep-secure/event-4722.md
index 6c96fd0b4a..37b03dbe77 100644
--- a/windows/keep-secure/event-4722.md
+++ b/windows/keep-secure/event-4722.md
@@ -75,7 +75,7 @@ For computer accounts, this event generates only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable account” operation.
diff --git a/windows/keep-secure/event-4723.md b/windows/keep-secure/event-4723.md
index 8c23919260..cf74611ba8 100644
--- a/windows/keep-secure/event-4723.md
+++ b/windows/keep-secure/event-4723.md
@@ -82,7 +82,7 @@ Typically you will see 4723 events with the same **Subject\\Security ID** and **
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to change Target’s Account password. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to change Target’s Account password.
diff --git a/windows/keep-secure/event-4724.md b/windows/keep-secure/event-4724.md
index 977955100e..f0257228f4 100644
--- a/windows/keep-secure/event-4724.md
+++ b/windows/keep-secure/event-4724.md
@@ -81,7 +81,7 @@ For local accounts, a Failure event generates if the new password fails to meet
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to reset Target’s Account password. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to reset Target’s Account password.
diff --git a/windows/keep-secure/event-4725.md b/windows/keep-secure/event-4725.md
index 7dacfe0813..b5926a2941 100644
--- a/windows/keep-secure/event-4725.md
+++ b/windows/keep-secure/event-4725.md
@@ -75,7 +75,7 @@ For computer accounts, this event generates only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “disable account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “disable account” operation.
diff --git a/windows/keep-secure/event-4726.md b/windows/keep-secure/event-4726.md
index ab110e118d..b27daa7dd0 100644
--- a/windows/keep-secure/event-4726.md
+++ b/windows/keep-secure/event-4726.md
@@ -74,7 +74,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete user account” operation.
diff --git a/windows/keep-secure/event-4731.md b/windows/keep-secure/event-4731.md
index 0f6116aca5..b92e02d280 100644
--- a/windows/keep-secure/event-4731.md
+++ b/windows/keep-secure/event-4731.md
@@ -76,7 +76,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create group” operation.
diff --git a/windows/keep-secure/event-4732.md b/windows/keep-secure/event-4732.md
index f688280574..41cf2a4a08 100644
--- a/windows/keep-secure/event-4732.md
+++ b/windows/keep-secure/event-4732.md
@@ -80,7 +80,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group
- **Security ID** \[Type = SID\]**:** SID of account that requested the “add member to the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add member to the group” operation.
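Review bot: this is the same multi-sentence SID note, byte for byte, that the `+` line above and every other hunk in this PR rewrite one file at a time. The fact that a single link change touches seventeen-plus files is the maintenance problem; suggest moving the note into a shared include or snippet and referencing it from each event page, so the next edit to this text (or its link) is a one-file change.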
diff --git a/windows/keep-secure/event-4733.md b/windows/keep-secure/event-4733.md
index b2de4567ac..40629bb96c 100644
--- a/windows/keep-secure/event-4733.md
+++ b/windows/keep-secure/event-4733.md
@@ -80,7 +80,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group
- **Security ID** \[Type = SID\]**:** SID of account that requested the “remove member from the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove member from the group” operation.
diff --git a/windows/keep-secure/event-4734.md b/windows/keep-secure/event-4734.md
index 023be2969c..120da30815 100644
--- a/windows/keep-secure/event-4734.md
+++ b/windows/keep-secure/event-4734.md
@@ -74,7 +74,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete group” operation.
diff --git a/windows/keep-secure/event-4735.md b/windows/keep-secure/event-4735.md
index b6dac600b9..928905449d 100644
--- a/windows/keep-secure/event-4735.md
+++ b/windows/keep-secure/event-4735.md
@@ -84,7 +84,7 @@ From 4735 event you can get information about changes of **sAMAccountName** and
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change group” operation.
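Review bot: the hunk header context "From 4735 event you can get information about changes of **sAMAccountName** and" is missing an article ("From the 4735 event you can get information about changes to ..."). Outside this hunk's intended scope, but the identical wording also appears in the event-4750 hunk below, so it is cheap to fix both while the files are already open.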
diff --git a/windows/keep-secure/event-4738.md b/windows/keep-secure/event-4738.md
index 98f22cb17c..f2992c4a97 100644
--- a/windows/keep-secure/event-4738.md
+++ b/windows/keep-secure/event-4738.md
@@ -99,7 +99,7 @@ Some changes do not invoke a 4738 event.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change user account” operation.
diff --git a/windows/keep-secure/event-4739.md b/windows/keep-secure/event-4739.md
index b5873a99e3..8b692f1ea3 100644
--- a/windows/keep-secure/event-4739.md
+++ b/windows/keep-secure/event-4739.md
@@ -102,7 +102,7 @@ This event generates when one of the following changes was made to local compute
- **Security ID** \[Type = SID\]**:** SID of account that made a change to specific local policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to specific local policy.
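Review bot: the unchanged context lines here read "SID of account that made a change to specific local policy" and "the name of the account that made a change to specific local policy"; both want "to a specific local policy". Not introduced by this change, but since this PR is touching exactly these field descriptions it is the natural place to correct them.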
diff --git a/windows/keep-secure/event-4740.md b/windows/keep-secure/event-4740.md
index 7ab01449c8..7e35c73f98 100644
--- a/windows/keep-secure/event-4740.md
+++ b/windows/keep-secure/event-4740.md
@@ -73,7 +73,7 @@ For user accounts, this event generates on domain controllers, member servers, a
- **Security ID** \[Type = SID\]**:** SID of account that performed the lockout operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the lockout operation.
diff --git a/windows/keep-secure/event-4741.md b/windows/keep-secure/event-4741.md
index 52d8a70a84..ed9cddfc2c 100644
--- a/windows/keep-secure/event-4741.md
+++ b/windows/keep-secure/event-4741.md
@@ -94,7 +94,7 @@ This event generates only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create Computer object” operation.
diff --git a/windows/keep-secure/event-4742.md b/windows/keep-secure/event-4742.md
index b09dba8333..9f318856ed 100644
--- a/windows/keep-secure/event-4742.md
+++ b/windows/keep-secure/event-4742.md
@@ -105,7 +105,7 @@ You might see this event without any changes inside, that is, where all **Change
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change Computer object” operation.
diff --git a/windows/keep-secure/event-4743.md b/windows/keep-secure/event-4743.md
index 42f7e90f14..beaa8afbe9 100644
--- a/windows/keep-secure/event-4743.md
+++ b/windows/keep-secure/event-4743.md
@@ -74,7 +74,7 @@ This event generates only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete Computer object” operation.
diff --git a/windows/keep-secure/event-4749.md b/windows/keep-secure/event-4749.md
index 321a4a3e52..d2c6a567d6 100644
--- a/windows/keep-secure/event-4749.md
+++ b/windows/keep-secure/event-4749.md
@@ -76,7 +76,7 @@ This event generates only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create group” operation.
diff --git a/windows/keep-secure/event-4750.md b/windows/keep-secure/event-4750.md
index 17f5d8eb84..206195ae89 100644
--- a/windows/keep-secure/event-4750.md
+++ b/windows/keep-secure/event-4750.md
@@ -84,7 +84,7 @@ From 4750 event you can get information about changes of **sAMAccountName** and
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change group” operation.
diff --git a/windows/keep-secure/event-4751.md b/windows/keep-secure/event-4751.md
index ea37165fce..8f224051a1 100644
--- a/windows/keep-secure/event-4751.md
+++ b/windows/keep-secure/event-4751.md
@@ -80,7 +80,7 @@ You will typically see “[4750](event-4750.md): A security-disabled global grou
- **Security ID** \[Type = SID\]**:** SID of account that requested the “add member to the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add member to the group” operation.
diff --git a/windows/keep-secure/event-4752.md b/windows/keep-secure/event-4752.md
index 28d38b44a5..d9ef0f8d52 100644
--- a/windows/keep-secure/event-4752.md
+++ b/windows/keep-secure/event-4752.md
@@ -78,7 +78,7 @@ For every removed member you will get separate 4752 event.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “remove member from the group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove member from the group” operation.
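Review bot: the hunk header context "For every removed member you will get separate 4752 event." needs an article ("a separate 4752 event"). Same observation as on the other hunks: unrelated to the link swap, but a one-word fix in a file this PR already modifies.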
diff --git a/windows/keep-secure/event-4753.md b/windows/keep-secure/event-4753.md
index 5cc018f286..c8375231e2 100644
--- a/windows/keep-secure/event-4753.md
+++ b/windows/keep-secure/event-4753.md
@@ -74,7 +74,7 @@ This event generates only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete group” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete group” operation.
diff --git a/windows/keep-secure/event-4764.md b/windows/keep-secure/event-4764.md
index e5bcc13c9a..3942742122 100644
--- a/windows/keep-secure/event-4764.md
+++ b/windows/keep-secure/event-4764.md
@@ -76,7 +76,7 @@ This event generates only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change group type” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change group type” operation.
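Review bot: the new link `[Security identifiers](security-identifiers.md)` is relative, so from `windows/keep-secure/event-4764.md` it resolves to `windows/keep-secure/security-identifiers.md`; nothing in this patch adds that file, so confirm it already exists at exactly that path before merging, otherwise every event page in this change trades a working MSDN link for a broken one. If that page does not itself cite the MSDN reference being dropped here (`aa379571`), consider adding it there so the authoritative source remains one click away.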
diff --git a/windows/keep-secure/event-4767.md b/windows/keep-secure/event-4767.md
index a189b84db0..7eb768b001 100644
--- a/windows/keep-secure/event-4767.md
+++ b/windows/keep-secure/event-4767.md
@@ -73,7 +73,7 @@ For user accounts, this event generates on domain controllers, member servers, a
- **Security ID** \[Type = SID\]**:** SID of account that performed the unlock operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the unlock operation.
diff --git a/windows/keep-secure/event-4768.md b/windows/keep-secure/event-4768.md
index edcc1952bc..48c81eea57 100644
--- a/windows/keep-secure/event-4768.md
+++ b/windows/keep-secure/event-4768.md
@@ -104,7 +104,7 @@ This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “
- **NULL SID** – this value shows in [4768](event-4768.md) Failure events.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
**Service Information:**
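Review bot: the unchanged context line above the Note in `event-4768.md`, `- **NULL SID** – this value shows in [4768](event-4768.md) Failure events.`, links the page to itself; since the file is being touched anyway, drop the self-link and write plain `4768` (the equivalent bullet in `event-4769.md` in this same patch has no link). The Note link swap itself matches the rest of the change.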
diff --git a/windows/keep-secure/event-4769.md b/windows/keep-secure/event-4769.md
index ecb3b28900..e41de7fd26 100644
--- a/windows/keep-secure/event-4769.md
+++ b/windows/keep-secure/event-4769.md
@@ -112,7 +112,7 @@ You will typically see many Failure events with **Failure Code** “**0x20**”,
- **NULL SID** – this value shows in Failure events.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
**Network Information:**
diff --git a/windows/keep-secure/event-4770.md b/windows/keep-secure/event-4770.md
index 1c353eb67f..65966234c0 100644
--- a/windows/keep-secure/event-4770.md
+++ b/windows/keep-secure/event-4770.md
@@ -98,7 +98,7 @@ This event generates only on domain controllers.
- **Service ID** \[Type = SID\]**:** SID of the account or computer object for which the TGS ticket was renewed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
**Network Information:**
diff --git a/windows/keep-secure/event-4771.md b/windows/keep-secure/event-4771.md
index ae81985175..233040c8f3 100644
--- a/windows/keep-secure/event-4771.md
+++ b/windows/keep-secure/event-4771.md
@@ -81,7 +81,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
For example: CONTOSO\\dadmin or CONTOSO\\WIN81$.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name:** \[Type = UnicodeString\]**:** the name of account, for which (TGT) ticket was requested. Computer account name ends with **$** character.
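Review bot: the context bullet `- **Account Name:** \[Type = UnicodeString\]**:** the name of account, for which (TGT) ticket was requested.` carries the colon twice (inside the bold label and again after the type), unlike the `- **Account Name** \[Type = UnicodeString\]**:**` form used in every other event page in this patch; while the file is open, make it `- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which the TGT was requested.` The Note link swap in this hunk is consistent with the rest of the change.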
diff --git a/windows/keep-secure/event-4781.md b/windows/keep-secure/event-4781.md
index 34064992de..fa151fbb39 100644
--- a/windows/keep-secure/event-4781.md
+++ b/windows/keep-secure/event-4781.md
@@ -77,7 +77,7 @@ For computer accounts, this event generates only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that performed the “change account name” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the “change account name” operation.
diff --git a/windows/keep-secure/event-4782.md b/windows/keep-secure/event-4782.md
index 6d0804b3b3..2c04b9ab81 100644
--- a/windows/keep-secure/event-4782.md
+++ b/windows/keep-secure/event-4782.md
@@ -72,7 +72,7 @@ Typically **“Subject\\Security ID”** is the SYSTEM account.
- **Security ID** \[Type = SID\]**:** SID of account that requested hash migration operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested hash migration operation.
diff --git a/windows/keep-secure/event-4793.md b/windows/keep-secure/event-4793.md
index 079c4317df..ea2cc8090b 100644
--- a/windows/keep-secure/event-4793.md
+++ b/windows/keep-secure/event-4793.md
@@ -79,7 +79,7 @@ Note that starting with Microsoft SQL Server 2005, the “SQL Server password po
- **Security ID** \[Type = SID\]**:** SID of account that requested Password Policy Checking API operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested Password Policy Checking API operation.
diff --git a/windows/keep-secure/event-4794.md b/windows/keep-secure/event-4794.md
index c3ce16e165..131254b61b 100644
--- a/windows/keep-secure/event-4794.md
+++ b/windows/keep-secure/event-4794.md
@@ -72,7 +72,7 @@ This event generates only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to set Directory Services Restore Mode administrator password. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to set Directory Services Restore Mode administrator password.
diff --git a/windows/keep-secure/event-4798.md b/windows/keep-secure/event-4798.md
index 3423f5319b..3d3ddee0ce 100644
--- a/windows/keep-secure/event-4798.md
+++ b/windows/keep-secure/event-4798.md
@@ -73,7 +73,7 @@ This event generates when a process enumerates a user's security-enabled local g
- **Security ID** \[Type = SID\]**:** SID of account that requested the “enumerate user's security-enabled local groups” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enumerate user's security-enabled local groups” operation.
diff --git a/windows/keep-secure/event-4799.md b/windows/keep-secure/event-4799.md
index 2084212f59..686f00f99f 100644
--- a/windows/keep-secure/event-4799.md
+++ b/windows/keep-secure/event-4799.md
@@ -75,7 +75,7 @@ This event doesn't generate when group members were enumerated using Active Dire
- **Security ID** \[Type = SID\]**:** SID of account that requested the “enumerate security-enabled local group members” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enumerate security-enabled local group members” operation.
diff --git a/windows/keep-secure/event-4800.md b/windows/keep-secure/event-4800.md
index 3eb3482649..30cddc53d4 100644
--- a/windows/keep-secure/event-4800.md
+++ b/windows/keep-secure/event-4800.md
@@ -69,7 +69,7 @@ This event is generated when a workstation was locked.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “lock workstation” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “lock workstation” operation.
diff --git a/windows/keep-secure/event-4801.md b/windows/keep-secure/event-4801.md
index b0b69a6e24..274fd1ba5c 100644
--- a/windows/keep-secure/event-4801.md
+++ b/windows/keep-secure/event-4801.md
@@ -69,7 +69,7 @@ This event is generated when workstation was unlocked.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “unlock workstation” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “unlock workstation” operation.
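Review bot: the hunk header context `This event is generated when workstation was unlocked.` is missing an article (`when the workstation was unlocked`), and the neighbouring screen-saver pages in this patch show the same pattern (`when screen saver was invoked` / `was dismissed`). These are one-word fixes in files this change already touches, so they could ride along, but they sit outside the SID Note and can equally be a follow-up. The link swap in this hunk matches the rest of the patch.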
diff --git a/windows/keep-secure/event-4802.md b/windows/keep-secure/event-4802.md
index 691f558b08..ebce359a9c 100644
--- a/windows/keep-secure/event-4802.md
+++ b/windows/keep-secure/event-4802.md
@@ -69,7 +69,7 @@ This event is generated when screen saver was invoked.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “invoke screensaver” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “invoke screensaver” operation.
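Review bot: the new relative target `security-identifiers.md` on the `+` line resolves against this file's own directory, so it must exist as `windows/keep-secure/security-identifiers.md`, and nothing in this patch adds or renames such a file; please confirm the target is present before merging, since swapping a working external link for a dead internal one is a regression for readers. The link text also changes case from "Security Identifiers" to "Security identifiers"; that is fine as long as it matches the target page's title.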
diff --git a/windows/keep-secure/event-4803.md b/windows/keep-secure/event-4803.md
index 8cfb6407c8..62ffc7f753 100644
--- a/windows/keep-secure/event-4803.md
+++ b/windows/keep-secure/event-4803.md
@@ -69,7 +69,7 @@ This event is generated when screen saver was dismissed.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “dismiss screensaver” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “dismiss screensaver” operation.
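Review bot: this SID note is the same blockquote copied verbatim into every event page touched by this patch (the `-`/`+` pair here is character-for-character identical to the one in event-4802.md and the files that follow). If the build tooling supports includes or shared snippets, consider moving the note into one and referencing it from each page, so the next wording or link change does not need another sweep across every event-*.md file.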
diff --git a/windows/keep-secure/event-4817.md b/windows/keep-secure/event-4817.md
index c1bc5e42d5..7980c341af 100644
--- a/windows/keep-secure/event-4817.md
+++ b/windows/keep-secure/event-4817.md
@@ -75,7 +75,7 @@ Separate events will be generated for “Registry” and “File system” polic
- **Security ID** \[Type = SID\]**:** SID of account that made a change to Global Object Access Auditing policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to Global Object Access Auditing policy.
diff --git a/windows/keep-secure/event-4818.md b/windows/keep-secure/event-4818.md
index f219c35d82..aad25bb594 100644
--- a/windows/keep-secure/event-4818.md
+++ b/windows/keep-secure/event-4818.md
@@ -76,7 +76,7 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy
- **Security ID** \[Type = SID\]**:** SID of account that made an access request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an access request.
diff --git a/windows/keep-secure/event-4819.md b/windows/keep-secure/event-4819.md
index b9311464ea..5ef9d2b4dc 100644
--- a/windows/keep-secure/event-4819.md
+++ b/windows/keep-secure/event-4819.md
@@ -76,7 +76,7 @@ For example, it generates when a new [Central Access Policy](https://technet.mic
- **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policies on the machine. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policies on the machine.
diff --git a/windows/keep-secure/event-4826.md b/windows/keep-secure/event-4826.md
index fd9ab17f16..989ba1f6e1 100644
--- a/windows/keep-secure/event-4826.md
+++ b/windows/keep-secure/event-4826.md
@@ -82,7 +82,7 @@ This event is always logged regardless of the "Audit Other Policy Change Events"
- **Security ID** \[Type = SID\]**:** SID of account that reported this event. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. Always “S-1-5-18” for this event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported this event. Always “-“ for this event.
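Review bot: the trailing context line `Always “-“ for this event.` uses an opening curly quote on both sides of the dash; since this file is already being edited, change the second one to a closing quote (“-”) so it renders consistently with `“S-1-5-18”` two lines above.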
diff --git a/windows/keep-secure/event-4865.md b/windows/keep-secure/event-4865.md
index 90f686c80b..fc96c3a543 100644
--- a/windows/keep-secure/event-4865.md
+++ b/windows/keep-secure/event-4865.md
@@ -79,7 +79,7 @@ This event is generated only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “add a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add a trusted forest information entry” operation.
diff --git a/windows/keep-secure/event-4866.md b/windows/keep-secure/event-4866.md
index 1fc701f4d1..45e828eb01 100644
--- a/windows/keep-secure/event-4866.md
+++ b/windows/keep-secure/event-4866.md
@@ -79,7 +79,7 @@ This event is generated only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “remove a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove a trusted forest information entry” operation.
diff --git a/windows/keep-secure/event-4867.md b/windows/keep-secure/event-4867.md
index 57fc10f7da..376f18a47f 100644
--- a/windows/keep-secure/event-4867.md
+++ b/windows/keep-secure/event-4867.md
@@ -81,7 +81,7 @@ This event contains new values only, it doesn’t contains old values and it doe
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify/change a trusted forest information entry” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify/change a trusted forest information entry” operation.
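Review bot: the hunk header context shows the surrounding paragraph reads `it doesn’t contains old values`, which should be `it doesn’t contain old values`; worth fixing in this pass while the file is open, as it is within a few lines of the edited note.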
diff --git a/windows/keep-secure/event-4904.md b/windows/keep-secure/event-4904.md
index 85d903d952..a3d21b731a 100644
--- a/windows/keep-secure/event-4904.md
+++ b/windows/keep-secure/event-4904.md
@@ -74,7 +74,7 @@ You can typically see this event during system startup, if specific roles (Inter
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to register a security event source. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to register a security event source.
diff --git a/windows/keep-secure/event-4905.md b/windows/keep-secure/event-4905.md
index 1bc58fabcc..0cb79afd08 100644
--- a/windows/keep-secure/event-4905.md
+++ b/windows/keep-secure/event-4905.md
@@ -74,7 +74,7 @@ You typically see this event if specific roles were removed, for example, Intern
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to unregister a security event source. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to unregister a security event source.
diff --git a/windows/keep-secure/event-4907.md b/windows/keep-secure/event-4907.md
index 0867cad21e..a7c610e28a 100644
--- a/windows/keep-secure/event-4907.md
+++ b/windows/keep-secure/event-4907.md
@@ -78,7 +78,7 @@ This event doesn't generate for Active Directory objects.
- **Security ID** \[Type = SID\]**:** SID of account that made a change to object’s auditing settings. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to object’s auditing settings.
diff --git a/windows/keep-secure/event-4908.md b/windows/keep-secure/event-4908.md
index c76f86b814..dfe71ca9a8 100644
--- a/windows/keep-secure/event-4908.md
+++ b/windows/keep-secure/event-4908.md
@@ -73,7 +73,7 @@ More information about Special Groups auditing can be found here:
**Special Groups** \[Type = UnicodeString\]**:** contains current list of SIDs (groups or accounts) which are members of Special Groups. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
“HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Audit\\SpecialGroups” registry value contains current list of SIDs which are included in Special Groups:
diff --git a/windows/keep-secure/event-4911.md b/windows/keep-secure/event-4911.md
index 20a174c857..173c322a13 100644
--- a/windows/keep-secure/event-4911.md
+++ b/windows/keep-secure/event-4911.md
@@ -78,7 +78,7 @@ Resource attributes for file or folder can be changed, for example, using Window
- **Security ID** \[Type = SID\]**:** SID of account that changed the resource attributes of the file system object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the resource attributes of the file system object.
diff --git a/windows/keep-secure/event-4912.md b/windows/keep-secure/event-4912.md
index bc9856672a..269bdcd27d 100644
--- a/windows/keep-secure/event-4912.md
+++ b/windows/keep-secure/event-4912.md
@@ -75,7 +75,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
- **Security ID** \[Type = SID\]**:** SID of account that made a change to per-user audit policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to per-user audit policy.
diff --git a/windows/keep-secure/event-4913.md b/windows/keep-secure/event-4913.md
index 96a27d5f9f..bab7781b60 100644
--- a/windows/keep-secure/event-4913.md
+++ b/windows/keep-secure/event-4913.md
@@ -78,7 +78,7 @@ This event always generates, regardless of the object’s [SACL](https://msdn.mi
- **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policy on the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policy on the object.
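Review bot: the new target `security-identifiers.md` is a relative link, so it resolves against this file's own folder, `windows/keep-secure/`; the page is not part of this patch, so confirm it already exists there or the build will produce a broken link where the MSDN URL used to work. Also confirm the internal page covers the points the Note itself relies on (a SID is issued by an authority, placed in the access token at logon, and never reused), since the external reference is removed rather than kept alongside the new one.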
diff --git a/windows/keep-secure/event-4964.md b/windows/keep-secure/event-4964.md
index 96d32ccc21..6c989c94e3 100644
--- a/windows/keep-secure/event-4964.md
+++ b/windows/keep-secure/event-4964.md
@@ -97,7 +97,7 @@ This event occurs when an account that is a member of any defined [Special Group
- **Security ID** \[Type = SID\]**:** SID of account that requested logon for **New Logon** account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested logon for **New Logon** account.
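Review bot: the Note paragraph edited here is identical in every hunk of this patch, which is why a single link change fans out across all the event-NNNN pages; consider moving the shared SID note into one included snippet so the next wording or link change is a single edit rather than a mass edit that is easy to apply inconsistently.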
diff --git a/windows/keep-secure/event-4985.md b/windows/keep-secure/event-4985.md
index f9737372fc..914a8b1dfe 100644
--- a/windows/keep-secure/event-4985.md
+++ b/windows/keep-secure/event-4985.md
@@ -73,7 +73,7 @@ This is an informational event from file system [Transaction Manager](https://ms
- **Security ID** \[Type = SID\]**:** SID of account through which the state of the transaction was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the state of the transaction.
diff --git a/windows/keep-secure/event-5058.md b/windows/keep-secure/event-5058.md
index b8b0f16ef4..0f645ddfd2 100644
--- a/windows/keep-secure/event-5058.md
+++ b/windows/keep-secure/event-5058.md
@@ -81,7 +81,7 @@ You can see these events, for example, during certificate renewal or export oper
- **Security ID** \[Type = SID\]**:** SID of account that requested key file operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested key file operation.
diff --git a/windows/keep-secure/event-5059.md b/windows/keep-secure/event-5059.md
index 3a1b397f62..f07301148a 100644
--- a/windows/keep-secure/event-5059.md
+++ b/windows/keep-secure/event-5059.md
@@ -78,7 +78,7 @@ This event generates when a cryptographic key is exported or imported using a [K
- **Security ID** \[Type = SID\]**:** SID of account that requested key migration operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested key migration operation.
diff --git a/windows/keep-secure/event-5061.md b/windows/keep-secure/event-5061.md
index 886a4d7aba..47baeb41ab 100644
--- a/windows/keep-secure/event-5061.md
+++ b/windows/keep-secure/event-5061.md
@@ -78,7 +78,7 @@ This event generates when a cryptographic operation (open key, create key, creat
- **Security ID** \[Type = SID\]**:** SID of account that requested specific cryptographic operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested specific cryptographic operation.
diff --git a/windows/keep-secure/event-5136.md b/windows/keep-secure/event-5136.md
index 3350dca361..7ff77e2c64 100644
--- a/windows/keep-secure/event-5136.md
+++ b/windows/keep-secure/event-5136.md
@@ -83,7 +83,7 @@ For a change operation you will typically see two 5136 events for one action, wi
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify object” operation.
diff --git a/windows/keep-secure/event-5137.md b/windows/keep-secure/event-5137.md
index 892245d530..6811c8a0cf 100644
--- a/windows/keep-secure/event-5137.md
+++ b/windows/keep-secure/event-5137.md
@@ -77,7 +77,7 @@ This event only generates if the parent object has a particular entry in its [SA
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create object” operation.
diff --git a/windows/keep-secure/event-5138.md b/windows/keep-secure/event-5138.md
index 84e80ff027..74f1c3211e 100644
--- a/windows/keep-secure/event-5138.md
+++ b/windows/keep-secure/event-5138.md
@@ -78,7 +78,7 @@ This event only generates if the container to which the Active Directory object
- **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** name of account that requested that the object be undeleted or restored.
diff --git a/windows/keep-secure/event-5139.md b/windows/keep-secure/event-5139.md
index 7399a33b15..e596740636 100644
--- a/windows/keep-secure/event-5139.md
+++ b/windows/keep-secure/event-5139.md
@@ -78,7 +78,7 @@ This event only generates if the destination object has a particular entry in it
- **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “move object” operation.
diff --git a/windows/keep-secure/event-5140.md b/windows/keep-secure/event-5140.md
index be40b7a2d5..44b1805626 100644
--- a/windows/keep-secure/event-5140.md
+++ b/windows/keep-secure/event-5140.md
@@ -79,7 +79,7 @@ This event generates once per session, when first access attempt was made.
- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object.
diff --git a/windows/keep-secure/event-5141.md b/windows/keep-secure/event-5141.md
index 238b70281d..6ead5872b1 100644
--- a/windows/keep-secure/event-5141.md
+++ b/windows/keep-secure/event-5141.md
@@ -78,7 +78,7 @@ This event only generates if the deleted object has a particular entry in its [S
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation.
diff --git a/windows/keep-secure/event-5142.md b/windows/keep-secure/event-5142.md
index 418a6387f7..b9b90bbcae 100644
--- a/windows/keep-secure/event-5142.md
+++ b/windows/keep-secure/event-5142.md
@@ -70,7 +70,7 @@ This event generates every time network share object was added.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “add network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add network share object” operation.
diff --git a/windows/keep-secure/event-5143.md b/windows/keep-secure/event-5143.md
index 30c4977b0c..1ed2dbad97 100644
--- a/windows/keep-secure/event-5143.md
+++ b/windows/keep-secure/event-5143.md
@@ -79,7 +79,7 @@ This event generates every time network share object was modified.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify network share object” operation.
diff --git a/windows/keep-secure/event-5144.md b/windows/keep-secure/event-5144.md
index d74e6e0c0e..ae5d2876a3 100644
--- a/windows/keep-secure/event-5144.md
+++ b/windows/keep-secure/event-5144.md
@@ -70,7 +70,7 @@ This event generates every time a network share object is deleted.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete network share object” operation.
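Review bot: the retargeted link `[Security identifiers](security-identifiers.md)` only resolves if `security-identifiers.md` sits in `windows/keep-secure/` next to `event-5144.md`, and no hunk in this excerpt adds that file, so confirm it already exists in the tree before merging; the identical substitution is repeated in every following `event-*.md` hunk, so one missing file would break the SID note on all of them at once. Dropping the external `msdn.microsoft.com/.../aa379571(v=vs.85)` URL is reasonable for a docs repo, but the local page should cover the same ground (SID issuance, access-token use, non-reuse) that the note summarises, since the note no longer points anywhere else.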
diff --git a/windows/keep-secure/event-5145.md b/windows/keep-secure/event-5145.md
index 1370cc6fe1..5982d03bce 100644
--- a/windows/keep-secure/event-5145.md
+++ b/windows/keep-secure/event-5145.md
@@ -79,7 +79,7 @@ This event generates every time network share object (file or folder) was access
- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object.
diff --git a/windows/keep-secure/event-5168.md b/windows/keep-secure/event-5168.md
index 44c9fe20cc..dd270b6b5f 100644
--- a/windows/keep-secure/event-5168.md
+++ b/windows/keep-secure/event-5168.md
@@ -75,7 +75,7 @@ It often happens because of NTLMv1 or LM protocols usage from client side when
- **Security ID** \[Type = SID\]**:** SID of account for which SPN check operation was failed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which SPN check operation was failed.
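Review bot: the context lines around this link change, `SID of account for which SPN check operation was failed` and `the name of the account for which SPN check operation was failed`, read awkwardly; since the file is already being touched, `the account for which the SPN check failed` would be a cheap wording fix to fold into the same hunk rather than leaving it for a separate pass.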
diff --git a/windows/keep-secure/event-5376.md b/windows/keep-secure/event-5376.md
index 16034db84c..0b315361cf 100644
--- a/windows/keep-secure/event-5376.md
+++ b/windows/keep-secure/event-5376.md
@@ -72,7 +72,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Security ID** \[Type = SID\]**:** SID of account that performed the backup operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the backup operation.
diff --git a/windows/keep-secure/event-5377.md b/windows/keep-secure/event-5377.md
index c50b35c2f4..48cda08bc0 100644
--- a/windows/keep-secure/event-5377.md
+++ b/windows/keep-secure/event-5377.md
@@ -72,7 +72,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Security ID** \[Type = SID\]**:** SID of account that performed the restore operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that performed the restore operation.
diff --git a/windows/keep-secure/event-5378.md b/windows/keep-secure/event-5378.md
index 066229425a..ed01eb2676 100644
--- a/windows/keep-secure/event-5378.md
+++ b/windows/keep-secure/event-5378.md
@@ -74,7 +74,7 @@ It typically occurs when [CredSSP](https://msdn.microsoft.com/en-us/library/cc22
- **Security ID** \[Type = SID\]**:** SID of account that requested credentials delegation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested credentials delegation.
diff --git a/windows/keep-secure/event-5888.md b/windows/keep-secure/event-5888.md
index 4e35780a9c..cb5a4a5432 100644
--- a/windows/keep-secure/event-5888.md
+++ b/windows/keep-secure/event-5888.md
@@ -73,7 +73,7 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify/change object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify/change object” operation.
diff --git a/windows/keep-secure/event-5889.md b/windows/keep-secure/event-5889.md
index 7e24a156f3..a49c9b83d0 100644
--- a/windows/keep-secure/event-5889.md
+++ b/windows/keep-secure/event-5889.md
@@ -73,7 +73,7 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation.
diff --git a/windows/keep-secure/event-5890.md b/windows/keep-secure/event-5890.md
index 896689a521..3618c15b54 100644
--- a/windows/keep-secure/event-5890.md
+++ b/windows/keep-secure/event-5890.md
@@ -73,7 +73,7 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su
- **Security ID** \[Type = SID\]**:** SID of account that requested the “add object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “add object” operation.
diff --git a/windows/keep-secure/event-6416.md b/windows/keep-secure/event-6416.md
index 9f93d86eb0..3b770a8e88 100644
--- a/windows/keep-secure/event-6416.md
+++ b/windows/keep-secure/event-6416.md
@@ -87,7 +87,7 @@ This event generates, for example, when a new external device is connected or en
- **Security ID** \[Type = SID\]**:** SID of account that registered the new device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that registered the new device.
diff --git a/windows/keep-secure/event-6419.md b/windows/keep-secure/event-6419.md
index b874b2ea54..9dffec1741 100644
--- a/windows/keep-secure/event-6419.md
+++ b/windows/keep-secure/event-6419.md
@@ -77,7 +77,7 @@ This event doesn’t mean that device was disabled.
- **Security ID** \[Type = SID\]**:** SID of account that made the request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made the request.
diff --git a/windows/keep-secure/event-6420.md b/windows/keep-secure/event-6420.md
index ec339814ea..0ff9a1dab6 100644
--- a/windows/keep-secure/event-6420.md
+++ b/windows/keep-secure/event-6420.md
@@ -75,7 +75,7 @@ This event generates every time specific device was disabled.
- **Security ID** \[Type = SID\]**:** SID of account that disabled the device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that disabled the device.
diff --git a/windows/keep-secure/event-6421.md b/windows/keep-secure/event-6421.md
index ea9ce9c6a5..cf2110f150 100644
--- a/windows/keep-secure/event-6421.md
+++ b/windows/keep-secure/event-6421.md
@@ -77,7 +77,7 @@ This event doesn’t mean that device was enabled.
- **Security ID** \[Type = SID\]**:** SID of account that made the request. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made the request.
diff --git a/windows/keep-secure/event-6422.md b/windows/keep-secure/event-6422.md
index fb59fad3bf..c0eec81d34 100644
--- a/windows/keep-secure/event-6422.md
+++ b/windows/keep-secure/event-6422.md
@@ -75,7 +75,7 @@ This event generates every time specific device was enabled.
- **Security ID** \[Type = SID\]**:** SID of account that enabled the device. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that enabled the device.
diff --git a/windows/keep-secure/event-6423.md b/windows/keep-secure/event-6423.md
index 09e75dc4cd..0e43d751c3 100644
--- a/windows/keep-secure/event-6423.md
+++ b/windows/keep-secure/event-6423.md
@@ -77,7 +77,7 @@ Device installation restriction group policies are located here: **\\Computer Co
- **Security ID** \[Type = SID\]**:** SID of account that forbids the device installation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
+> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](security-identifiers.md).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that forbids the device installation.
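Review bot: the context lines `SID of account that forbids the device installation` and `the name of the account that forbids the device installation` use present tense and an unusual verb compared with the sibling pages in this patch (`that disabled the device`, `that enabled the device`, `that registered the new device`); please check with the author whether this field actually holds the account that attempted the installation and align the wording with the other device-event pages while the file is open.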
diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
index 9f8709dce5..1a19780713 100644
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
+++ b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
@@ -110,8 +110,8 @@ You can also enable email scanning using the following PowerShell parameter:
2. Type **Set-MpPreference -DisableEmailScanning $false**.
Read more about this in:
-- • [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
-- • [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
+- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
+- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
## Manage archive scans in Windows Defender
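Review bot: the removed lines carried a literal `•` after the `-` list marker, which renders as a doubled bullet, so the replacement is correct. One style point in the same region: the cmdlet in the context line `2. Type **Set-MpPreference -DisableEmailScanning $false**.` is set in bold rather than a code span; `` `Set-MpPreference -DisableEmailScanning $false` `` would be the conventional form for a command and avoids `$false` being read as emphasis rather than a literal value to type.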
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample1.gif b/windows/keep-secure/images/adlocalaccounts-proc1-sample1.gif
new file mode 100644
index 0000000000..fb60cd5599
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample1.gif differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample2.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample2.png
new file mode 100644
index 0000000000..93e5e8e098
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample2.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample3.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample3.png
new file mode 100644
index 0000000000..7aad6b6a7b
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample3.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample4.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample4.png
new file mode 100644
index 0000000000..2b6c1394b9
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample4.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample5.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample5.png
new file mode 100644
index 0000000000..65508e5cf4
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample5.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample6.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample6.png
new file mode 100644
index 0000000000..4653a66f29
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample6.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc1-sample7.png b/windows/keep-secure/images/adlocalaccounts-proc1-sample7.png
new file mode 100644
index 0000000000..b4e379a357
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc1-sample7.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample1.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample1.png
new file mode 100644
index 0000000000..c725fd4f55
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample1.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample2.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample2.png
new file mode 100644
index 0000000000..999303a2d6
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample2.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample3.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample3.png
new file mode 100644
index 0000000000..b80fc69397
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample3.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample4.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample4.png
new file mode 100644
index 0000000000..412f425ccf
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample4.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample5.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample5.png
new file mode 100644
index 0000000000..b80fc69397
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample5.png differ
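Review bot: adlocalaccounts-proc2-sample5.png is byte-identical to adlocalaccounts-proc2-sample3.png added a few blocks above; both carry the same blob index `0000000000..b80fc69397`, so the same screenshot is being committed twice under two names. Either the step that uses sample5 was meant to show a different screen and the wrong file was captured, or both steps should reference a single image. Please check which screenshot that step expects and drop the duplicate before merge.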
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample6.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample6.png
new file mode 100644
index 0000000000..b2f6d3e1e2
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample6.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc2-sample7.png b/windows/keep-secure/images/adlocalaccounts-proc2-sample7.png
new file mode 100644
index 0000000000..8dda5403cf
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc2-sample7.png differ
diff --git a/windows/keep-secure/images/adlocalaccounts-proc3-sample1.png b/windows/keep-secure/images/adlocalaccounts-proc3-sample1.png
new file mode 100644
index 0000000000..e96b26abe1
Binary files /dev/null and b/windows/keep-secure/images/adlocalaccounts-proc3-sample1.png differ
diff --git a/windows/keep-secure/images/authorizationandaccesscontrolprocess.gif b/windows/keep-secure/images/authorizationandaccesscontrolprocess.gif
new file mode 100644
index 0000000000..d8a4d99dd2
Binary files /dev/null and b/windows/keep-secure/images/authorizationandaccesscontrolprocess.gif differ
diff --git a/windows/keep-secure/images/edp-sccm-add-network-domain.png b/windows/keep-secure/images/edp-sccm-add-network-domain.png
new file mode 100644
index 0000000000..505a3ca5fe
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-add-network-domain.png differ
diff --git a/windows/keep-secure/images/edp-sccm-addapplockerfile.png b/windows/keep-secure/images/edp-sccm-addapplockerfile.png
new file mode 100644
index 0000000000..36d4508747
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-addapplockerfile.png differ
diff --git a/windows/keep-secure/images/edp-sccm-adddesktopapp.png b/windows/keep-secure/images/edp-sccm-adddesktopapp.png
index 5ceed9bc66..18b1970f81 100644
Binary files a/windows/keep-secure/images/edp-sccm-adddesktopapp.png and b/windows/keep-secure/images/edp-sccm-adddesktopapp.png differ
diff --git a/windows/keep-secure/images/edp-sccm-additionalsettings.png b/windows/keep-secure/images/edp-sccm-additionalsettings.png
new file mode 100644
index 0000000000..3bd31c8e27
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-additionalsettings.png differ
diff --git a/windows/keep-secure/images/edp-sccm-adduniversalapp.png b/windows/keep-secure/images/edp-sccm-adduniversalapp.png
index bd5009afdc..cd8b78c72d 100644
Binary files a/windows/keep-secure/images/edp-sccm-adduniversalapp.png and b/windows/keep-secure/images/edp-sccm-adduniversalapp.png differ
diff --git a/windows/keep-secure/images/edp-sccm-appmgmt.png b/windows/keep-secure/images/edp-sccm-appmgmt.png
index 0a9d23f405..52a6ef5fd9 100644
Binary files a/windows/keep-secure/images/edp-sccm-appmgmt.png and b/windows/keep-secure/images/edp-sccm-appmgmt.png differ
diff --git a/windows/keep-secure/images/edp-sccm-corp-identity.png b/windows/keep-secure/images/edp-sccm-corp-identity.png
new file mode 100644
index 0000000000..940d60acf1
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-corp-identity.png differ
diff --git a/windows/keep-secure/images/edp-sccm-devicesettings.png b/windows/keep-secure/images/edp-sccm-devicesettings.png
index 3056cc1c96..1573ef06d7 100644
Binary files a/windows/keep-secure/images/edp-sccm-devicesettings.png and b/windows/keep-secure/images/edp-sccm-devicesettings.png differ
diff --git a/windows/keep-secure/images/edp-sccm-dra.png b/windows/keep-secure/images/edp-sccm-dra.png
new file mode 100644
index 0000000000..d823ecb78d
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-dra.png differ
diff --git a/windows/keep-secure/images/edp-sccm-generalscreen.png b/windows/keep-secure/images/edp-sccm-generalscreen.png
index 788cef4b8a..e0013f5b2d 100644
Binary files a/windows/keep-secure/images/edp-sccm-generalscreen.png and b/windows/keep-secure/images/edp-sccm-generalscreen.png differ
diff --git a/windows/keep-secure/images/edp-sccm-network-domain.png b/windows/keep-secure/images/edp-sccm-network-domain.png
new file mode 100644
index 0000000000..0fff54b6d2
Binary files /dev/null and b/windows/keep-secure/images/edp-sccm-network-domain.png differ
diff --git a/windows/keep-secure/images/edp-sccm-optsettings.png b/windows/keep-secure/images/edp-sccm-optsettings.png
index d786610c07..65365356da 100644
Binary files a/windows/keep-secure/images/edp-sccm-optsettings.png and b/windows/keep-secure/images/edp-sccm-optsettings.png differ
diff --git a/windows/keep-secure/images/edp-sccm-primarydomain2.png b/windows/keep-secure/images/edp-sccm-primarydomain2.png
deleted file mode 100644
index 5cb9990baf..0000000000
Binary files a/windows/keep-secure/images/edp-sccm-primarydomain2.png and /dev/null differ
diff --git a/windows/keep-secure/images/edp-sccm-summaryscreen.png b/windows/keep-secure/images/edp-sccm-summaryscreen.png
index 2e9d7b138b..2cbb827d7a 100644
Binary files a/windows/keep-secure/images/edp-sccm-summaryscreen.png and b/windows/keep-secure/images/edp-sccm-summaryscreen.png differ
diff --git a/windows/keep-secure/images/edp-sccm-supportedplat.png b/windows/keep-secure/images/edp-sccm-supportedplat.png
index dc72f15692..7add4926a9 100644
Binary files a/windows/keep-secure/images/edp-sccm-supportedplat.png and b/windows/keep-secure/images/edp-sccm-supportedplat.png differ
diff --git a/windows/keep-secure/images/intune-applocker-before-begin.png b/windows/keep-secure/images/intune-applocker-before-begin.png
new file mode 100644
index 0000000000..3f6a79c8d6
Binary files /dev/null and b/windows/keep-secure/images/intune-applocker-before-begin.png differ
diff --git a/windows/keep-secure/images/intune-applocker-permissions.png b/windows/keep-secure/images/intune-applocker-permissions.png
new file mode 100644
index 0000000000..901c861793
Binary files /dev/null and b/windows/keep-secure/images/intune-applocker-permissions.png differ
diff --git a/windows/keep-secure/images/intune-applocker-publisher-with-app.png b/windows/keep-secure/images/intune-applocker-publisher-with-app.png
new file mode 100644
index 0000000000..29f08e03f0
Binary files /dev/null and b/windows/keep-secure/images/intune-applocker-publisher-with-app.png differ
diff --git a/windows/keep-secure/images/intune-applocker-publisher.png b/windows/keep-secure/images/intune-applocker-publisher.png
new file mode 100644
index 0000000000..42da98610a
Binary files /dev/null and b/windows/keep-secure/images/intune-applocker-publisher.png differ
diff --git a/windows/keep-secure/images/intune-applocker-select-apps.png b/windows/keep-secure/images/intune-applocker-select-apps.png
new file mode 100644
index 0000000000..38ba06d474
Binary files /dev/null and b/windows/keep-secure/images/intune-applocker-select-apps.png differ
diff --git a/windows/keep-secure/images/intune-local-security-export.png b/windows/keep-secure/images/intune-local-security-export.png
new file mode 100644
index 0000000000..56b27c2387
Binary files /dev/null and b/windows/keep-secure/images/intune-local-security-export.png differ
diff --git a/windows/keep-secure/images/intune-local-security-snapin-updated.png b/windows/keep-secure/images/intune-local-security-snapin-updated.png
new file mode 100644
index 0000000000..d794b8976c
Binary files /dev/null and b/windows/keep-secure/images/intune-local-security-snapin-updated.png differ
diff --git a/windows/keep-secure/images/intune-local-security-snapin.png b/windows/keep-secure/images/intune-local-security-snapin.png
new file mode 100644
index 0000000000..492f3fc50a
Binary files /dev/null and b/windows/keep-secure/images/intune-local-security-snapin.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample1.png b/windows/keep-secure/images/localaccounts-proc1-sample1.png
new file mode 100644
index 0000000000..e70fa02c92
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample1.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample2.png b/windows/keep-secure/images/localaccounts-proc1-sample2.png
new file mode 100644
index 0000000000..085993f92c
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample2.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample3.png b/windows/keep-secure/images/localaccounts-proc1-sample3.png
new file mode 100644
index 0000000000..282cdb729d
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample3.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample4.png b/windows/keep-secure/images/localaccounts-proc1-sample4.png
new file mode 100644
index 0000000000..89fc916400
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample4.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample5.png b/windows/keep-secure/images/localaccounts-proc1-sample5.png
new file mode 100644
index 0000000000..d8d5af1336
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample5.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc1-sample6.png b/windows/keep-secure/images/localaccounts-proc1-sample6.png
new file mode 100644
index 0000000000..ba3f15f597
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc1-sample6.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc2-sample1.png b/windows/keep-secure/images/localaccounts-proc2-sample1.png
new file mode 100644
index 0000000000..2d44e29e1b
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc2-sample1.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc2-sample2.png b/windows/keep-secure/images/localaccounts-proc2-sample2.png
new file mode 100644
index 0000000000..89136d1ba0
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc2-sample2.png differ
diff --git a/windows/keep-secure/images/localaccounts-proc2-sample3.png b/windows/keep-secure/images/localaccounts-proc2-sample3.png
new file mode 100644
index 0000000000..f2d3a7596b
Binary files /dev/null and b/windows/keep-secure/images/localaccounts-proc2-sample3.png differ
diff --git a/windows/keep-secure/images/security-identifider-architecture.jpg b/windows/keep-secure/images/security-identifider-architecture.jpg
new file mode 100644
index 0000000000..cd7d341065
Binary files /dev/null and b/windows/keep-secure/images/security-identifider-architecture.jpg differ
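Review bot: the new image is named `security-identifider-architecture.jpg`, with "identifider" misspelled. Image links in this repo are path-based, so the typo will be baked into every topic that references the file. Rename it to security-identifier-architecture.jpg and update the reference in the security identifiers topic in the same change.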
diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md
index b605acb372..c400267003 100644
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@@ -27,6 +27,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
| [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
+| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
diff --git a/windows/keep-secure/local-accounts.md b/windows/keep-secure/local-accounts.md
new file mode 100644
index 0000000000..3e94ade971
--- /dev/null
+++ b/windows/keep-secure/local-accounts.md
@@ -0,0 +1,495 @@
+---
+title: Local Accounts (Windows 10)
+description: Local Accounts
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Local Accounts
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller.
+
+**Did you mean…**
+
+- [Active Directory Accounts](active-directory-accounts.md)
+
+- [Microsoft Accounts](microsoft-accounts.md)
+
+## About local user accounts
+
+
+Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users.
+
+This topic describes the following:
+
+- [Default local user accounts](#sec-default-accounts)
+
+ - [Administrator account](#sec-administrator)
+
+ - [Guest Account](#sec-guest)
+
+ - [HelpAssistant account (installed by using a Remote Assistance session)](#sec-helpassistant)
+
+- [Default local system accounts](#sec-localsystem)
+
+- [How to manage local accounts](#sec-manage-accounts)
+
+ - [Restrict and protect local accounts with administrative rights](#sec-restrict-protect-accounts)
+
+ - [Enforce local account restrictions for remote access](#sec-enforce-account-restrictions)
+
+ - [Deny network logon to all local Administrator accounts](#sec-deny-network-logon)
+
+ - [Create unique passwords for local accounts with administrative rights](#sec-create-unique-passwords)
+
+For information about security principals, see [Security Principals](security-principals.md).
+
+## Default local user accounts
+
+
+The default local user accounts are built-in accounts that are created automatically when you install the Windows Server operating system on a stand-alone server or member server. The **Applies To** list at the beginning of this article designates the Windows operating systems to which this topic applies.
+
+After the Windows Server operating system is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources.
+
+Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this topic.
+
+The default local user accounts that are provided include the Administrator account, Guest account and HelpAssistant account. Each of these default local user accounts is described in the following sections.
+
+### Administrator account
+
+The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the installation for all Windows Server operating systems, and for Windows client operating systems.
+
+For Windows Server operating systems, the Administrator account gives the user full control of the files, directories, services, and other resources that are under the control of the local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. The Administrator account can also be used take control of local resources at any time simply by changing the user rights and permissions.
+
+The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.
+
+The default Administrator account is initially installed differently for Windows Server operating systems, and the Windows client operating systems. The following table provides a comparison.
+
+| Default restriction | Windows Server operating systems | Windows client operating systems |
+|---------------------|----------------------------------|----------------------------------|
+| Administrator account is disabled on installation | No | Yes |
+| Administrator account is set up on first sign-in | Yes | No, keep disabled |
+| Administrator account is used to set up the local server or client computer | Yes | No, use a local user account with **Run as administrator** to obtain administrative rights |
+| Administrator account requires a strong password when it is enabled | Yes | Yes |
+| Administrator account can be disabled, locked out, or renamed | Yes | Yes |
+
+In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.
+
+In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#sec-administrator-security).
+
+**Account group membership**
+
+By default, the Administrator account is installed as a member of the Administrators group on the server. It is a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer.
+
+The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed or disabled.
+
+**Security considerations**
+
+Because the Administrator account is known to exist on many versions of the Windows operating system, it is a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to to the server or client computer.
+
+You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see [Disable or activate a local user account](http://technet.microsoft.com/library/cc732112.aspx) and [Rename a local user account](http://technet.microsoft.com/library/cc725595.aspx).
+
+As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Do not use the Administrator account to sign in to your computer unless it is entirely necessary. For more information, see [Run a program with administrative credentials](https://technet.microsoft.com/en-us/library/cc732200.aspx).
+
+In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers.
+
+In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx).
+
+**Note**
+Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic.
+
+
+
+**Important**
+Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.
+
+
+
+### Guest account
+
+The Guest account (SID S-1-5-32-546) is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.
+
+**Account group membership**
+
+By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.
+
+**Security considerations**
+
+When an administrator enables the Guest account, it is a best practice to create a strong password for this account. In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers.
+
+When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](shut-down-the-system.md) user right.
+
+In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
+
+### HelpAssistant account (installed by using a Remote Assistance session)
+
+The default HelpAssistant account is enabled when a Windows Remote Assistance session is run. The Windows Remote Assistance session can be used to connect from the server to another computer running the Windows operating system. For solicited remote assistance, a user initiates a Windows Remote Assistance session, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance.
+
+After the user’s invitation for a Windows Remote Assistance session is accepted, the default HelpAssistant account is automatically created. The HelpAssistant account provides limited access to the computer to the person who provides assistance. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. The HelpAssistant account is automatically deleted after there are no Remote Assistance requests are pending.
+
+The security identifiers (SIDs) that pertain to the default HelpAssistant account include:
+
+- SID: S-1-5-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled.
+
+- SID: S-1-5-14, display name Remote Interactive Logon. This group includes all users who sign in to the computer by using Remote Desktop Connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+
+For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
+
+In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default.
+
+## Default local system accounts
+
+
+The system account and the Administrator account of the Administrators group have the same file rights and permissions, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The system account was designed for that purpose. It is an internal account that does not show up in User Manager, it cannot be added to any groups, and it cannot have user rights assigned to it.
+
+On the other hand, the system account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the system account is granted Full Control permissions to all files on an NTFS volume. Here the system account has the same functional rights and permissions as the Administrator account.
+
+**Note**
+To grant the account Administrators group file permissions does not implicitly give permission to the system account. The system account's permissions can be removed from a file, but we do not recommend removing them.
+
+
+
+## How to manage local user accounts
+
+
+The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC), a collection of administrative tools that you can use to manage a single local or remote computer. For more information about creating and managing local user accounts, see [Manage Local Users](http://technet.microsoft.com/library/cc731899.aspx).
+
+You can use Local Users and Groups to assign rights and permissions on the local server, and that server only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner.
+
+You cannot use Local Users and Groups to view local users and groups after a member server is used as a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network.
+
+**Note**
+You use Active Directory Users and Computers to manage users and groups in Active Directory.
+
+
+
+### Restrict and protect local accounts with administrative rights
+
+An administrator can use a number of approaches to prevent malicious users from using stolen credentials, such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights; this is also called "lateral movement".
+
+The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks, for example, to browse the Internet, send email, or use a word processor. When you want to perform an administrative task, for example, to install a new program or to change a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.
+
+The other approaches that can be used to restrict and protect user accounts with administrative rights include:
+
+- Enforce local account restrictions for remote access.
+
+- Deny network logon to all local Administrator accounts.
+
+- Create unique passwords for local accounts with administrative rights.
+
+Each of these approaches is described in the following sections.
+
+**Note**
+These approaches do not apply if all administrative local accounts are disabled.
+
+
+
+### Enforce local account restrictions for remote access
+
+The User Account Control (UAC) is a security feature in Windows that has been in use in Windows Server 2008 and in Windows Vista, and the operating systems to which the **Applies To** list refers. UAC enables you to stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change how often UAC notifies you.
+
+UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command.
+
+In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.
+
+For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.
+
+For more information about UAC, see [User Account Control](user-account-control-overview.md).
+
+The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
+
+
+
+
+
+
+
+
+
+No. |
+Setting |
+Detailed Description |
+
+
+ |
+Policy location |
+Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
+
+
+1 |
+Policy name |
+[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md) |
+
+
+ |
+Policy setting |
+Enabled |
+
+
+2 |
+Policy location |
+Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
+
+
+ |
+Policy name |
+[User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md) |
+
+
+ |
+Policy setting |
+Enabled |
+
+
+3 |
+Registry key |
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
+
+
+ |
+Registry value name |
+LocalAccountTokenFilterPolicy |
+
+
+ |
+Registry value type |
+DWORD |
+
+
+ |
+Registry value data |
+0 |
+
+
+
+
+
+
+**To enforce local account restrictions for remote access**
+
+1. Start the **Group Policy Management** Console (GPMC).
+
+2. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO).
+
+3. In the console tree, right-click **Group Policy Objects**, and > **New**.
+
+ 
+
+4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer.
+
+ 
+
+5. In the details pane, right-click <**gpo\_name**>, and > **Edit**.
+
+ 
+
+6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following:
+
+ 1. Navigate to the Computer Configuration\\Policies\\Windows Settings, and > **Security Options**.
+
+ 2. Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**.
+
+ 3. Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**.
+
+7. Ensure that the local account restrictions are applied to network interfaces by doing the following:
+
+ 1. Navigate to Computer Configuration\\Preferences and Windows Settings, and > **Registry**.
+
+ 2. Right-click **Registry**, and > **New** > **Registry Item**.
+
+ 
+
+ 3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**.
+
+ 4. Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**.
+
+ 5. Click (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**.
+
+ 6. In the **Value name** area, type **LocalAccountTokenFilterPolicy**.
+
+ 7. In the **Value type** box, from the drop-down list, select **REG\_DWORD** to change the value.
+
+ 8. In the **Value data** box, ensure that the value is set to **0**.
+
+ 9. Verify this configuration, and > **OK**.
+
+ 
+
+8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
+
+ 1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path.
+
+ 2. Right-click the **Workstations** OU, and > **Link an existing GPO**.
+
+ 
+
+ 3. Select the GPO that you just created, and > **OK**.
+
+9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.
+
+10. Create links to all other OUs that contain workstations.
+
+11. Create links to all other OUs that contain servers.
+
+### Deny network logon to all local Administrator accounts
+
+Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that the credentials for local accounts that are stolen from a compromised operating system cannot be used to compromise additional computers that use the same credentials.
+
+**Note**
+In order to perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.
+
+
+
+The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts.
+
+
+
+
+
+
+
+
+
+No. |
+Setting |
+Detailed Description |
+
+
+ |
+Policy location |
+Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
+
+
+1 |
+Policy name |
+[Deny access to this computer from the network](deny-access-to-this-computer-from-the-network.md) |
+
+
+ |
+Policy setting |
+User name of the default Administrator account
+(Might be renamed through policy.) |
+
+
+2 |
+Policy location |
+Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
+
+
+ |
+Policy name |
+[Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md) |
+
+
+ |
+Policy setting |
+User name of the default Administrator account
+(Might be renamed through policy). |
+
+
+
+
+
+
+**To deny network logon to all local administrator accounts**
+
+1. Start the **Group Policy Management** Console (GPMC).
+
+2. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO).
+
+3. In the console tree, right-click **Group Policy Objects**, and > **New**.
+
+4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer.
+
+ 
+
+5. In the details pane, right-click <**gpo\_name**>, and > **Edit**.
+
+ 
+
+6. Configure the user rights to deny network logons for administrative local accounts as follows:
+
+ 1. Navigate to the Computer Configuration\\Policies\\Windows Settings, and > **User Rights Assignment**.
+
+ 2. Double-click **Deny access to this computer from the network**, and > **Define these policy settings**.
+
+ 3. Click **Add User or Group**, type the name of the default Administrator account, and > **OK**. The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
+
+ 
+
+ **Important**
+ In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolved to a name that is underlined, includes a computer name, or includes the domain, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator to prevent blocking domain accounts in that group.
+
+
+
+ 4. For any additional local accounts in the Administrators group on all of the workstations that you are configuring, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as described in the previous step, and then click **OK**.
+
+7. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:
+
+ 1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then click **User Rights Assignment**.
+
+ 2. Double-click **Deny log on through Remote Desktop Services**, and then select **Define these settings**.
+
+ 3. Click **Add User or Group**, type the user name of the default Administrator account, and > **OK**. (The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
+
+ **Important**
+ In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolves to a name that is underlined or includes a domain name, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator because this also blocks domain accounts in that group.
+
+
+
+ 4. For any additional local accounts in the Administrators group on all of the workstations that you are setting up, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as the previous step, and > **OK**.
+
+8. Link the GPO to the first **Workstations** OU as follows:
+
+ 1. Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path.
+
+ 2. Right-click the **Workstations** OU, and > **Link an existing GPO**.
+
+ 3. Select the GPO that you just created, and > **OK**.
+
+9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.
+
+10. Create links to all other OUs that contain workstations.
+
+11. Create links to all other OUs that contain servers.
+
+ **Note**
+ You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
+
+
+
+### Create unique passwords for local accounts with administrative rights
+
+Passwords should be unique per individual account. While this is generally true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments.
+
+Passwords that are left unchanged or changed synchronously to keep them identical add a significant risk for organizations. Randomizing the passwords mitigates "pass-the-hash" attacks by using different passwords for local accounts, which hampers the ability of malicious users to use password hashes of those accounts to compromise other computers.
+
+Passwords can be randomized by:
+
+- Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools.
+
+- Configuring, customizing and implementing a free tool to accomplish this task. A sample tool with source code is available at [Solution for management of built-in Administrator account’s password via GPO](http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789).
+
+ **Note**
+ This tool is not supported by Microsoft. There are some important considerations to make before deploying this tool because this tool requires client-side extensions and schema extensions to support password generation and storage.
+
+
+
+- Create and implement a custom script or solution to randomize local account passwords.
+
+## See also
+
+
+The following resources provide additional information about technologies that are related to local accounts.
+
+- [Security Principals](security-principals.md)
+
+- [Security Identifiers](security-identifiers.md)
+
+- [Access Control Overview](access-control.md)
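Review bot: the settings table under "Enforce local account restrictions for remote access" lists the same policy twice: rows 1 and 2 both read "User Account Control: Run all administrators in Admin Approval Mode", yet step 6 of the procedure below it configures two different policies, so row 2 should be "User Account Control: Admin Approval Mode for the Built-in Administrator account" to match step 6.3. While fixing the table, align its policy location with the procedure (the table says Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, the steps say Computer Configuration\Policies\Windows Settings), and correct step 7.1, where "Computer Configuration\Preferences and Windows Settings, and > Registry" is not a navigable path. In both "Important" callouts under "Deny network logon to all local Administrator accounts", the warning about entering "the group name Administrator" should say "Administrators", the group that step 6.4 of the same section names; a reader looking for a group called Administrator will not find one and may miss the point that adding the group would also deny domain accounts that are members of it. Step 7.3 in that section also has an unclosed parenthesis after "US English installations".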
diff --git a/windows/keep-secure/microsoft-accounts.md b/windows/keep-secure/microsoft-accounts.md
new file mode 100644
index 0000000000..910e6fac1f
--- /dev/null
+++ b/windows/keep-secure/microsoft-accounts.md
@@ -0,0 +1,160 @@
+---
+title: Microsoft Accounts (Windows 10)
+description: Microsoft Accounts
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Microsoft Accounts
+
+**Applies to**
+- Windows 10
+
+This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
+
+Microsoft sites, services, and properties such as Windows Live, MSN, Xbox LIVE, Zune, Windows Phone, and computers running Windows 10, Windows 8.1, Windows 8, and Windows RT use a Microsoft account as a mean of identifying users. Microsoft account is the name for what was previously called Windows Live ID. It has user-defined secrets associated with it, and it consists of a unique email address and a password.
+
+There are some benefits and considerations when using Microsoft accounts in the enterprise. For more information, see [Microsoft account in the enterprise](#bkmk-msaccountintheenterprise) later in this topic.
+
+When a user signs in with a Microsoft account, their device is connected to cloud services, and many of the settings, preferences, and apps associated with that user account can roam between devices.
+
+**Note**
+This content applies to the operating system versions that are designated in the **Applies To** list at the beginning of this topic.
+
+
+
+## How a Microsoft account works
+
+
+The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Windows Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
+
+When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
+
+**Important**
+Local Windows account functionality has not been removed, and it is still an option to use in managed environments.
+
+
+
+### How Microsoft accounts are created
+
+To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. If a user tries to create multiple Microsoft accounts with the same IP address, they are stopped.
+
+Microsoft accounts are not designed to be created in batches, for example, for a group of domain users within your enterprise.
+
+There are two methods for creating a Microsoft account:
+
+- **Use an existing email address**.
+
+ Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal password.
+
+- **Sign up for a Microsoft email address**.
+
+ Users can sign up for an email account with Microsoft's webmail services. This account can be used to sign in to websites that are enabled to use Microsoft accounts.
+
+### How the Microsoft account information is safeguarded
+
+Credential information is encrypted twice. The first encryption is based on the account’s password. Credentials are encrypted again when they are sent across the Internet. The data that is stored is not available to other Microsoft or non-Microsoft services.
+
+- **Strong password is required**.
+
+ Blank passwords are not allowed.
+
+ For more information, see [Microsoft Account Security Overview](http://www.microsoft.com/account/security/default.aspx).
+
+- **Secondary proof of identity is required**.
+
+ Before user profile information and settings can be accessed on a second supported Windows computer for the first time, trust must established for that device by providing secondary proof of identity. This can be accomplished by providing Windows with a code that is sent to a mobile phone number or by following the instructions that are sent to an alternate email address that a user specifies in the account settings.
+
+- **All user profile data is encrypted on the client before it is transmitted to the cloud**.
+
+ User data does not roam over a wireless wide area network (WWAN) by default, thereby protecting profile data. All data and settings that leave a device are transmitted through the TLS/SSL protocol.
+
+**Microsoft account security information is added**.
+
+Users can add security information to their Microsoft accounts through the **Accounts** interface on computers running the supported versions of Windows. This feature allows the user to update the security information that they provided when they created their accounts. This security information includes an alternate email address or phone number so if their password is compromised or forgotten, a verification code can be sent to verify their identity. Users can potentially use their Microsoft accounts to store corporate data on a personal OneDrive or email app, so it is safe practice for the account owner to keep this security information up-to-date.
+
+## The Microsoft account in the enterprise
+
+
+Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. The following list describes some advantages.
+
+- **Download Windows Store apps**:
+
+ If your enterprise chooses to distribute software through the Windows Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT.
+
+- **Single sign-on**:
+
+ Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Windows Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Windows Store apps or websites, so that these credentials roam across any devices running these supported versions.
+
+- **Personalized settings synchronization**:
+
+ Users can associate their most commonly used operating-system settings with a Microsoft account. These settings are available whenever a user signs in with that account on any device that is running a supported version of Windows and is connected to the cloud. After a user signs in, the device automatically attempts to get the user's settings from the cloud and apply them to the device.
+
+- **App synchronization**:
+
+ Windows Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed.
+
+- **Integrated social media services**:
+
+ Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as SkyDrive, Facebook, and Flickr.
+
+### Managing the Microsoft account in the domain
+
+Depending on your IT and business models, introducing Microsoft accounts into your enterprise might add complexity or it might provide solutions. You should address the following considerations before you allow the use of these account types in your enterprise:
+
+- [Restrict the use of the Microsoft account](#bkmk-restrictuse)
+
+- [Configure connected accounts](#bkmk-cfgconnectedaccounts)
+
+- [Provision Microsoft accounts in the enterprise](#bkmk-provisionaccounts)
+
+- [Audit account activity](#bkmk-audit)
+
+- [Perform password resets](#bkmk-passwordresets)
+
+- [Restrict app installation and usage](#bkmk-restrictappinstallationandusage)
+
+### Restrict the use of the Microsoft account
+
+If employees are allowed to join the domain with their personal devices, they might expect to connect to enterprise resources by using their Microsoft accounts. If you want to prevent any use of Microsoft accounts within your enterprise, you can configure the local security policy setting [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md). However, this setting can prevent the users from signing in to their Windows devices with their Microsoft accounts (if they had set them up to do so) when they are joined to the domain.
+
+The default for this setting is **Disabled**, which enables users to use their Microsoft accounts on devices that are joined to your domain. Other options in the setting can:
+
+1. Prevent users from creating new Microsoft accounts on a computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
+
+2. Prevent users with an existing Microsoft account from signing in to Windows. Selecting this option might make it impossible for an existing administrator to sign in to a computer and manage the system.
+
+### Configure connected accounts
+
+Users can connect a Microsoft account to their domain account and synchronize the settings and preferences between them. This enables users to see the same desktop background, app settings, browser history and favorites, and other Microsoft account settings on their other devices.
+
+Users can disconnect a Microsoft account from their domain account at any time as follows: In **PC settings**, tap or click **Users**, tap or click **Disconnect**, and then tap or click **Finish**.
+
+**Note**
+Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account.
+
+
+
+### Provision Microsoft accounts in the enterprise
+
+Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts.
+
+### Audit account activity
+
+Because Microsoft accounts are Internet-based, Windows does not have a mechanism to audit their use until the account is associated with a domain account. But this association does not restrict the user from disconnecting the account or disjoining from the domain. It is not possible to audit the activity of accounts that are not associated with your domain.
+
+### Perform password resets
+
+Only the owner of the Microsoft account can change the password. Passwords can be changed in the [Microsoft account sign-in portal](https://login.live.com).
+
+### Restrict app installation and usage
+
+Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](applocker-overview.md) and [Packaged Apps and Packaged App Installer Rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
+
+## See also
+
+- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](https://technet.microsoft.com/library/jj884082(v=ws.11).aspx)
+
+- [Access Control Overview](access-control.md)
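Review bot: "Transport Level Security/Secure Sockets Layer (TLS/SSL)" under "How a Microsoft account works" expands TLS incorrectly; it should read "Transport Layer Security". Two grammar fixes in the same file: "as a mean of identifying users" in the introduction should be "a means of", and "trust must established for that device" under "Secondary proof of identity is required" is missing "be". Product names are also inconsistent within the page: the "Integrated social media services" bullet refers to SkyDrive and Hotmail while the security-information paragraph above it already says OneDrive, so the older names should be updated in the same pass. One substantive addition is worth a sentence: "Restrict the use of the Microsoft account" warns that the second option "might make it impossible for an existing administrator to sign in", so the text should tell the reader to confirm that a local or domain administrator account exists on the computer before enabling that option, otherwise the warning leaves them with no action to take.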
diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md
index 0ca5b7cbd1..119659b070 100644
--- a/windows/keep-secure/overview-create-edp-policy.md
+++ b/windows/keep-secure/overview-create-edp-policy.md
@@ -1,6 +1,6 @@
---
title: Create an enterprise data protection (EDP) policy (Windows 10)
-description: Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
+description: Microsoft Intune and System Center Configuration Manager (version 1605 Technical Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.prod: w10
ms.mktglfcycl: explore
@@ -17,13 +17,13 @@ author: eross-msft
[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-Microsoft Intune and System Center Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
+Microsoft Intune and System Center Configuration Manager (version 1605 Technical Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
## In this section
|Topic |Description |
|------|------------|
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
-|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |Configuration Manager (version 1511 or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
+|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |Configuration Manager (version 1605 Technical Preview or later) helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
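Review bot: the prerequisite in the intro paragraph and in the table row moves from Configuration Manager "version 1511 or later" to "version 1605 Technical Preview or later", but the text does not say whether the released 1511 branch it previously named no longer supports EDP policy or merely lacks the UI for it; add a sentence stating which, since readers on the released branch otherwise cannot tell whether the Configuration Manager row applies to them. "Or later" after a Technical Preview build is also ambiguous (later preview builds, or the next released branch that ships the feature); say which is meant.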
diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md
index 1603119340..8f09a2e896 100644
--- a/windows/keep-secure/protect-enterprise-data-using-edp.md
+++ b/windows/keep-secure/protect-enterprise-data-using-edp.md
@@ -2,7 +2,7 @@
title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10)
description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control.
ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
-keywords: EDP, enterprise data protection
+keywords: EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
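Review bot: the keywords change capitalizes "Enterprise Data Protection" while the title on the line above and the body of the page keep "enterprise data protection (EDP)" in lowercase; keep the casing consistent with the title, or change both together.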
@@ -18,34 +18,34 @@ author: eross-msft
[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside EDP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise-aware version of a rights management mail client.
+Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
## Prerequisites
You’ll need this software to run EDP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
-|Windows 10 Insider Preview | Microsoft Intune
-OR-
System Center Configuration Manager (version 1511 or later)
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
+|Windows 10 Insider Preview | Microsoft Intune
-OR-
System Center Configuration Manager (version 1605 Tech Preview or later)
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
## How EDP works
EDP helps address your everyday challenges in the enterprise. Including:
-- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
+- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
-- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices.
+- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices.
-- Helping to maintain the ownership and control of your enterprise data.
+- Helping to maintain the ownership and control of your enterprise data.
-- Helping control the network and data access and data sharing for apps that aren’t enterprise-aware.
+- Helping control the network and data access and data sharing for apps that aren’t enterprise aware.
### EDP-protection modes
You can set EDP to 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
-|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
|Off |EDP is turned off and doesn't help to protect or audit your data.After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
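Review bot: the edit to the first example sentence changes its meaning: `sends the latest engineering pictures to their personal email account` describes enterprise data leaving the enterprise, while the new `from their personal email account` no longer illustrates the leak scenario the paragraph is introducing. Restore `to` (or reword it, for example `forwards the latest engineering pictures to their personal email account`). Two smaller points in the same hunk: the prerequisites table row is still split over five physical lines with each `-OR-` on its own line, which a Markdown table renderer will not treat as a single cell (join the row with `<br>` separators or list the alternatives under the table), and the Block-mode wording `sharing info across non-enterprise-protected apps` is vaguer than the original `sharing enterprise data to non-enterprise-protected apps` because it drops both what is shared and the direction of the share.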
@@ -60,20 +60,32 @@ EDP gives you a new way to manage data policy enforcement for apps and documents
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
- - **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to Block, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+ - **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your EDP management-mode.
You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list.
+ - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps that aren’t on this list are blocked from accessing your enterprise network resources and your EDP-protected data.
+ You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list.
- - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list.
+ - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list.
- - **Data encryption at rest.** EDP helps protect enterprise data on local files and on removable media.
Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
+ - **Continuous data encryption.** EDP helps protect enterprise data on local files and on removable media.
+ Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
- - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
+ - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your **Protected App** list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your **Protected Apps** list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption.
- **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
**Note**
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+## Current limitations with EDP
+EDP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an EDP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the EDP-protected data must be stored on NTFS, FAT, or ExFAT file systems.
+
+Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with EDP, and the recommended workarounds.
+
+|EDP scenario |Without Azure Rights Management |Workaround |
+|-------------|--------------------------------|-----------|
+|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
+|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.
For more info about adding apps to the **Protected App** list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution.
+
## Next steps
After deciding to use EDP in your enterprise, you need to:
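Review bot: the renamed list is spelled inconsistently within this hunk: the new text uses `**Protected App** list` in the managed-apps, data-access and public-cloud bullets and in the limitations table, but the same public-cloud bullet also says `on your **Protected Apps** list, like Microsoft OneDrive for Business`. Pick one form (the actual UI label) and use it throughout. The two rows of the new limitations table each continue onto a second physical line (`We strongly recommend educating employees...` and `For more info about adding apps...`), so the table will not render; join each row onto one line with `<br>` or move those sentences below the table. Finally, the managed-apps bullet now states unconditionally that unlisted apps `are blocked from accessing your enterprise network resources and your EDP-protected data`, dropping the original `depending on your EDP management-mode`; that is not true in Off mode, which the modes table above says `doesn't help to protect or audit your data`, so consider keeping the qualifier.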
diff --git a/windows/keep-secure/security-identifiers.md b/windows/keep-secure/security-identifiers.md
new file mode 100644
index 0000000000..72f2b8e95b
--- /dev/null
+++ b/windows/keep-secure/security-identifiers.md
@@ -0,0 +1,279 @@
+---
+title: Security identifiers (Windows 10)
+description: Security identifiers
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Security identifiers
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system.
+
+## What are security identifiers?
+
+A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.
+
+Each account or group, or process running in the security context of the account, has a unique SID that is issued by an authority, such as a Windows domain controller. It is stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group.
+
+Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
+
+In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. Well-known SIDs have values that remain constant across all operating systems.
+
+SIDs are a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
+
+The content in this topic applies to computers that are running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic.
+
+## How security identifiers work
+
+Users refer to accounts by using the account name, but the operating system internally refers to accounts and processes that run in the security context of the account by using their security identifiers (SIDs). For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local), and they are never reused.
+
+The operating system generates a SID that identifies a particular account or group at the time the account or group is created. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer, and it is stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority, and it is stored as an attribute of the User or Group object in Active Directory Domain Services.
+
+For every local account and group, the SID is unique for the computer where it was created. No two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. This means that the SID for an account or group that is created in one domain will never match the SID for an account or group created in any other domain in the enterprise.
+
+SIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts. For example, if a user with a user account in a Windows domain leaves her job, an administrator deletes her Active Directory account, including the SID that identifies the account. If she later returns to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID does not match the old one; so none of the user's access from her old account is transferred to the new account. Her two accounts represent two completely different security principals.
+
+## Security identifier architecture
+
+A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
+
+
+
+The individual values of a SID are described in the following table.
+
+| Comment | Description |
+| - | - |
+| Revision | Indicates the version of the SID structure that is used in a particular SID. |
+| Identifier authority | Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority). |
+| Subauthorities | >Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, which is called the relative identifier (RID), identifies a particular account or group relative to a domain. |
+
+The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation:
+```
+S-R-X-Y1-Y2-Yn-1-Yn
+```
+
+In this notation, the components of a SID are represented as shown in the following table.
+
+| Comment | Description |
+| - | - |
+| S | Indicates that the string is a SID |
+| R | Indicates the revision level |
+| X | Indicates the identifier authority value |
+| Y | Represents a series of subauthority values, where *n* is the number of values |
+
+The SID's most important information is contained in the series of subauthority values. The first part of the series (-Y1-Y2-Y*n*-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier.
+
+The last item in the series of subauthority values (-Y*n*) is the relative identifier. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier.
+
+For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:
+
+```
+S-1-5-32-544
+```
+
+This SID has four components:
+
+- A revision level (1)
+
+- An identifier authority value (5, NT Authority)
+
+- A domain identifier (32, Builtin)
+
+- A relative identifier (544, Administrators)
+
+SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain **Builtin**, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope. They are local to a single computer, or in the case of domain controllers for a network domain, they are local to several computers that are acting as one.
+
+Built-in accounts and groups need to be distinguished from one another within the scope of the **Builtin** domain. Therefore, the SID for each account and group has a unique relative identifier. A relative identifier value of 544 is unique to the built-in Administrators group. No other account or group in the **Builtin** domain has a SID with a final value of 544.
+
+In another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following example represents the SID for the Domain Admins group in the Contoso, Ltd. domain (Contoso\\Domain Admins):
+
+```
+S-1-5-21-1004336348-1177238915-682003330-512
+```
+
+The SID for Contoso\\Domain Admins has:
+
+- A revision level (1)
+
+- An identifier authority (5, NT Authority)
+
+- A domain identifier (21-1004336348-1177238915-682003330, Contoso)
+
+- A relative identifier (512, Domain Admins)
+
+The SID for Contoso\\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same enterprise by its domain identifier: 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this value as its domain identifier. The SID for Contoso\\Domain Admins is distinguished from the SIDs for other accounts and groups that are created in the Contoso domain by its relative identifier, 512. No other account or group in the domain has a SID with a final value of 512.
+
+## Relative identifier allocation
+
+When accounts and groups are stored in an account database that is managed by a local Security Accounts Manager (SAM), it is fairly easy for the system to generate a unique relative identifier for each account and in a group that it creates on a stand-alone computer. The SAM on a stand-alone computer can track the relative identifier values that it has used before and make sure that it never uses them again.
+
+In a network domain, however, generating unique relative identifiers is a more complex process. Windows Server network domains can have several domain controllers. Each domain controller stores Active Directory account information. This means that, in a network domain, there are as many copies of the account database as there are domain controllers. In addition to this, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.
+
+The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID. The relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller requests another block from the RID master.
+
+Each domain controller uses each value in a block of relative identifiers only once. The RID master allocates each block of relative identifier values only once. This process assures that every account and group created in the domain has a unique relative identifier.
+
+## Security identifiers and globally unique identifiers
+
+When a new domain user or group account is created, Active Directory stores the account's SID in the **ObjectSID** property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise, but also across the world. GUIDs are assigned to every object that is created by Active Directory, not only User and Group objects. Each object's GUID is stored in its **ObjectGUID** property.
+
+Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object GUID produces results if the user has an account somewhere in the enterprise. In fact, searching for any object by **ObjectGUID** might be the most reliable way of finding the object you want to locate. The values of other object properties can change, but the **ObjectGUID** property never changes. When an object is assigned a GUID, it keeps that value for life.
+
+If a user moves from one domain to another, the user gets a new SID. The SID for a group object does not change because groups stay in the domain where they were created. However, if people move, their accounts can move with them. If an employee moves from North America to Europe, but stays in the same company, an administrator for the enterprise can move the employee's User object from, for example, Contoso\\NoAm to Contoso\\Europe. If the administrator does this, the User object for the account needs a new SID. The domain identifier portion of a SID that is issued in NoAm is unique to NoAm; so the SID for the user's account in Europe has a different domain identifier. The relative identifier portion of a SID is unique relative to the domain; so if the domain changes, the relative identifier also changes.
+
+When a User object moves from one domain to another, a new SID must be generated for the user account and stored in the **ObjectSID** property. Before the new value is written to the property, the previous value is copied to another property of a User object, **SIDHistory**. This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the **ObjectSID** property, and another value is added to the list of old SIDs in **SIDHistory**. When a user signs in and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user, including the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client, and they are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token (including one of the SIDs in **SIDHistory**), can allow or deny the user access.
+
+If you allow or deny users' access to a resource based on their jobs, you should allow or deny access to a group, not to an individual. That way, when users change jobs or move to other departments, you can easily adjust their access by removing them from certain groups and adding them to others.
+
+However, if you allow or deny an individual user access to resources, you probably want that user's access to remain the same no matter how many times the user's account domain changes. The **SIDHistory** property makes this possible. When a user changes domains, there is no need to change the access control list (ACL) on any resource. If an ACL has the user's old SID, but not the new one, the old SID is still in the user's access token. It is listed among the SIDs for the user's groups, and the user is granted or denied access based on the old SID.
+
+## Well-known SIDs
+
+The values of certain SIDs are constant across all systems. They are created when the operating system or domain is installed. They are called well-known SIDs because they identify generic users or generic groups.
+
+There are universal well-known SIDs that are meaningful on all secure systems that use this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows operating systems.
+
+The following table lists the universal well-known SIDs.
+
+| Value | Universal Well-Known SID | Identifies |
+| - | - | - |
+| S-1-0-0 | Null SID | A group with no members. This is often used when a SID value is not known.|
+| S-1-1-0 | World | A group that includes all users. |
+| S-1-2-0 | Local | Users who log on to terminals that are locally (physically) connected to the system. |
+| S-1-2-1 | Console Logon | A group that includes users who are logged on to the physical console. |
+| S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. |
+| S-1-3-1 | Creator Group ID | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. |
+| S-1-3-2 | Creator Owner Server | |
+| S-1-3-3 | Creator Group Server | |
+| S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. |
+| S-1-4 | Non-unique Authority | A SID that represents an identifier authority. |
+| S-1-5 | NT Authority | A SID that represents an identifier authority. |
+| S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.|
+
+The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the last value is used with well-known SIDs in Windows operating systems designated in the **Applies To** list.
+
+| Identifier Authority | Value | SID String Prefix |
+| - | - | - |
+| SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 |
+| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
+| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
+| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
+
+The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
+
+| Relative Identifier Authority | Value | Identifier Authority |
+| - | - | - |
+| SECURITY_NULL_RID | 0 | S-1-0 |
+| SECURITY_WORLD_RID | 0 | S-1-1 |
+| SECURITY_LOCAL_RID | 0 | S-1-2 |
+| SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 |
+| SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 |
+
+The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal and are meaningful only in installations of the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. The following table lists the well-known SIDs.
+
+| SID | Display Name | Description |
+| - | - | - |
+| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.|
+| S-1-5-113 | Local account| You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named.|
+| S-1-5-114| Local account and member of Administrators group | You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named. |
+| S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.|
+| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.|
+| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.|
+| S-1-5-5- *X *- *Y * | Logon Session| The *X * and *Y * values for these SIDs uniquely identify a particular logon session.|
+| S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.|
+| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName *, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName * (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
+| S-1-5-8| Proxy| Does not currently apply: this SID is not used.|
+| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.|
+| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.|
+| S-1-5-11 | Authenticated Users| A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.
This group includes authenticated security principals from any trusted domain, not only the current domain.|
+| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.|
+| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.|
+| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.|
+| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.|
+| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.|
+| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.|
+| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.|
+| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.|
+| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.
By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.|
+| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.
By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.
Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.|
+| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.|
+| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.
Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.|
+| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.|
+| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.|
+| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.|
+| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.|
+| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.
Cert Publishers are authorized to publish certificates for User objects in Active Directory.|
+| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.|
+| S-1-5-*root domain*-519| Enterprise Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.
The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities.
By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. |
+| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.|
+| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.|
+| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.|
+| Users | S-1-5-32-545| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.|
+| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.|
+| S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
+| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.|
+| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.|
+| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.|
+| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
+| S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.|
+| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client|
+| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.|
+| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.|
+| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.|
+| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.|
+| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). |
+| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.|
+| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.|
+| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.|
+| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.|
+| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.|
+| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.|
+| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.|
+| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.|
+
+The following RIDs are relative to each domain.
+
+| RID | Identifies |
+| - | - |
+| DOMAIN_USER_RID_ADMIN | The administrative user account in a domain. |
+| DOMAIN_USER_RID_GUEST| The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.|
+| DOMAIN_GROUP_RID_USERS | A group that contains all user accounts in a domain. All users are automatically added to this group.|
+| DOMAIN_GROUP_RID_GUESTS | The group Guest account in a domain.|
+| DOMAIN_GROUP_RID_COMPUTERS | The Domain Computer group. All computers in the domain are members of this group.|
+| DOMAIN_GROUP_RID_CONTROLLERS | The Domain Controller group. All domain controllers in the domain are members of this group.|
+| DOMAIN_GROUP_RID_CERT_ADMINS | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.|
+| DOMAIN_GROUP_RID_SCHEMA_ADMINS | The schema administrators' group. Members of this group can modify the Active Directory schema.|
+| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.|
+| DOMAIN_GROUP_RID_POLICY_ADMINS| The policy administrators' group.|
+
+The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups.
+
+
+| RID | Identifies |
+| - | - |
+| DOMAIN_ALIAS_RID_ADMINS | Administrators of the domain.|
+| DOMAIN_ALIAS_RID_USERS | All users in the domain.|
+| DOMAIN_ALIAS_RID_GUESTS | Guests of the domain.|
+| DOMAIN_ALIAS_RID_POWER_USERS | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.|
+| DOMAIN_ALIAS_RID_BACKUP_OPS | A local group that is used to control the assignment of file backup-and-restore user rights.|
+| DOMAIN_ALIAS_RID_REPLICATOR | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.|
+| DOMAIN_ALIAS_RID_RAS_SERVERS | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.|
+
+## Changes in security identifier's functionality
+
+The following table describes changes in SID implementation in the Windows operating systems that are designated in the list.
+
+| Change | Operating system version | Description and resources |
+| - | - | - |
+| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. |
+| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. |
+
+## See also
+
+- [Access Control Overview](access-control.md)
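Review bot: several rows of the well-known SID table in this hunk will not render as a table. The row `| Users | S-1-5-32-545| A built-in group. ...` has the SID and Display Name columns swapped relative to every other row (it should read `| S-1-5-32-545 | Users | ...`); the Backup Operators row (`| S-1-5-32-551 | Backup Operators| ... shut it down.`) is missing its closing `|`; and the cells for Anonymous Logon, Authenticated Users, System, Administrator, Guest, Domain Admins, Cert Publishers, Enterprise Admins, Group Policy Creator Owners and RAS and IAS Servers span multiple source lines, which Markdown tables do not support, so each cell should be joined onto one line (with `<br>` where a break is wanted). Further points in the same hunk: the emphasis markers in `S-1-5-5- *X *- *Y *` and `IUSR_ *ComputerName *` contain stray spaces and will render literally rather than as italics; the Server Operators description carries a leftover `Description:` prefix; the sentence above the identifier-authority table says "the last value is used with well-known SIDs" but the table lists only four values, so a row for SECURITY_NT_AUTHORITY (value 5, prefix S-1-5, which the later text introduces) appears to be missing; S-1-5-80-0 (All Services) is listed both in the universal well-known SIDs table and in the S-1-5 table, and since the text states that S-1-5 SIDs are not universal the first occurrence should be dropped; the NTLM Authentication description lacks a trailing period; there is a doubled blank line before the DOMAIN_ALIAS table; and the heading "Changes in security identifier's functionality" should read "Changes in security identifiers' functionality".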
diff --git a/windows/keep-secure/security-principals.md b/windows/keep-secure/security-principals.md
new file mode 100644
index 0000000000..8bf4f7abd7
--- /dev/null
+++ b/windows/keep-secure/security-principals.md
@@ -0,0 +1,143 @@
+---
+title: Security Principals (Windows 10)
+description: Security Principals
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Security Principals
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals.
+
+## What are security principals?
+
+
+Security principals are any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts. Security principals have long been a foundation for controlling access to securable resources on Windows computers. Each security principal is represented in the operating system by a unique security identifier (SID).
+
+The following content applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic.
+
+## How security principals work
+
+
+Security principals that are created in an Active Directory domain are Active Directory objects, which can be used to manage access to domain resources. Each security principal is assigned a unique identifier, which it retains for its entire lifetime. Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are managed by the Security Accounts Manager (SAM) on the local computer.
+
+### Authorization and access control components
+
+The following diagram illustrates the Windows authorization and access control process. In this diagram, the subject (a process that is initiated by a user) attempts to access an object, such as a shared folder. The information in the user’s access token is compared to the access control entries (ACEs) in the object’s security descriptor, and the access decision is made. The SIDs of security principals are used in the user’s access token and in the ACEs in the object’s security descriptor.
+
+**Authorization and access control process**
+
+
+
+Security principals are closely related to the following components and technologies:
+
+- [Security identifiers](#bkmk-sids)
+
+- [Access tokens](#bkmk-accesstokens)
+
+- [Security descriptors and access control lists](#bkmk-sdandacls)
+
+- [Permissions](#bkmk-permissions)
+
+### Security identifiers
+
+Security identifiers (SIDs) provide a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
+
+A SID is a value of variable length that is used to uniquely identify a security principal that represents any entity that can be authenticated by the system. These entities include a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. Each security principal is automatically assigned a SID when it is created. The SID is stored in a security database. When a SID is used as the unique identifier for a user or group, it can never be used to identify another user or group.
+
+Each time a user signs in, the system creates an access token for that user. The access token contains the user’s SID, user rights, and the SIDs for groups that the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
+
+In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and the World SIDs identify groups that includes all users. Well-known SIDs have values that remain constant across all operating systems.
+
+### Access tokens
+
+An access token is a protected object that contains information about the identity and user rights that are associated with a user account.
+
+When a user signs in interactively or tries to make a network connection to a computer running Windows, the sign-in process authenticates the user’s credentials. If authentication is successful, the process returns a SID for the user and a list of SIDs for the user’s security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token (in this case, the primary access token). This includes the SIDs that are returned by the sign-in process and a list of user rights that are assigned by the local security policy to the user and to the user’s security groups.
+
+After the LSA creates the primary access token, a copy of the access token is attached to every thread and process that executes on the user’s behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires user rights, the operating system checks the access token that is associated with the thread to determine the level of authorization.
+
+There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account that is associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation tokens, on the other hand, are usually used for client and server scenarios. Impersonation tokens enable a thread to run in a security context that differs from the security context of the process that owns the thread.
+
+### Security descriptors and access control lists
+
+A security descriptor is a data structure that is associated with each securable object. All objects in Active Directory and all securable objects on a local computer or on the network have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object’s security descriptor can contain two types of ACLs:
+
+- A discretionary access control list (DACL), which identifies the users and groups who are allowed or denied access
+
+- A system access control list (SACL), which controls how access is audited
+
+You can use this access control model to individually secure objects and attributes such as files and folders, Active Directory objects, registry keys, printers, devices, ports, services, processes, and threads. Because of this individual control, you can adjust the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined.
+
+### Permissions
+
+Permissions enable the owner of each securable object, such as a file, Active Directory object, or registry key, to control who can perform an operation or a set of operations on the object or object property. Permissions are expressed in the security architecture as access control entries (ACEs). Because access to an object is at the discretion of the object’s owner, the type of access control that is used in Windows is called discretionary access control.
+
+Permissions are different from user rights in that permissions are attached to objects, and user rights apply to user accounts. Administrators can assign user rights to groups or users. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
+
+On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
+
+For information about which user rights are available and how they can be implemented, see [User Rights Assignment](user-rights-assignment.md).
+
+### Security context in authentication
+
+A user account enables a user to sign in to computers, networks, and domains with an identity that can be authenticated by the computer, network, or domain.
+
+In Windows, any user, service, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or domain-based. For example, domain-joined Windows client computers can participate in a network domain by communicating with a domain controller, even when no user is signed in.
+
+To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the Local Security Authority on the domain controller authenticates the computer’s identity and then defines the computer’s security context just as it would for a user’s security principal.
+
+This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, group or computer on a network. For example, it defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by a user, service, or computer on that resource.
+
+The security context of a user or computer can vary from one computer to another, such as when a user authenticates to a server or a workstation other than the user’s primary workstation. It can also vary from one session to another, such as when an administrator modifies the user’s rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a mixed network domain, or as part of an Active Directory domain.
+
+## Accounts and security groups
+
+
+Accounts and security groups that are created in an Active Directory domain are stored in the Active Directory database and managed by using Active Directory tools. These security principals are directory objects, and they can be used to manage access to domain resources.
+
+Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are stored in and managed by the Security Accounts Manager (SAM) on the local computer.
+
+### User accounts
+
+A user account uniquely identifies a person who is using a computer system. The account signals the system to enforce the appropriate authorization to allow or deny that user access to resources. User accounts can be created in Active Directory and on local computers, and administrators use them to:
+
+- Represent, identify, and authenticate the identity of a user. A user account enables a user to sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.
+
+- Authorize (grant or deny) access to resources. After a user has been authenticated, the user is authorized access to resources based on the permissions that are assigned to that user for the resource.
+
+- Audit the actions that are carried out on a user account.
+
+Windows and the Windows Server operating systems have built-in user accounts, or you can create user accounts to meet the requirements of your organization.
+
+### Security groups
+
+A security group is a collection of user accounts, computer accounts, and other groups of accounts that can be managed as a single unit from a security perspective. In Windows operating systems, there are several built-in security groups that are preconfigured with the appropriate rights and permissions for performing specific tasks. Additionally, you can (and, typically, will) create a security group for each unique combination of security requirements that applies to multiple users in your organization.
+
+Groups can be Active Directory-based or local to a particular computer:
+
+- Active Directory security groups are used to manage rights and permissions to domain resources.
+
+- Local groups exist in the SAM database on local computers (on all Windows-based computers) except domain controllers. You use local groups to manage rights and permissions only to resources on the local computer.
+
+By using security groups to manage access control, you can:
+
+- Simplify administration. You can assign a common set of rights, a common set of permissions, or both to many accounts at one time, rather than assigning them to each account individually. Also, when users transfer jobs or leave the organization, permissions are not tied to their user accounts, making permission reassignment or removal easier.
+
+- Implement a role-based access-control model. You can use this model to grant permissions by using groups with different scopes for appropriate purposes. Scopes that are available in Windows include local, global, domain local, and universal.
+
+- Minimize the size of access control lists (ACLs) and speed security checking. A security group has its own SID; therefore, the group SID can be used to specify permissions for a resource. In an environment with more than a few thousand users, if the SIDs of individual user accounts are used to specify access to a resource, the ACL of that resource can become unmanageably large, and the time that is needed for the system to check permissions to the resource can become unacceptable.
+
+For descriptions and settings information about the domain security groups that are defined in Active Directory, see [Active Directory Security Groups](active-directory-security-groups.md).
+
+For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md).
+
+## See also
+
+- [Access Control Overview](access-control.md)
\ No newline at end of file
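Review bot: the Local groups bullet (`+- Local groups exist in the SAM database on local computers (on all Windows-based computers) except domain controllers.`) is garbled; the parenthetical lands between the noun and its exception, so it reads as if the exception qualifies "all Windows-based computers". Suggest "Local groups exist in the SAM database of every Windows-based computer except domain controllers." Two smaller points: "the Special Identities group" in the second cross-reference names a single group, but the special-identities.md added in this same change describes several special identity groups, so "the special identity groups" would match that page; and the file is written without a trailing newline (`\ No newline at end of file`), which will show up as noise in the next edit to this file.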
diff --git a/windows/keep-secure/security-technologies.md b/windows/keep-secure/security-technologies.md
index 19a6af38ba..8bd5183126 100644
--- a/windows/keep-secure/security-technologies.md
+++ b/windows/keep-secure/security-technologies.md
@@ -15,6 +15,7 @@ Learn more about the different security technologies that are available in Windo
| Topic | Description |
|-|-|
+| [Access control](access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [AppLocker](applocker-overview.md)| This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.|
| [BitLocker](bitlocker-overview.md)| This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.|
| [Encrypted Hard Drive](encrypted-hard-drive.md) | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
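Review bot: the new Access control row links to access-control.md, and the See also lists in security-principals.md and special-identities.md in this same change point at it too, but no hunk here adds that file; confirm it is part of this commit, otherwise all three become broken links. Style nit: the neighbouring rows open with "This topic provides ..." while this one opens with "Describes ..."; aligning the phrasing keeps the table uniform.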
diff --git a/windows/keep-secure/service-accounts.md b/windows/keep-secure/service-accounts.md
new file mode 100644
index 0000000000..e326562c98
--- /dev/null
+++ b/windows/keep-secure/service-accounts.md
@@ -0,0 +1,109 @@
+---
+title: Service Accounts (Windows 10)
+description: Service Accounts
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Service Accounts
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts.
+
+## Overview
+
+
+A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service's ability to access local and network resources. The Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell.
+
+This topic contains information about the following types of service accounts:
+
+- [Standalone managed service accounts](#bkmk-standalonemanagedserviceaccounts)
+
+- [Group managed service accounts](#bkmk-groupmanagedserviceaccounts)
+
+- [Virtual accounts](#bkmk-virtualserviceaccounts)
+
+### Standalone managed service accounts
+
+A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts.
+
+To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group managed service account. For more information, see [Group Managed Service Accounts Overview](https://technet.microsoft.com/library/hh831782(v=ws.11).aspx).
+
+In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:
+
+- You can create a class of domain accounts that can be used to manage and maintain services on local computers.
+
+- Unlike domain accounts in which administrators must reset manually passwords, the network passwords for these accounts are automatically reset.
+
+- You do not have to complete complex SPN management tasks to use managed service accounts.
+
+- Administrative tasks for managed service accounts can be delegated to non-administrators.
+
+### Software requirements
+
+Managed service accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic.
+
+### Group managed service accounts
+
+Group managed service accounts are an extension of the standalone managed service accounts, which were introduced in Windows Server 2008 R2. These are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators.
+
+The group managed service account provides the same functionality as a standalone managed service account within the domain, but it extends that functionality over multiple servers. When connecting to a service that is hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual authentication require all instances of the services to use the same principal. When group managed service accounts are used as service principals, the Windows Server operating system manages the password for the account instead of relying on the administrator to manage the password.
+
+The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account. This service was introduced in Windows Server 2012, and it does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret, which is used to create keys for the account. These keys are periodically changed. For a group managed service account, the domain controller computes the password on the key that is provided by the Key Distribution Services, in addition to other attributes of the group managed service account.
+
+### Practical applications
+
+Group managed service accounts provide a single identity solution for services running on a server farm, or on systems that use Network Load Balancing. By providing a group managed service account solution, services can be configured for the group managed service account principal, and the password management is handled by the operating system.
+
+By using a group managed service account, services or service administrators do not need to manage password synchronization between service instances. The group managed service account supports hosts that are kept offline for an extended time period and the management of member hosts for all instances of a service. This means that you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.
+
+Failover clusters do not support group managed service account s. However, services that run on top of the Cluster service can use a group managed service account or a standalone managed service account if they are a Windows service, an App pool, a scheduled task, or if they natively support group managed service account or standalone managed service accounts.
+
+### Software requirements
+
+Group managed service accounts can only be configured and administered on computers running at least Windows Server 2012, but they can be deployed as a single service identity solution in domains that still have domain controllers running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements.
+
+A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group managed service accounts.
+
+A managed service account is dependent on encryption types supported by Kerberos. When a client computer authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that the domain controller and the server support. The domain controller uses the account’s **msDS-SupportedEncryptionTypes** attribute to determine what encryption the server supports, and if there is no attribute, it assumes that the client computer does not support stronger encryption types. The Advanced Encryption Standard (AES) should always be explicitly configured for managed service accounts. If computers that host the managed service account are configured to not support RC4, authentication will always fail.
+
+**Note**
+Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](http://technet.microsoft.com/library/dd560670(WS.10).aspx).
+
+
+
+Group managed service accounts are not applicable in Windows operating systems prior to Windows Server 2012.
+
+### Virtual accounts
+
+Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration:
+
+- The virtual account is automatically managed.
+
+- The virtual account can access the network in a domain environment.
+
+- No password management is required. For example, if the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\\<SERVICENAME>.
+
+Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain\_name>\\<computer\_name>$.
+
+For information about how to configure and use virtual service accounts, see [Service Accounts Step-by-Step Guide](http://technet.microsoft.com/library/dd548356.aspx).
+
+### Software requirements
+
+Virtual accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic.
+
+## See also
+
+
+The following table provides links to additional resources that are related to standalone managed service accounts, group managed service accounts, and virtual accounts.
+
+| Content type | References |
+|---------------|-------------|
+| **Product evaluation** | [What's New for Managed Service Accounts](https://technet.microsoft.com/library/hh831451(v=ws.11).aspx)
[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx) |
+| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
+| **Related technologies** | [Security Principals](security-principals.md)
[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) |
\ No newline at end of file
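Review bot: the three in-page links in the Overview list (`#bkmk-standalonemanagedserviceaccounts`, `#bkmk-groupmanagedserviceaccounts`, `#bkmk-virtualserviceaccounts`) have no matching anchors. The targets are plain Markdown headings (`### Standalone managed service accounts` and so on), whose generated IDs come from the heading text, so the links are dead as written; point them at the heading-derived IDs or add explicit `<a id="bkmk-...">` anchors. Related: the file has three identical `### Software requirements` headings, which makes any anchor to them ambiguous; fold each into its parent section or qualify the heading per account type. On content, the Kerberos paragraph ends "If computers that host the managed service account are configured to not support RC4, authentication will always fail", which contradicts the sentence before it telling the reader to configure AES explicitly. The paragraph itself gives the real condition: when **msDS-SupportedEncryptionTypes** is absent the domain controller assumes only the weaker types are supported, so the failure applies when the attribute is not set (or lists only RC4) and RC4 is disabled on the host; state it that way. Typos: "administrators must reset manually passwords" (manually reset), "group managed service account s" (accounts), and "virtual computer account" in the intro should match the "Virtual accounts" section it introduces. Finally, the See also table puts two links in one cell on separate lines in the Product evaluation and Related technologies rows, which breaks the Markdown table; join them with `<br>` or give each link its own row.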
diff --git a/windows/keep-secure/special-identities.md b/windows/keep-secure/special-identities.md
new file mode 100644
index 0000000000..2e3aa71e3e
--- /dev/null
+++ b/windows/keep-secure/special-identities.md
@@ -0,0 +1,1011 @@
+---
+title: Special Identities (Windows 10)
+description: Special Identities
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+---
+
+# Special Identities
+
+**Applies to**
+- Windows Server 2016
+
+This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
+
+Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can:
+
+- Assign user rights to security groups in Active Directory.
+
+- Assign permissions to security groups for the purpose of accessing resources.
+
+Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
+
+Although the special identity groups can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identity groups. Users are automatically assigned to these special identity groups whenever they sign in or access a particular resource.
+
+For information about security groups and group scope, see [Active Directory Security Groups](active-directory-security-groups.md).
+
+The special identity groups are described in the following tables.
+
+- [Anonymous Logon](#bkmk-anonymouslogon)
+
+- [Authenticated User](#bkmk-authenticateduser)
+
+- [Batch](#bkmk-batch)
+
+- [Creator Group](#bkmk-creatorgroup)
+
+- [Creator Owner](#bkmk-creatorowner)
+
+- [Dialup](#bkmk-dialup)
+
+- [Digest Authentication](#bkmk-digestauth)
+
+- [Enterprise Domain Controllers](#bkmk-entdcs)
+
+- [Everyone](#bkmk-everyone)
+
+- [Interactive](#bkmk-interactive)
+
+- [Local Service](#bkmk-localservice)
+
+- [LocalSystem](#bkmk-localsystem)
+
+- [Network](#bkmk-network)
+
+- [Network Service](#bkmk-networkservice)
+
+- [NTLM Authentication](#bkmk-ntlmauth)
+
+- [Other Organization](#bkmk-otherorganization)
+
+- [Principal Self](#bkmk-principalself)
+
+- [Remote Interactive Logon](#bkmk-remoteinteractivelogon)
+
+- [Restricted](#bkmk-restrictedcode)
+
+- [SChannel Authentication](#bkmk-schannelauth)
+
+- [Service](#bkmk-service)
+
+- [Terminal Server User](#bkmk-terminalserveruser)
+
+- [This Organization](#bkmk-thisorg)
+
+- [Window Manager\\Window Manager Group](#bkmk-windowmanager)
+
+## Anonymous Logon
+
+
+Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-7 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Authenticated Users
+
+
+Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-11 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight
+[Add workstations to domain](add-workstations-to-domain.md): SeMachineAccountPrivilege
+[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege |
+
+
+
+
+
+
+## Batch
+
+
+Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-3 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Creator Group
+
+
+The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory.
+
+A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-3-1 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Creator Owner
+
+
+The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-3-0 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Dialup
+
+
+Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-1 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Digest Authentication
+
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-64-21 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Enterprise Domain Controllers
+
+
+This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-9 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights Assignment |
+[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight
+[Allow log on locally](allow-log-on-locally.md): SeInteractiveLogonRight |
+
+
+
+
+
+
+## Everyone
+
+
+All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
+
+On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed).
+
+Membership is controlled by the operating system.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-1-0 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+[Access this computer from the network](access-this-computer-from-the-network.md): SeNetworkLogonRight
+[Act as part of the operating system](act-as-part-of-the-operating-system.md): SeTcbPrivilege
+[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege |
+
+
+
+
+
+
+## Interactive
+
+
+Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-4 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Local Service
+
+
+The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-19 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default user rights |
+[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege
+[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege
+[Change the system time](change-the-system-time.md): SeSystemtimePrivilege
+[Change the time zone](change-the-time-zone.md): SeTimeZonePrivilege
+[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege
+[Generate security audits](generate-security-audits.md): SeAuditPrivilege
+[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege
+[Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege |
+
+
+
+
+
+
+## LocalSystem
+
+
+This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-18 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Network
+
+
+This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-2 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Network Service
+
+
+The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-20 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+[Adjust memory quotas for a process](adjust-memory-quotas-for-a-process.md): SeIncreaseQuotaPrivilege
+[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege
+[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege
+[Generate security audits](generate-security-audits.md): SeAuditPrivilege
+[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege
+[Restore files and directories](restore-files-and-directories.md): SeRestorePrivilege
+[Replace a process level token](replace-a-process-level-token.md): SeAssignPrimaryTokenPrivilege |
+
+
+
+
+
+
+## NTLM Authentication
+
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-64-10 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Other Organization
+
+
+This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-1000 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Principal Self
+
+
+This identify is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-10 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Remote Interactive Logon
+
+
+This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-14 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Restricted
+
+
+Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-12 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## SChannel Authentication
+
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-64-14 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Service
+
+
+Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-6 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+[Create global objects](create-global-objects.md): SeCreateGlobalPrivilege
+[Impersonate a client after authentication](impersonate-a-client-after-authentication.md): SeImpersonatePrivilege |
+
+
+
+
+
+
+## Terminal Server User
+
+
+Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system.
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-13 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## This Organization
+
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-15 |
+
+
+Object Class |
+Foreign Security Principal |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+None |
+
+
+
+
+
+
+## Window Manager\\Window Manager Group
+
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+ |
+
+
+Object Class |
+ |
+
+
+Default Location in Active Directory |
+cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
+
+
+Default User Rights |
+[Bypass traverse checking](bypass-traverse-checking.md): SeChangeNotifyPrivilege
+[Increase a process working set](increase-a-process-working-set.md): SeIncreaseWorkingSetPrivilege |
+
+
+
+
+## See also
+
+- [Active Directory Security Groups](active-directory-security-groups.md)
+
+- [Security Principals](security-principals.md)
+
+- [Access Control Overview](access-control.md)
\ No newline at end of file
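Review bot: the Everyone entry lists "Act as part of the operating system: SeTcbPrivilege" among its default user rights. That privilege lets a process act as the trusted computing base; handing it to every authenticated user and Guest by default would defeat the access control model this page describes, and no other identity in the file is listed with it (LocalSystem itself shows "None"). Please verify against the default user rights assignment before this ships and, if it is a copy error, drop that line. Second content problem: the Other Organization description ("all users who are logged on to the system through a dial-up connection") duplicates the Dialup entry; S-1-5-1000 is the counterpart of This Organization (S-1-5-15) and applies to users authenticating from another forest, so it needs its own text. Structure: the per-identity tables are not valid Markdown tables as written (rows such as `Well-Known SID/RID |` and `S-1-5-7 |` have no leading pipe, there is no header separator row, and each row is spread over runs of blank lines), so they will render as run-on text; use pipe tables or HTML `<table>` markup. The `#bkmk-...` links in the identity list have no matching anchors in the plain Markdown headings, and some list entries do not match their heading ("Authenticated User" vs `## Authenticated Users`, "Restricted" vs `#bkmk-restrictedcode`). The title says "(Windows 10)" while Applies to lists only Windows Server 2016. Digest Authentication, NTLM Authentication, SChannel Authentication, This Organization and Window Manager each have a table but no description, and Window Manager's SID and Object Class cells are empty. Minor: "This identify is a placeholder" (identity) under Principal Self, and the labels "Default User Rights Assignment" (Enterprise Domain Controllers) and "Default user rights" (Local Service) differ from the "Default User Rights" label used elsewhere.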
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
new file mode 100644
index 0000000000..e81dff792a
--- /dev/null
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
@@ -0,0 +1,43 @@
+---
+title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10
+description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender.
+keywords: scan, command line, mpcmdrun, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Use PowerShell cmdlets to configure and run Windows Defender
+
+**Applies to:**
+
+- Windows 10
+
+You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx).
+
+For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic.
+
+PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
+
+> **Note:** PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
+
+PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
+
+
+**Use Windows Defender PowerShell cmdlets**
+
+1. Click **Start**, type **powershell**, and press **Enter**.
+2. Click **Windows PowerShell** to open the interface.
+ > **Note:** You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+3. Enter the command and parameters.
+
+To open online help for any of the cmdlets type the following:
+
+```text
+Get-Help -Online
+```
+Omit the `-online` parameter to get locally cached help.
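Review bot: `Get-Help -Online` as written names no cmdlet, so it will not open the online help for "any of the cmdlets" as the sentence promises; show the cmdlet name as a placeholder, for example `Get-Help <cmdlet-name> -Online`, and use the same casing in the following sentence (`-Online`, not `-online`). The fence is tagged `text` for a PowerShell command and could be tagged `powershell`; the front matter repeats `ms.pagetype: security` twice; and the install path is more precisely `%SystemRoot%\System32\WindowsPowerShell\v1.0` (the `v1.0` subfolder holds powershell.exe).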
diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md
index 2dc00afede..0f5d4d28f0 100644
--- a/windows/keep-secure/windows-defender-in-windows-10.md
+++ b/windows/keep-secure/windows-defender-in-windows-10.md
@@ -19,7 +19,7 @@ This topic provides an overview of Windows Defender, including a list of system
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
-Take advantage of Windows Defender by configuring the settings and definitions using the following tools:
+Take advantage of Windows Defender by configuring settings and definitions using the following tools:
- Microsoft Active Directory *Group Policy* for settings
- Windows Server Update Services (WSUS) for definitions
diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md
new file mode 100644
index 0000000000..d9f379c2a6
--- /dev/null
+++ b/windows/keep-secure/windows-security-baselines.md
@@ -0,0 +1,62 @@
+---
+title: Windows security baselines (Windows 10)
+description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Windows security baselines
+
+Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
+
+We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
+
+## What are security baselines?
+
+Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+
+A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and
+customers.
+
+## Why are security baselines needed?
+
+Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
+
+For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 4,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be.
+
+In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats.
+
+To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
+
+ ## How can you use security baselines?
+
+ You can use security baselines to:
+
+ - Ensure that user and device configuration settings are compliant with the baseline.
+ - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
+
+ ## Where can I get the security baselines?
+
+ Here's a list of security baselines that are currently available.
+
+ > **Note:** If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
+
+### Windows 10 security baselines
+
+ - [Windows 10, Version 1511 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799381)
+ - [Windows 10, Version 1507 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799380)
+
+
+### Windows Server security baselines
+
+ - [Windows Server 2012 R2 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799382)
+
+## How can I monitor security baseline deployments?
+
+Microsoft’s Operation Management Services (OMS) helps you monitor security baseline deployments across your servers. To find out more, check out [Operations Management Suite](https://aka.ms/omssecscm).
+
+You can use [System Center Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager) to monitor security baseline deployments on client devices within your organization.
+
\ No newline at end of file
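Review bot: The monitoring section names the product inconsistently, "Operation Management Services (OMS)" in the prose but "Operations Management Suite" in the link text on the same line; use the product name once. Grammar and typo fixes needed in the new text: "dedicated to provide" should be "dedicated to providing", "these large number of controls" should be "this large number of controls", "knowlege" should be "knowledge", "To help faster deployments" should be "To enable faster deployments", and the sentence broken across "partners, and" / "customers." should be joined. From "## How can you use security baselines?" onward the headings and list items carry a leading space the earlier ones do not, and the file ends without a trailing newline.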
diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md
index 9a7fe85b18..4c43c597ce 100644
--- a/windows/manage/TOC.md
+++ b/windows/manage/TOC.md
@@ -28,7 +28,7 @@
### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
## [Configure devices without MDM](configure-devices-without-mdm.md)
-## [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md)
+## [Windows 10 servicing options](introduction-to-windows-10-servicing.md)
## [Application development for Windows as a service](application-development-for-windows-as-a-service.md)
## [Windows Store for Business](windows-store-for-business.md)
### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md
index d58572c900..ca7d24b2a2 100644
--- a/windows/manage/app-inventory-managemement-windows-store-for-business.md
+++ b/windows/manage/app-inventory-managemement-windows-store-for-business.md
@@ -23,7 +23,7 @@ The **Inventory** page in Windows Store for Business shows all apps in your inve
All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
-
+
Store for Business shows this info for each app in your inventory:
@@ -168,13 +168,13 @@ For each app in your inventory, you can view and manage license details. This gi
2. Click **Manage**, and then choose **Inventory**.
-3. Click the ellipses for and app, and then choose **View license details**.
+3. Click the ellipses for an app, and then choose **View license details**.
- 
+ 
You'll see the names of people in your organization who have installed the app and are using one of the licenses.
- 
+ 
On **Assigned licenses**, you can do several things:
@@ -190,9 +190,9 @@ For each app in your inventory, you can view and manage license details. This gi
**To assign an app to more people**
- - Click Assign to people, type the email address for the employee that you're assigning the app to, and click **Assign**.
+ - Click **Assign to people**, type the email address for the employee that you're assigning the app to, and click **Assign**.
- 
+ 
Store for Business updates the list of assigned licenses.
@@ -200,7 +200,7 @@ For each app in your inventory, you can view and manage license details. This gi
- Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**.
- 
+ 
Store for Business updates the list of assigned licenses.
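Review bot: The reclaim step reads "click **Reclaim licenses**, and then click **Reclaim licenses**", which looks like a duplicated button in the context line of this hunk; if the second click is a confirmation prompt, say so (for example "and then click **Reclaim licenses** to confirm") so readers do not think the step is a copy-paste error.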
diff --git a/windows/manage/distribute-apps-from-your-private-store.md b/windows/manage/distribute-apps-from-your-private-store.md
index c81973c29f..500ff0c7b4 100644
--- a/windows/manage/distribute-apps-from-your-private-store.md
+++ b/windows/manage/distribute-apps-from-your-private-store.md
@@ -23,29 +23,29 @@ You can make an app available in your private store when you acquire the app, or
**To acquire an app and make it available in your private store**
-1. Sign in to the Store for Business.
+1. Sign in to the [Store for Business](https://businessstore.microsoft.com).
2. Click an app and then click **Get the app** to acquire the app for your organization.
3. You'll have a few options for distributing the app -- choose **Add to your private store where all people in your organization can find and install it.**
- 
+ 
It will take approximately twelve hours before the app is available in the private store.
**To make an app in inventory available in your private store**
-1. Sign in to the Store for Business.
+1. Sign in to the [Store for Business](https://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
- 
+ 
3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
- 
+ 
The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
diff --git a/windows/manage/distribute-apps-with-management-tool.md b/windows/manage/distribute-apps-with-management-tool.md
index 484fa6b93b..102b4d6d01 100644
--- a/windows/manage/distribute-apps-with-management-tool.md
+++ b/windows/manage/distribute-apps-with-management-tool.md
@@ -48,14 +48,14 @@ If your vendor doesn’t support the ability to synchronize applications from th
This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices.
-
+
## Distribute online-licensed apps
This diagram shows how you can use a management tool to distribute an online-licensed app to employees in your organization. Once synchronized from Store for Business, management tools use the Windows Management framework to distribute applications to devices. For Online licensed applications, the management tool calls back in to Store for Business management services to assign an application prior to issuing the policy to install the application.
-
+
## Related topics
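Review bot: In the offline-licensed paragraph, "distribute offline-licensed app to employees" needs the plural "apps", and the online section writes "Online licensed applications" where its own heading uses "online-licensed"; align both while these image lines are being touched.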
diff --git a/windows/plan/images/fig1-deferupgrades.png b/windows/manage/images/fig1-deferupgrades.png
similarity index 100%
rename from windows/plan/images/fig1-deferupgrades.png
rename to windows/manage/images/fig1-deferupgrades.png
diff --git a/windows/plan/images/fig2-deploymenttimeline.png b/windows/manage/images/fig2-deploymenttimeline.png
similarity index 100%
rename from windows/plan/images/fig2-deploymenttimeline.png
rename to windows/manage/images/fig2-deploymenttimeline.png
diff --git a/windows/plan/images/fig3-overlaprelease.png b/windows/manage/images/fig3-overlaprelease.png
similarity index 100%
rename from windows/plan/images/fig3-overlaprelease.png
rename to windows/manage/images/fig3-overlaprelease.png
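Review bot: The three figures move from windows/plan/images to windows/manage/images, but nothing in this diff shows the page that previously referenced them under windows/plan being updated; confirm that no remaining reference there (for example the servicing overview the manage article links as ../plan/windows-10-servicing-options.md) still points at the old path, or those images will break on that page.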
diff --git a/windows/manage/index.md b/windows/manage/index.md
index fa16723bc3..570fd79769 100644
--- a/windows/manage/index.md
+++ b/windows/manage/index.md
@@ -57,7 +57,7 @@ Learn about managing and updating Windows 10.
Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise. |
-[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) |
+[Windows 10 servicing options](introduction-to-windows-10-servicing.md) |
This article describes the new servicing options available in Windows 10, Windows 10 Mobile, and Windows 10 IoT Core (IoT Core) and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. |
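Review bot: Only the link text is updated here; the description column still says the article covers "Windows 10, Windows 10 Mobile, and Windows 10 IoT Core" and "how they enable enterprises to keep their devices current", while the article's own Applies to list and rewritten intro in this same change mention only Windows 10 and IoT Core and now point readers to the servicing overview first; align the index description with the new intro.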
diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md
index 0325ebfeac..8e531b3827 100644
--- a/windows/manage/introduction-to-windows-10-servicing.md
+++ b/windows/manage/introduction-to-windows-10-servicing.md
@@ -10,27 +10,46 @@ ms.pagetype: security, servicing
author: greg-lindsay
---
-# Windows 10 servicing options for updates and upgrades
+# Windows 10 servicing options
**Applies to**
- Windows 10
- Windows 10 IoT Core (IoT Core)
-This article describes the new servicing options available in Windows 10 and IoT Core and how they enable enterprises to keep their devices current with the latest feature upgrades. It also covers related topics, such as how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles.
+This article provides detailed information about new servicing options available in Windows 10 and IoT Core. It also provides information on how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. Before reading this article, you should understand the new Windows 10 servicing model. For an overview of this servicing model, see: [Windows 10 servicing overview](../plan/windows-10-servicing-options.md).
For Windows 10 current version numbers by servicing option see: [Windows 10 release information](https://technet.microsoft.com/en-us/windows/mt679505.aspx).
-
-**Note**
-Several of the figures in this article show multiple feature upgrades of Windows being released by Microsoft over time. Be aware that these figures were created with dates that were chosen for illustrative clarity, not for release roadmap accuracy, and should not be used for planning purposes.
-## Introduction
+## Key terminology
-In enterprise IT environments, the desire to provide users with the latest technologies needs to be balanced with the need for manageability and cost control. In the past, many enterprises managed their Windows deployments homogeneously and performed large-scale upgrades to new releases of Windows (often in parallel with large-scale hardware upgrades) about every three to six years. Today, the rapid evolution of Windows as a platform for device-like experiences is causing businesses to rethink their upgrade strategies. Especially with the release of Windows 10, there are good business reasons to keep a significant portion of your enterprise's devices *current* with the latest release of Windows. For example, during the development of Windows 10, Microsoft:
-- Streamlined the Windows product engineering and release cycle so that Microsoft can deliver the features, experiences, and functionality customers want, more quickly than ever.
-- Created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership.
-- Implemented new servicing options – referred to as Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB) – that provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible.
+The following terms are used When discussing the new Windows 10 servicing model:
-The remainder of this article provides additional information about each of these areas. This article also provides an overview of the planning implications of the three Windows 10 servicing options (summarized in Table 1) so that IT administrators can be well-grounded conceptually before they start a Windows 10 deployment project.
+
+
+ **Term** |
+ **Description** |
+
+
+ Upgrade |
+ A new Windows 10 release that contains additional features and capabilities, released two to three times per year. |
+
+
+ Update |
+ Packages of security fixes, reliability fixes, and other bug fixes that are released periodically, typically once a month on Update Tuesday (sometimes referred to as Patch Tuesday). With Windows 10, these are cumulative in nature. |
+
+
+ Branch |
+ The windows servicing branch is one of four choices: Windows Insider, Current Branch, Current Branch for Business, or Long-Term Servicing Branch. Branches are determined by the frequency with which the computer is configured to receive feature updates. |
+
+
+ Ring |
+ A ring is a groups of PCs that are all on the same branch and have the same update settings. Rings can be used internally by organizations to better control the upgrade rollout process. |
+
+
+
+## Windows 10 servicing
+
+The following table provides an overview of the planning implications of the three Windows 10 servicing options so that IT administrators can be well-grounded conceptually before they start a Windows 10 deployment project.
Table 1. Windows 10 servicing options
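Review bot: Copy issues in the new Key terminology table: "used When discussing" has a stray capital, "The windows servicing branch" should be "The Windows servicing branch", and "A ring is a groups of PCs" should be "a group of PCs". The Branch row also says branches are determined by how often a computer receives "feature updates" while the rows directly above define the feature release as an "Upgrade" and reserve "Update" for the monthly cumulative fixes; say "feature upgrades" in the Branch row so the table agrees with its own definitions.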
@@ -91,7 +110,7 @@ At the end of each approximately four month period, Microsoft executes a set of
Although Windows 10 will enable IT administrators to defer installation of new feature upgrades using Windows Update, enterprises may also want additional control over how and when Windows Update installs releases. With this need in mind, Microsoft [announced Windows Update for Business](http://go.microsoft.com/fwlink/p/?LinkId=624798) in May of 2015. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing releases. This article will be updated with additional information about the role of Windows Update for Business in servicing Windows 10 devices as it becomes available.
-## Windows 10 servicing options
+## Windows 10 servicing branches
Historically, because of the length of time between releases of new Windows versions, and the relatively low number of enterprise devices that were upgraded to newer versions of Windows during their deployment lifetimes, most IT administrators defined servicing as installing the updates that Microsoft published every month. Looking forward, because Microsoft will be publishing new feature upgrades on a continual basis, *servicing* will also include (on some portion of an enterprise's devices) installing new feature upgrades as they become available.
In fact, when planning to deploy Windows 10 on a device, one of the most important questions for IT administrators to ask is, “What should happen to this device when Microsoft publishes a new feature upgrade?” This is because Microsoft designed Windows 10 to provide businesses with multiple servicing options, centered on enabling different rates of feature upgrade adoption. In particular, IT administrators can configure Windows 10 devices to:
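Review bot: Renaming this heading from "Windows 10 servicing options" to "Windows 10 servicing branches" changes its generated anchor, and the same change adds a separate "## Windows 10 servicing" heading above it; the context lines that follow show this article relies on in-page anchors (for example #install-updates-ltsb), so check for any link to #windows-10-servicing-options before merging, and consider whether the two near-identical headings should be merged.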
@@ -100,6 +119,144 @@ In fact, when planning to deploy Windows 10 on a device, one of the most import
- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install-updates-ltsb).
The breakout of a company’s devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices.
+## Current Branch versus Current Branch for Business
+
+When the development of a new Windows 10 feature upgrade is complete, it is initially offered to Current Branch computers; those computers configured for Current Branch for Business will receive the feature upgrade (with additional fixes) at a later date, generally at least four months later. An additional deferral of at least eight months is available to organizations that use tools to control the update process. During this time, monthly security updates will continue to be made available to machines not yet upgraded.
+
+The process to configure a PC for Current Branch for Business is simple. The **Defer upgrades** setting needs to be configured, either manually (through the Settings app), by using Group Policy, or by using mobile device management (MDM).
+
+
+
+Figure 1. Configure the **Defer upgrades** setting
+
+Most organizations today leverage Windows Server Update Services (WSUS) or System Center Configuration Manager to update their PCs. With Windows 10, this does not need to change; all updates are controlled through approvals or automatic deployment rules configured in those products, so new upgrades will not be deployed until the organization chooses. The **Defer upgrades** setting can function as an additional validation check, so that Current Branch for Business machines that are targeted with a new upgrade prior to the end of the initial four-month deferral period will decline to install it; they can install the upgrade any time within the eight-month window after that initial four-month deferral period.
+
+For computers configured to receive updates from Windows Update directly, the **Defer upgrades** setting directly controls when the PC will be upgraded. Computers that are not configured to defer upgrades will be upgraded at the time of the initial Current Branch release; computers that are configured to defer upgrades will be upgraded four months later.
+
+With Windows 10 it is now possible to manage updates for PCs and tablets that have a higher degree of mobility and are not joined to a domain. For these PCs, you can leverage mobile device management (MDM) services or Windows Update for Business to provide the same type of control provided today with WSUS or Configuration Manager.
+
+For PCs enrolled in a mobile device management (MDM) service, Windows 10 provides new update approval mechanisms that could be leveraged to delay the installation of a new feature upgrade or any other update. Windows Update for Business will eventually provide these and other capabilities to manage upgrades and updates; more details on these capabilities will be provided when they are available later in 2015.
+
+With the release of each Current Branch feature update, new ISO images will be made available. You can use these images to upgrade existing machines or to create new custom images. These feature upgrades will also be published with WSUS to enable simple deployment to devices already running Windows 10.
+
+Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates. This requires new ways of thinking about software deployment. It is best to align your deployment schedule with the Current Branch release schedule:
+
+- Begin your evaluation process with the Windows Insider Program releases.
+- Perform initial pilot deployments by using the Current Branch.
+- Expand to broad deployment after the Current Branch for Business is available.
+- Complete deployments by using that release in advance of the availability of the next Current Branch.
+
+
+
+Figure 2. Deployment timeline
+
+Some organizations may require more than 12 months to deploy Windows 10 to all of their existing PCs. To address this, it may be necessary to deploy multiple Windows 10 releases, switching to these new releases during the deployment project. Notice how the timelines can overlap, with the evaluation of one release happening during the pilot and deployment of the previous release:
+
+
+
+Figure 3. Overlapping releases
+
+As a result of these overlapping timelines, organizations can choose which release to deploy. Note though that by continuing for longer with one release, that gives you less time to deploy the subsequent release (to both existing Windows 10 PCs as well as newly-migrated ones), so staying with one release for the full lifetime of that release can be detrimental overall.
+
+## Long-Term Servicing Branch
+
+For specialized devices, Windows 10 Enterprise Long Term Servicing Branch (LTSB) ISO images will be made available. These are expected to be on a variable schedule, less often than CB and CBB releases. Once released, these will be supported with security and reliability fixes for an extended period; no new features will be added over its servicing lifetime. Note that LTSB images will not contain most in-box Universal Windows Apps (for example, Microsoft Edge, Cortana, the Windows Store, the Mail and Calendar apps) because the apps or the services that they use will be frequently updated with new functionality and therefore cannot be supported on PCs running the LTSB OS.
+
+These LTSB images can be used to upgrade existing machines or to create new custom images.
+
+Note that Windows 10 Enterprise LTSB installations fully support the Universal Windows Platform, with the ability to run line-of-business apps created using the Windows SDK, Visual Studio, and related tools capable of creating Universal Windows apps. For apps from other ISVs (including those published in the Windows Store), contact the ISV to confirm if they will provide long-term support for their specific apps.
+
+As mentioned previously, there are few, if any, scenarios where an organization would use the Long-Term Servicing Branch for every PC – or even for a majority of them.
+
+## Windows Insider Program
+
+During the development of a new Windows 10 feature update, preview releases will be made available to Windows Insider Program participants. This enables those participants to try out new features, check application compatibility, and provide feedback during the development process.
+
+To obtain Windows Insider Program builds, the Windows Insider Program participants must opt in through the Settings app, and specify their Microsoft account.
+
+Occasionally (typically as features are made available to those in the Windows Insider Program “slow” ring), new ISO images will be released to enable deployment validation, testing, and image creation.
+
+## Switching between branches
+
+During the life of a particular PC, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
+
+
+
+
+
+
+
+
+
+
+
+
+Windows Insider Program |
+Current Branch |
+Wait for the final Current Branch release. |
+
+
+ |
+Current Branch for Business |
+Not directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle. |
+
+
+ |
+Long-Term Servicing Branch |
+Not directly possible (requires wipe-and-load). |
+
+
+Current Branch |
+Insider |
+Use the Settings app to enroll the device in the Windows Insider Program. |
+
+
+ |
+Current Branch for Business |
+Select the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release. |
+
+
+ |
+Long-Term Servicing Branch |
+Not directly possible (requires wipe-and-load). |
+
+
+Current Branch for Business |
+Insider |
+Use the Settings app to enroll the device in the Windows Insider Program. |
+
+
+ |
+Current Branch |
+Disable the Defer upgrade setting, or move the PC to a target group or flight that will receive the latest Current Branch release. |
+
+
+ |
+Long-Term Servicing Branch |
+Not directly possible (requires wipe-and-load). |
+
+
+Long-Term Servicing Branch |
+Insider |
+Use media to upgrade to the latest Windows Insider Program build. |
+
+
+ |
+Current Branch |
+Use media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.) |
+
+
+ |
+Current Branch for Business |
+Use media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build. |
+
+
+
+
## Plan for Windows 10 deployment
The remainder of this article focuses on the description of the three options outlined above, and their planning implications, in more detail. In practice, IT administrators have to focus on two areas when planning a Windows 10 device deployment:
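Review bot: the branch-switching table in this hunk has no header row, so the three columns (the branch a PC is on, the branch it is moving to, and how to get there) are only implied, and the runs of empty cells before the first row and between rows will render as blank lines. Suggest a header such as `From | To | How to switch`, dropping the empty cells, and then phrasing the blocked transitions the same way each time: the Insider-to-CBB row explains why ("machines are automatically upgraded to the Current Branch release at the end of the development cycle"), while the three LTSB rows only say "Not directly possible (requires wipe-and-load)". The two media-upgrade rows for leaving LTSB also each say "must be a later build" in slightly different wording; one phrasing, stated once per row, is enough.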
@@ -111,19 +268,21 @@ The content that follows will provide IT administrators with the context needed
**How Microsoft releases Windows 10 feature upgrades**
-When it is time to release a build as a new feature upgrade for Windows 10, Microsoft performs several processes in sequence. The first process involves creating either one or two servicing branches in a source code management system. These branches (shown in Figure 1) are required to produce feature upgrade installation media and servicing update packages that can be deployed on different Windows 10 editions, running in different configurations.
+>Some figures in this article show multiple feature upgrades of Windows being released by Microsoft over time. Be aware that these figures were created with dates that were chosen for illustrative clarity, not for release roadmap accuracy, and should not be used for planning purposes.
-
+When it is time to release a build as a new feature upgrade for Windows 10, Microsoft performs several processes in sequence. The first process involves creating either one or two servicing branches in a source code management system. These branches (shown in Figure 4) are required to produce feature upgrade installation media and servicing update packages that can be deployed on different Windows 10 editions, running in different configurations.
-Figure 1. Feature upgrades and servicing branches
+
-In all cases, Microsoft creates a servicing branch (referred to in Figure 1 as Servicing Branch \#1) that is used to produce releases for approximately one year (although the lifetime of the branch will ultimately depend on when Microsoft publishes subsequent feature upgrade releases). If Microsoft has selected the feature upgrade to receive long-term servicing-only support, Microsoft also creates a second servicing branch (referred to in Figure 1 as Servicing Branch \#2) that is used to produce servicing update releases for up to 10 years.
+Figure 4. Feature upgrades and servicing branches
-As shown in Figure 2, when Microsoft publishes a new feature upgrade, Servicing Branch \#1 is used to produce the various forms of media needed by OEMs, businesses, and consumers to install Windows 10 Home, Pro, Education, and Enterprise editions. Microsoft also produces the files needed by Windows Update to distribute and install the feature upgrade, along with *targeting* information that instructs Windows Update to only install the files on devices configured for *immediate* installation of feature upgrades.
+In all cases, Microsoft creates a servicing branch (referred to in Figure 4 as Servicing Branch \#1) that is used to produce releases for approximately one year (although the lifetime of the branch will ultimately depend on when Microsoft publishes subsequent feature upgrade releases). If Microsoft has selected the feature upgrade to receive long-term servicing-only support, Microsoft also creates a second servicing branch (referred to in Figure 4 as Servicing Branch \#2) that is used to produce servicing update releases for up to 10 years.
-
+As shown in Figure 5, when Microsoft publishes a new feature upgrade, Servicing Branch \#1 is used to produce the various forms of media needed by OEMs, businesses, and consumers to install Windows 10 Home, Pro, Education, and Enterprise editions. Microsoft also produces the files needed by Windows Update to distribute and install the feature upgrade, along with *targeting* information that instructs Windows Update to only install the files on devices configured for *immediate* installation of feature upgrades.
-Figure 2. Producing feature upgrades from servicing branches
+
+
+Figure 5. Producing feature upgrades from servicing branches
Approximately four months after publishing the feature upgrade, Microsoft uses Servicing Branch \#1 again to *republish* updated installation media for Windows 10 Pro, Education, and Enterprise editions. The updated media contains the exact same feature upgrade as contained in the original media except Microsoft also includes all the servicing updates that were published since the feature upgrade was first made available. This enables the feature upgrade to be installed on a device more quickly, and in a way that is potentially less obtrusive to users.
@@ -131,15 +290,15 @@ Concurrently, Microsoft also changes the way the feature upgrade is published in
**How Microsoft publishes the Windows 10 Enterprise LTSB Edition**
-If Microsoft has selected the feature upgrade to receive long-term servicing support, Servicing Branch \#2 is used to publish the media needed to install the Windows 10 Enterprise LTSB edition. The time between releases of feature upgrades with long-term servicing support will vary between one and three years, and is strongly influenced by input from customers regarding the readiness of the release for long-term enterprise deployment. Figure 2 shows the Windows 10 Enterprise LTSB edition being published at the same time as the other Windows 10 editions, which mirrors the way editions were actually published for Windows 10 in July of 2015. It is important to note that this media is never published to Windows Update for deployment. Installations of the Enterprise LTSB edition on devices must be performed another way.
+If Microsoft has selected the feature upgrade to receive long-term servicing support, Servicing Branch \#2 is used to publish the media needed to install the Windows 10 Enterprise LTSB edition. The time between releases of feature upgrades with long-term servicing support will vary between one and three years, and is strongly influenced by input from customers regarding the readiness of the release for long-term enterprise deployment. Figure 5 shows the Windows 10 Enterprise LTSB edition being published at the same time as the other Windows 10 editions, which mirrors the way editions were actually published for Windows 10 in July of 2015. It is important to note that this media is never published to Windows Update for deployment. Installations of the Enterprise LTSB edition on devices must be performed another way.
**How Microsoft releases Windows 10 servicing updates**
-As shown in Figure 3, servicing branches are also used by Microsoft to produce servicing updates containing fixes for security vulnerabilities and other important issues. Servicing updates are published in a way that determines the Windows 10 editions on which they can be installed. For example, servicing updates produced from a given servicing branch can only be installed on devices running a Windows 10 edition produced from the same servicing branch. In addition, because Windows 10 Home does not support deferred installation of feature upgrades, servicing updates produced from Servicing Branch \#1 are targeted at devices running Windows 10 Home only until Microsoft publishes feature upgrades for deferred installation.
+As shown in Figure 6, servicing branches are also used by Microsoft to produce servicing updates containing fixes for security vulnerabilities and other important issues. Servicing updates are published in a way that determines the Windows 10 editions on which they can be installed. For example, servicing updates produced from a given servicing branch can only be installed on devices running a Windows 10 edition produced from the same servicing branch. In addition, because Windows 10 Home does not support deferred installation of feature upgrades, servicing updates produced from Servicing Branch \#1 are targeted at devices running Windows 10 Home only until Microsoft publishes feature upgrades for deferred installation.
-
+
-Figure 3. Producing servicing updates from servicing branches
+Figure 6. Producing servicing updates from servicing branches
**Release installation alternatives**
@@ -162,24 +321,24 @@ Because there is a one-to-one mapping between servicing options and servicing br
Although Microsoft is currently planning to release approximately two to three feature upgrades per year, the actual frequency and timing of releases will vary. Because the servicing lifetimes of feature upgrades typically end when the servicing lifetimes of other, subsequent feature upgrades begin, the lengths of servicing lifetimes will also vary.
-
+
-Figure 4. Example release cadence across multiple feature upgrades
+Figure 7. Example release cadence across multiple feature upgrades
To show the variability of servicing lifetimes, and show the paths that feature upgrade installations will take when Windows Update and Windows Server Update Services are used for deployments, Figure 4 contains three feature upgrade releases (labeled *X*, *Y*, and *Z*) and their associated servicing branches. The time period between publishing X and Y is four months, and the time period between publishing Y and Z is six months. X and Z have long-term servicing support, and Y has shorter-term servicing support only.
-The same underlying figure will be used in subsequent figures to show all three servicing options in detail. It is important to note that Figure 4 is provided for illustration of servicing concepts only and should not be used for actual Windows 10 release planning.
+The same underlying figure will be used in subsequent figures to show all three servicing options in detail. It is important to note that Figure 7 is provided for illustration of servicing concepts only and should not be used for actual Windows 10 release planning.
To simplify the servicing lifetime and feature upgrade behavior explanations that follow, this document refers to branch designations for a specific feature upgrade as the +0 versions, the designations for the feature upgrade after the +0 version as the +1 (or successor) versions, and the designation for the feature upgrade after the +1 version as the +2 (or second successor) versions.
###
**Immediate feature upgrade installation with Current Branch (CB) servicing**
-As shown in Figure 5, the Current Branch (CB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft publishes a feature upgrade targeted for devices configured for *immediate* installation and ends when Microsoft publishes the *successor* feature upgrade targeted for devices configured for *immediate* installation.
+As shown in Figure 8, the Current Branch (CB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft publishes a feature upgrade targeted for devices configured for *immediate* installation and ends when Microsoft publishes the *successor* feature upgrade targeted for devices configured for *immediate* installation.
-
+
-Figure 5. Immediate installation with Current Branch Servicing
+Figure 8. Immediate installation with Current Branch Servicing
The role of Servicing Branch \#1 during the CB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *immediate* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBs*. The Windows 10 editions that support servicing from CBs are Home, Pro, Education, and Enterprise. The Current Branch designation is intended to reflect the fact that devices serviced using this approach will be kept as current as possible with respect to the latest Windows 10 feature upgrade release.
Windows 10 Home supports Windows Update for release deployment. Windows 10 editions (Pro, Education, and Enterprise) support Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
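Review bot: the caption renumbering in this hunk is incomplete. The caption "Figure 4. Example release cadence across multiple feature upgrades" becomes "Figure 7", and the later sentence "It is important to note that Figure 4 is provided for illustration" is updated to "Figure 7", but the unchanged context line between them still reads "Figure 4 contains three feature upgrade releases (labeled *X*, *Y*, and *Z*)". After this change that sentence points at the servicing-branches figure the earlier hunk renamed to "Figure 4", not at the release-cadence figure it describes. Update it to "Figure 7" in the same change, and search the file for any remaining "Figure N" references, since every hunk here shifts captions by +3 and only the touched lines were updated.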
@@ -191,11 +350,11 @@ It is important to note that devices serviced from CBs must install two to three
###
**Deferred feature upgrade installation with Current Branch for Business (CBB) servicing**
-As shown in Figure 6, the Current Branch for Business (CBB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft republishes a feature upgrade targeted for devices configured for *deferred* installation and ends when Microsoft republishes the *second successor* feature upgrade targeted for devices configured for *deferred* installation.
+As shown in Figure 9, the Current Branch for Business (CBB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft republishes a feature upgrade targeted for devices configured for *deferred* installation and ends when Microsoft republishes the *second successor* feature upgrade targeted for devices configured for *deferred* installation.
-
+
-Figure 6. Deferred installation with Current Branch for Business Servicing
+Figure 9. Deferred installation with Current Branch for Business Servicing
The role of Servicing Branch \#1 during the CBB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *deferred* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBBs*. The Windows 10 editions that support servicing from CBBs are Pro, Education, and Enterprise. The Current Branch for Business designation is intended to reflect the fact that many businesses require IT administrators to test feature upgrades prior to deployment, and servicing devices from CBBs is a pragmatic solution for businesses with testing constraints to remain as current as possible.
Windows 10 (Pro, Education, and Enterprise editions) support release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
@@ -208,11 +367,11 @@ Microsoft designed Windows 10 servicing lifetime policies so that CBBs will rec
**Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing**
-As shown in Figure 7, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section).
+As shown in Figure 10, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section).
-
+
-Figure 7. Servicing updates only using LTSB Servicing
+Figure 10. Servicing updates only using LTSB Servicing
The role of LTSBs is to produce servicing updates for devices running Windows 10 configured to install servicing updates only. Devices configured this way are referred to as being *serviced from LTSBs*. The Long-Term Servicing Branch designation is intended to reflect the fact that this servicing option is intended for scenarios where changes to software running on devices must be limited to essential updates (such as those for security vulnerabilities and other important issues) for the duration of deployments.
Windows 10 Enterprise LTSB supports release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems:
diff --git a/windows/manage/manage-access-to-private-store.md b/windows/manage/manage-access-to-private-store.md
index 47ddaea3ef..8e2f813d33 100644
--- a/windows/manage/manage-access-to-private-store.md
+++ b/windows/manage/manage-access-to-private-store.md
@@ -23,7 +23,7 @@ Organizations might want control the set of apps that are available to their emp
The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this:
-
+
Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#group-policy-table). More specifically, the **ApplicationManagement/RequirePrivateStoreOnly** policy.
diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index f3194a4699..4c01926131 100644
--- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -309,7 +309,7 @@ You can prevent Windows from setting the time automatically.
-or-
-- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**.
+- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
### 3. Device metadata retrieval
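Review bot: the corrected line reads as if `Type` were a subkey: "Create a REG\_SZ registry setting in **...\\W32Time\\Parameters\\Type** with a value of **NoSync**". `Type` is the name of a REG_SZ value under the `Parameters` key, so the sentence should say "create a REG_SZ value named **Type** under **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters** and set it to **NoSync**" (the other recognized values are `NTP`, `NT5DS` and `AllSync`). The step should also say what `NoSync` costs: the Windows Time service stops synchronizing from any source, including the domain hierarchy on domain-joined machines, so the clock drifts; Kerberos rejects tickets outside the default five-minute skew, and certificate validity checks and log timestamps depend on an accurate clock. For devices that must not contact Microsoft time servers, setting `Type` to `NTP` and pointing the `NtpServer` value at an internal time source is the safer alternative to `NoSync`, and worth offering here.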
diff --git a/windows/manage/manage-corporate-devices.md b/windows/manage/manage-corporate-devices.md
index 901a3beb11..dbc5ed0c8a 100644
--- a/windows/manage/manage-corporate-devices.md
+++ b/windows/manage/manage-corporate-devices.md
@@ -97,7 +97,7 @@ For more information about the MDM protocols, see [Mobile device management](htt
[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627898.aspx)
-[Windows 10, Azure AD and Microsoft Intune: Automatic MDM Enrollment](http://go.microsoft.com/fwlink/p/?LinkId=623321)
+[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/)
[Microsoft Intune End User Enrollment Guide](http://go.microsoft.com/fwlink/p/?LinkID=617169)
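Review bot: this hunk replaces a `go.microsoft.com/fwlink` redirect with a hard-coded `blogs.technet.microsoft.com` post URL. The fwlink indirection exists so the target can be retargeted when a post moves, so the direct URL is the one more likely to rot; if the old `LinkId=623321` target was wrong, updating the redirect is preferable to bypassing it. If the direct link stays, the neighboring entry "Microsoft Intune End User Enrollment Guide" is still plain `http://` while the new link is `https://`; make the list consistently `https`.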
diff --git a/windows/manage/manage-private-store-settings.md b/windows/manage/manage-private-store-settings.md
index 1eb1190a30..6132f1e513 100644
--- a/windows/manage/manage-private-store-settings.md
+++ b/windows/manage/manage-private-store-settings.md
@@ -19,9 +19,9 @@ author: TrudyHa
The private store is a feature in the Windows Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
-The name of your private store is shown on a tab in the Windows Store.
+The name of your private store is shown on a tab in the Windows Store app.
-
+
You can change the name of your private store in Store for Business.
@@ -33,13 +33,13 @@ You can change the name of your private store in Store for Business.
You'll see your private store name.
- 
+ 
3. Click **Change**.
4. Type a new display name for your private store, and click **Save**.
- 
+ 
diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md
index 4fbfcc521e..92d9f7e5e8 100644
--- a/windows/manage/roles-and-permissions-windows-store-for-business.md
+++ b/windows/manage/roles-and-permissions-windows-store-for-business.md
@@ -204,11 +204,11 @@ These permissions allow people to:
2. Click **Settings**, and then choose **Permissions**.
- 
+ 
3. Click **Add people**, type a name, choose the role you want to assign, and click **Save** .
- 
+ 
4.
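Review bot: the numbered procedure this hunk touches ends in an empty item, the bare "4." on the last context line, with no step text. Either remove it or supply the missing step while the file is open; as it stands the rendered list shows a numbered item with nothing after it.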
diff --git a/windows/manage/sign-up-windows-store-for-business.md b/windows/manage/sign-up-windows-store-for-business.md
index 89ca4e135b..643d42eddf 100644
--- a/windows/manage/sign-up-windows-store-for-business.md
+++ b/windows/manage/sign-up-windows-store-for-business.md
@@ -34,7 +34,7 @@ Before signing up for the Store for Business, make sure you're the global admini
- If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign-in), and then accept Store for Business terms.
- 
+ 
**To sign up for Azure AD accounts through Office 365 for Business**
@@ -44,43 +44,43 @@ Before signing up for the Store for Business, make sure you're the global admini
Type the required info and click **Next.**
- 
+ 
- Step 2: Create an ID.
We'll use info you provided on the previous page to build your user ID. Check the info and click **Next**.
- 
+ 
- Step 3: You're in.
Let us know how you'd like to receive a verification code, and click either **Text me**, or **Call me**. We'll send you a verification code
- 
+ 
- Verification.
Type your verification code and click **Create my account**.
- 
+ 
- Save this info.
Be sure to save the portal sign-in page and your user ID info. Click **You're ready to go**.
- 
+ 
- At this point, you'll have an Azure AD directory created with one user account. That user account is the global administrator. You can use that account to sign in to Store for Business.
2. Sign in with your Azure AD account.
- 
+ 
3. Read through and accept Store for Business terms.
4. Welcome to the Store for Business. Click **Next** to continue.
- 
+ 
### Next steps
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md
index d6212238a6..fc128ba315 100644
--- a/windows/plan/TOC.md
+++ b/windows/plan/TOC.md
@@ -1,6 +1,6 @@
# [Plan for Windows 10 deployment](index.md)
## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)
-## [Windows 10 servicing options](windows-10-servicing-options.md)
+## [Windows 10 servicing overview](windows-10-servicing-options.md)
## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
## [Windows 10 compatibility](windows-10-compatibility.md)
## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
diff --git a/windows/plan/index.md b/windows/plan/index.md
index e57a04c1cb..e8c8cdb020 100644
--- a/windows/plan/index.md
+++ b/windows/plan/index.md
@@ -16,7 +16,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
|Topic |Description |
|------|------------|
|[Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md) |This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
-|[Windows 10 servicing options](windows-10-servicing-options.md) |Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. |
+|[Windows 10 servicing overview](windows-10-servicing-options.md) |Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process. |
|[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
|[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md
index 2e67c97c04..8a2347918c 100644
--- a/windows/plan/windows-10-servicing-options.md
+++ b/windows/plan/windows-10-servicing-options.md
@@ -7,56 +7,43 @@ ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: servicing
ms.sitesec: library
-author: mtniehaus
+author: greg-lindsay
---
-# Windows 10 servicing options
-
+# Windows 10 servicing overview
**Applies to**
-
- Windows 10
- Windows 10 Mobile
-Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process.
+This topic provides an overview of the new servicing model for Windows 10. For more detailed information about this model, refer to [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md).
-Traditionally, new versions of Windows have been released every few years. The deployment of those new versions within an organization would then become a project, either by leveraging a “wipe and load” process to deploy the new operating system version to existing machines, or by migrating to the new operating system version as part of the hardware replacement cycle. Either way, organizations would invest significant time and effort to complete the required tasks.
+## The Windows servicing model
-With Windows 10, a new model is being adopted. Instead of new features being added only in new releases that happen every few years, the goal is to provide new features two to three times per year, continually providing new capabilities while maintaining a high level of hardware and application compatibility. This new model, referred to as Windows as a service, requires organizations to rethink how they deploy and upgrade Windows. It is no longer a project that happens “every few years”; it is a continual process.
+Traditionally, new versions of Windows have been released every few years. The deployment of those new versions within an organization would then become a project, either by leveraging a "wipe and load" process to deploy the new operating system version to existing computers, or by migrating to the new operating system version as part of the hardware replacement cycle. Either way, a significant amount of time and effort was required to complete these tasks.
-To support this process, you need to use simpler deployment methods. By combining these simpler methods (for example, in-place upgrade) with new techniques to deploy in phases to existing devices, you can reduce the amount of effort required overall, by taking the effort that used to be performed as part of a traditional deployment project and spreading it across a broad period of time.
+With Windows 10, a new model is being adopted. This new model, referred to as "Windows as a service," requires organizations to rethink how they deploy and upgrade Windows. It is no longer a project that happens every few years, it is a continual process.
-## Key terminology
+## Windows as a service
+Instead of new features being added only in new releases that happen every few years, the goal of Windows as a service is to continually provide new capabilities. New features are provided or updated two to three times per year, while maintaining a high level of hardware and application compatibility.
-With the shift to this new Windows as a service model, it is important to understand the distinction between two key terms:
+This new model uses simpler deployment methods, reducing the overall amount of effort required for Windows servicing. By combining these simpler methods (such as in-place upgrade) with new techniques to deploy upgrades in phases to existing devices, the effort that used to be performed as part of a traditional deployment project is spread across a broad period of time.
-- **Upgrade**. A new Windows 10 release that contains additional features and capabilities, released two to three times per year.
+## Windows 10 servicing branches
-- **Update**. Packages of security fixes, reliability fixes, and other bug fixes that are released periodically, typically once a month on Update Tuesday (sometimes referred to as Patch Tuesday). With Windows 10, these are cumulative in nature.
+The concept of branching goes back many years, and represents how Windows has traditionally been written and serviced. Each release of Windows was from a particular branch of the Windows code, and updates would be made to that release for the lifecycle of that release. This concept still applies now with Windows 10, but is much more visible because it is incorporated directly into the servicing model.
-In addition to these terms, some additional concepts need to be understood:
-
-- **Branches**. The concept of “branching” goes back many years, and represents how Windows has traditionally been written and serviced: Each release was from a particular branch of the Windows code, and updates would be made to that release for the lifecycle of that release. This concept still applies now with Windows 10, but is much more visible because of the increased frequency of upgrades.
-
-- **Rings**. The concept of “rings” defines a mechanism for Windows 10 deployment to targeted groups of PCs; each ring represents another group. These are used as part of the release mechanism for new Windows 10 upgrades, and should be used internally by organizations to better control the upgrade rollout process.
-
-## Windows 10 branch overview
-
-
-To support different needs and use cases within your organization, you can select among different branches:
+With Windows 10, Microsoft has implemented the following new servicing options:

-- **Windows Insider Program**. To see new features before they are released, to provide feedback on those new features, and to initially validate compatibility with existing applications and hardware, small numbers of PCs can leverage the Windows Insider Program branch. These would typically be dedicated lab machines used for IT testing, secondary PCs used by IT administrators, and other non-critical devices.
+**Windows Insider Program**: To see new features before they are released, to provide feedback on those new features, and to initially validate compatibility with existing applications and hardware, a small number of PCs can leverage the Windows Insider Program branch. These are typically dedicated lab machines used for IT testing, secondary PCs used by IT administrators, and other non-critical devices.
+**Current Branch (CB)**: For early adopters, IT teams, and other broader piloting groups, the Current Branch (CB) can be used to further validate application compatibility and newly-released features.
+**Current Branch for Business (CBB)**. For the majority of people in an organization, the Current Branch for Business (CBB) allows for a staged deployment of new features over a longer period of time.
+**Long-Term Servicing Branch (LTSB)**: For critical or specialized devices (for example, operation of factory floor machinery, point-of-sale systems, automated teller machines), the Long-Term Servicing Branch (LTSB) provides a version of Windows 10 Enterprise that receives no new features, while continuing to be supported with security and other updates for a long time. (Note that the Long-Term Servicing Branch is a separate Windows 10 Enterprise image, with many in-box apps, including Microsoft Edge, Cortana, and Windows Store, removed.)
-- **Current Branch**. For early adopters, IT teams, and other broader piloting groups, the Current Branch (CB) can be used to further validate application compatibility and newly-released features.
-
-- **Current Branch for Business**. For the majority of people in an organization, the Current Branch for Business (CBB) allows for a staged deployment of new features over a longer period of time.
-
-- **Long-Term Servicing Branch**. For critical or specialized devices (for example, operation of factory floor machinery, point-of-sale systems, automated teller machines), the Long-Term Servicing Branch (LTSB) provides a version of Windows 10 Enterprise that receives no new features, while continuing to be supported with security and other updates for a long time. (Note that the Long-Term Servicing Branch is a separate Windows 10 Enterprise image, with many in-box apps, including Microsoft Edge, Cortana, and Windows Store, removed.)
-
-Most organizations will leverage all of these choices, with the mix determined by how individual PCs are used. Some examples:
+These servicing options provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. Most organizations will leverage all of these choices, with the mix determined by how individual PCs are used. Some examples are shown in the table below:
| Industry | Windows Insider Program | Current Branch | Current Branch for Business | Long-Term Servicing Branch |
|--------------------|-------------------------|----------------|-----------------------------|----------------------------|
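Review bot: the four `+` branch descriptions (`+**Windows Insider Program**:` through `+**Long-Term Servicing Branch (LTSB)**:`) lost their list markers and have no blank line between them, so Markdown will merge them into a single run-on paragraph; either keep them as `- ` list items or separate them with blank lines. The `+**Current Branch for Business (CBB)**.` line also ends its bold label with a period where the other three use a colon. Consider a blank line between `+These servicing options provide ...` and the `| Industry |` header row too, since many renderers need one before a table.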
@@ -66,8 +53,6 @@ Most organizations will leverage all of these choices, with the mix determined b
| Consulting | 10% | 50% | 35% | 5% |
| Software developer | 30% | 60% | 5% | 5% |
-
-
Because every organization is different, the exact breakdown will vary even within a specific industry; these should be considered only examples, not specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch.
- Retailers often have critical devices (for example, point-of-sale systems) in stores which results in higher percentages of PCs on the Long-Term Servicing Branch. But those used by information workers in support of the retail operations would leverage Current Branch for Business to receive new features.
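Review bot: removing both blank lines after `| Software developer | 30% | 60% | 5% | 5% |` leaves the `Because every organization is different...` paragraph directly under the table, and in GFM a table only ends at a blank line or another block, so that paragraph will be parsed as a one-cell table row instead of prose; keep one blank line between the last table row and the paragraph.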
@@ -82,169 +67,12 @@ Because every organization is different, the exact breakdown will vary even with
Note that there are few, if any, scenarios where an entire organization would use the Long-Term Servicing Branch for all PCs – or even for a majority of them.
-For more information about the Windows as a service model, refer to [Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md).
+In addition to implementing these new servicing options, Microsoft streamlined the Windows product engineering and release cycle so that Microsoft can deliver new features, experiences, and functionality more quickly than ever. Microsoft also created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership.
-## Current Branch versus Current Branch for Business
-
-
-When the development of a new Windows 10 feature upgrade is complete, it is initially offered to Current Branch computers; those computers configured for Current Branch for Business will receive the feature upgrade (with additional fixes) at a later date, generally at least four months later. An additional deferral of at least eight months is available to organizations that use tools to control the update process. During this time, monthly security updates will continue to be made available to machines not yet upgraded.
-
-The process to configure a PC for Current Branch for Business is simple. The **Defer upgrades** setting needs to be configured, either manually (through the Settings app), by using Group Policy, or by using mobile device management (MDM).
-
-
-
-Figure 1. Configure the **Defer upgrades** setting
-
-Most organizations today leverage Windows Server Update Services (WSUS) or System Center Configuration Manager to update their PCs. With Windows 10, this does not need to change; all updates are controlled through approvals or automatic deployment rules configured in those products, so new upgrades will not be deployed until the organization chooses. The **Defer upgrades** setting can function as an additional validation check, so that Current Branch for Business machines that are targeted with a new upgrade prior to the end of the initial four-month deferral period will decline to install it; they can install the upgrade any time within the eight-month window after that initial four-month deferral period.
-
-For computers configured to receive updates from Windows Update directly, the **Defer upgrades** setting directly controls when the PC will be upgraded. Computers that are not configured to defer upgrades will be upgraded at the time of the initial Current Branch release; computers that are configured to defer upgrades will be upgraded four months later.
-
-With Windows 10 it is now possible to manage updates for PCs and tablets that have a higher degree of mobility and are not joined to a domain. For these PCs, you can leverage mobile device management (MDM) services or Windows Update for Business to provide the same type of control provided today with WSUS or Configuration Manager.
-
-For PCs enrolled in a mobile device management (MDM) service, Windows 10 provides new update approval mechanisms that could be leveraged to delay the installation of a new feature upgrade or any other update. Windows Update for Business will eventually provide these and other capabilities to manage upgrades and updates; more details on these capabilities will be provided when they are available later in 2015.
-
-With the release of each Current Branch feature update, new ISO images will be made available. You can use these images to upgrade existing machines or to create new custom images. These feature upgrades will also be published with WSUS to enable simple deployment to devices already running Windows 10.
-
-Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates. This requires new ways of thinking about software deployment. It is best to align your deployment schedule with the Current Branch release schedule:
-
-- Begin your evaluation process with the Windows Insider Program releases.
-
-- Perform initial pilot deployments by using the Current Branch.
-
-- Expand to broad deployment after the Current Branch for Business is available.
-
-- Complete deployments by using that release in advance of the availability of the next Current Branch.
-
-
-
-Figure 2. Deployment timeline
-
-Some organizations may require more than 12 months to deploy Windows 10 to all of their existing PCs. To address this, it may be necessary to deploy multiple Windows 10 releases, switching to these new releases during the deployment project. Notice how the timelines can overlap, with the evaluation of one release happening during the pilot and deployment of the previous release:
-
-
-
-Figure 3. Overlapping releases
-
-As a result of these overlapping timelines, organizations can choose which release to deploy. Note though that by continuing for longer with one release, that gives you less time to deploy the subsequent release (to both existing Windows 10 PCs as well as newly-migrated ones), so staying with one release for the full lifetime of that release can be detrimental overall.
-
-## Long-Term Servicing Branch
-
-
-For specialized devices, Windows 10 Enterprise Long Term Servicing Branch (LTSB) ISO images will be made available. These are expected to be on a variable schedule, less often than CB and CBB releases. Once released, these will be supported with security and reliability fixes for an extended period; no new features will be added over its servicing lifetime. Note that LTSB images will not contain most in-box Universal Windows Apps (for example, Microsoft Edge, Cortana, the Windows Store, the Mail and Calendar apps) because the apps or the services that they use will be frequently updated with new functionality and therefore cannot be supported on PCs running the LTSB OS.
-
-These LTSB images can be used to upgrade existing machines or to create new custom images.
-
-Note that Windows 10 Enterprise LTSB installations fully support the Universal Windows Platform, with the ability to run line-of-business apps created using the Windows SDK, Visual Studio, and related tools capable of creating Universal Windows apps. For apps from other ISVs (including those published in the Windows Store), contact the ISV to confirm if they will provide long-term support for their specific apps.
-
-As mentioned previously, there are few, if any, scenarios where an organization would use the Long-Term Servicing Branch for every PC – or even for a majority of them.
-
-## Windows Insider Program
-
-
-During the development of a new Windows 10 feature update, preview releases will be made available to Windows Insider Program participants. This enables those participants to try out new features, check application compatibility, and provide feedback during the development process.
-
-To obtain Windows Insider Program builds, the Windows Insider Program participants must opt in through the Settings app, and specify their Microsoft account.
-
-Occasionally (typically as features are made available to those in the Windows Insider Program “slow” ring), new ISO images will be released to enable deployment validation, testing, and image creation.
-
-## Switching between branches
-
-
-During the life of a particular PC, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved.
-
-
-
-
-
-
-
-
-
-
-
-
-Windows Insider Program |
-Current Branch |
-Wait for the final Current Branch release. |
-
-
- |
-Current Branch for Business |
-Not directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle. |
-
-
- |
-Long-Term Servicing Branch |
-Not directly possible (requires wipe-and-load). |
-
-
-Current Branch |
-Insider |
-Use the Settings app to enroll the device in the Windows Insider Program. |
-
-
- |
-Current Branch for Business |
-Select the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release. |
-
-
- |
-Long-Term Servicing Branch |
-Not directly possible (requires wipe-and-load). |
-
-
-Current Branch for Business |
-Insider |
-Use the Settings app to enroll the device in the Windows Insider Program. |
-
-
- |
-Current Branch |
-Disable the Defer upgrade setting, or move the PC to a target group or flight that will receive the latest Current Branch release. |
-
-
- |
-Long-Term Servicing Branch |
-Not directly possible (requires wipe-and-load). |
-
-
-Long-Term Servicing Branch |
-Insider |
-Use media to upgrade to the latest Windows Insider Program build. |
-
-
- |
-Current Branch |
-Use media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.) |
-
-
- |
-Current Branch for Business |
-Use media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build. |
-
-
-
-
-
+Windows 10 enables organizations to fulfill the desire to provide users with the latest features while balancing the need for manageability and cost control. To keep pace with technology, there are good business reasons to keep a significant portion of your enterprise's devices *current* with the latest release of Windows.
## Related topics
-
-[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
-
-[Windows 10 compatibility](windows-10-compatibility.md)
-
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
-
-
-
-
-
-
-
-
-
+[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
+[Windows 10 compatibility](windows-10-compatibility.md)
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
\ No newline at end of file
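Review bot: the single `+` replacement paragraph drops the one servicing fact readers need for patch planning, namely that Current Branch and Current Branch for Business have a finite servicing lifetime and machines must take the next feature upgrade to keep receiving monthly security updates (the removed `-Unlike previous versions of Windows, the servicing lifetime ...` paragraph), and the removed `-For more information about the Windows as a service model, refer to [Windows 10 servicing options ...]` link is not carried over, so nothing points readers to where the deferral windows and the branch-switching matrix now live; keep at least that link. Also, the three `+[Windows 10 ...]` Related topics links at the end sit on consecutive lines with no blank line between them, so they render as one paragraph, and the file now ends without a trailing newline.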
diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md
index 5bd63a42af..48f7a4f853 100644
--- a/windows/whats-new/credential-guard.md
+++ b/windows/whats-new/credential-guard.md
@@ -13,6 +13,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
+- Windows Server 2016
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md
index ed8847ee60..c96f390c98 100644
--- a/windows/whats-new/device-guard-overview.md
+++ b/windows/whats-new/device-guard-overview.md
@@ -15,6 +15,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows 10 Mobile
+- Windows Server 2016
Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.
Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
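Review bot: adding `+- Windows Server 2016` to the Applies to list leaves the unchanged body sentence `Device Guard uses the new virtualization-based security in Windows 10 Enterprise ...` scoped to Windows 10 Enterprise only, which now contradicts the header; either extend that sentence to name Windows Server 2016 as well or state the server-side requirement separately.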
diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md
index cc29c76faa..4b157c50e8 100644
--- a/windows/whats-new/edp-whats-new-overview.md
+++ b/windows/whats-new/edp-whats-new-overview.md
@@ -16,76 +16,61 @@ author: eross-msft
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]
+[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud.
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-Many of the existing solutions try to address this issue by requiring employees to switch between personal and work containers and apps, which can lead to a less than optimal user experience. The feature code-named enterprise data protection (EDP) offers a better user experience, while helping to better separate and protect enterprise apps and data against disclosure risks across both company and personal devices, without requiring changes in environments or apps. Additionally, EDP when used with Rights Management Services (RMS), can help to protect your enterprise data locally, persisting the protection even when your data roams or is shared.
+Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
## Benefits of EDP
EDP provides:
-- Additional protection against enterprise data leakage, with minimal impact on employees’ regular work practices.
-- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
-- Additional data protection for existing line-of-business apps without a need to update the apps.
-- Ability to wipe corporate data from devices while leaving personal data alone.
-- Use of audit reports for tracking issues and remedial actions.
-- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later)’, or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
-- Additional protection for your data (through RMS integration) while roaming and sharing, like when you share encrypted content through Outlook or move encrypted files to USB keys.
-- Ability to manage Office universal apps on Windows 10 devices using an MDM solution to help protect corporate data. To manage Office mobile apps for Android and iOS devices, see technical resources [here]( http://go.microsoft.com/fwlink/p/?LinkId=526490).
+- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
+
+- Additional data protection for existing line-of-business apps without a need to update the apps.
+
+- Ability to wipe corporate data from devices while leaving personal data alone.
+
+- Use of audit reports for tracking issues and remedial actions.
+
+- Integration with your existing management system (Microsoft Intune, System Center Configuration Manager (version 1511 or later), or your current mobile device management (MDM) system) to configure, deploy, and manage EDP for your company.
## Enterprise scenarios
-
EDP currently addresses these enterprise scenarios:
-- You can encrypt enterprise data on employee-owned and corporate-owned devices.
-- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
-- You can select specific apps that can access enterprise data, called "protected apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
-- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
+- You can encrypt enterprise data on employee-owned and corporate-owned devices.
-### Enterprise data security
+- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
-As an enterprise admin, you need to maintain the security and confidentiality of your corporate data. Using EDP you can help ensure that your corporate data is protected on your employee-owned computers, even when the employee isn’t actively using it. In this case, when the employee initially creates the content on a managed device he’s asked whether it’s a work document. If it's a work document, it becomes locally-protected as enterprise data.
+- You can select specific apps that can access enterprise data, called "allowed apps" that are clearly recognizable to employees. You can also block non-protected apps from accessing enterprise data.
-### Persistent data encryption
+- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
-EDP helps keep your enterprise data protected, even when it roams. Apps like Office and OneNote work with EDP to persist your data encryption across locations and services. For example, if an employee opens EDP-encrypted content from Outlook, edits it, and then tries to save the edited version with a different name to remove the encryption, it won’t work. Outlook automatically applies EDP to the new document, keeping the data encryption in place.
+## Why use EDP?
+EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-### Remotely wiping devices of enterprise data
-EDP also offers the ability to remotely wipe your corporate data from all devices managed by you and used by an employee, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen computer.
-In this case, documents are stored locally, and encrypted with an enterprise identity. When you verify that you have to wipe the device, you can send a remote wipe command through your mobile device management system so when the device connects to the network, the encryption keys are revoked and the enterprise data is removed. This action only affects devices that have been targeted by the command. All other devices will continue to work normally.
+- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
-### Protected apps and restrictions
+- **Manage your enterprise documents, apps, and encryption modes.**
-Using EDP you can control the set of apps that are made "protected apps", or apps that can access and use your enterprise data. After you add an app to your **Protected App** list, it’s trusted to use enterprise data. All apps not on this list are treated as personal and are potentially blocked from accessing your corporate data, depending on your EDP protection-mode.
-As a note, your existing line-of-business apps don’t have to change to be included as protected apps. You simply have to include them in your list.
+ - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
-### Great employee experiences
+ - **Using allowed apps.** Managed apps (apps that you've included on the allowed apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
-EDP can offer a great user experience by not requiring employees to switch between apps to protect corporate data. For example, while checking work emails in Microsoft Outlook, an employee gets a personal message. Instead of having to leave Outlook, both the work and personal messages appear on the screen, side-by-side.
+ - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your EDP management-mode.
+
+ You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in your protected apps list.
-#### Using protected apps
+ - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list.
-Protected apps are allowed to access your enterprise data and will react differently with other non-protected or personal apps. For example, if your EDP-protection mode is set to block, your protected apps will let the employee copy and paste information between other protected apps, but not with personal apps. Imagine an HR person wants to copy a job description from a protected app to an internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that it couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website and it works without a problem.
+ - **Data encryption at rest.** EDP helps protect enterprise data on local files and on removable media.
+
+ Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
-#### Copying or downloading enterprise data
+ - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
-Downloading content from a location like SharePoint or a network file share, or an enterprise web location, such as Office365.com automatically determines that the content is enterprise data and is encrypted as such, while it’s stored locally. The same applies to copying enterprise data to something like a USB drive. Because the content is already marked as enterprise data locally, the encryption is persisted on the new device.
+ - **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
-#### Changing the EDP protection
-
-Employees can change enterprise data protected documents back to personal if the document is wrongly marked as enterprise. However, this requires the employee to take an action and is audited and logged for you to review
-
-### Deciding your level of data access
-
-EDP lets you decide to block, allow overrides, or silently audit your employee's data sharing actions. Blocking the action stops it immediately, while allowing overrides let the employee know there's a problem, but lets the employee continue to share the info, and silent just logs the action without stopping it, letting you start to see patterns of inappropriate sharing so you can take educative action.
-
-### Helping prevent accidental data disclosure to public spaces
-
-EDP helps protect your enterprise data from being shared to public spaces, like the public cloud, accidentally. For example, if an employee stores content in the **Documents** folder, which is automatically synched with OneDrive (an app on your Protected Apps list), then the document is encrypted locally and not synched it to the user’s personal cloud. Likewise, if other synching apps, like Dropbox™, aren’t on the Protected Apps list, they also won’t be able to sync encrypted files to the user’s personal cloud.
-
-### Helping prevent accidental data disclosure to other devices
-
-EDP helps protect your enterprise data from leaking to other devices while transferring or moving between them. For example, if an employee puts corporate data on a USB key that also includes personal data, the corporate data remains encrypted even though the personal information remains open. Additionally, the encryption continues when the employee copies the encrypted content back to another corporate-managed device.
+ - **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
## Turn off EDP
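Review bot: the `+ - **Managed apps and restrictions.**` line says apps not on the list "are blocked from accessing your enterprise data, depending on your EDP management-mode", which is self-contradictory and conflicts with the `+ - **Deciding your level of data access.**` line that describes block, allow-override and audit modes; the `-` text had "potentially blocked", so restore that word or say explicitly that only the Block mode denies access. The same hunk also alternates between "allowed apps"/"allowed apps list" (`+- You can select specific apps ...`, `+ - **Using allowed apps.**`) and "protected apps"/"protected apps list" (the `+ - **Managed apps and restrictions.**`, `+ - **Deciding your level ...**` and `+ - **Helping prevent accidental data disclosure to public spaces.**` lines) for the same list, and introduces the third mode as "audit" and then as "Silent" within one bullet; pick one term for each. Finally, the last `+ - **Remove access to enterprise data ...**` bullet replaces the explicit MDM remote wipe command of the `-` text with unenrollment and says the data becomes unreadable rather than removed, a behavioural change that should be called out rather than silently reworded.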
diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md
index 15350dc9c4..13c6a7e5b8 100644
--- a/windows/whats-new/security-auditing.md
+++ b/windows/whats-new/security-auditing.md
@@ -10,9 +10,11 @@ ms.pagetype: security, mobile
---
# What's new in security auditing?
+
**Applies to**
- Windows 10
- Windows 10 Mobile
+- Windows Server 2016
Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.
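Review bot: the `+` blank line inserted after `# What's new in security auditing?` is a style change that the other files touched in this patch (credential-guard.md, device-guard-overview.md, trusted-platform-module.md) do not receive, so the heading spacing is now inconsistent across the set; either apply it to all of them or leave this one as it was.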
diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md
index 9937fada56..18a325aa7f 100644
--- a/windows/whats-new/trusted-platform-module.md
+++ b/windows/whats-new/trusted-platform-module.md
@@ -14,6 +14,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows 10 Mobile
+- Windows Server 2016
This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.
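Review bot: with `+- Windows Server 2016` added to the Applies to list, the unchanged opening sentence `This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10.` still scopes the topic to Windows 10 only; update it to name Windows Server 2016 as well so the body matches the header.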