Merge branch 'wdac' of https://cpubwin.visualstudio.com/_git/it-client into wdac

windows/security/threat-protection/TOC.md

@@ -280,7 +280,8 @@
 #### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
 
 
-## [Windows Defender Application Control](windows-defender-application-control.md)
+## [Windows Defender Application Control](windows-defender-application-control\windows-defender-application-control.md)
+### [Deploy WDAC policies](windows-defender-application-control\deploy-windows-defender-application-control-policies.md)
 
 ## [Enable HVCI](enable-virtualization-based-protection-of-code-integrity.md)
 

windows/security/threat-protection/applocker/TOC.md

@@ -0,0 +1,91 @@
+
+# [AppLocker](applocker-overview.md)
+
+## [Administer AppLocker](administer-applocker.md)
+### [Maintain AppLocker policies](maintain-applocker-policies.md)
+### [Edit an AppLocker policy](edit-an-applocker-policy.md)
+### [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
+### [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
+### [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md)
+### [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)
+### [Optimize AppLocker performance](optimize-applocker-performance.md)
+### [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
+### [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)
+### [Working with AppLocker rules](working-with-applocker-rules.md)
+#### [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+#### [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+#### [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+#### [Create AppLocker default rules](create-applocker-default-rules.md)
+#### [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
+#### [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md)
+#### [Delete an AppLocker rule](delete-an-applocker-rule.md)
+#### [Edit AppLocker rules](edit-applocker-rules.md)
+#### [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
+#### [Enforce AppLocker rules](enforce-applocker-rules.md)
+#### [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
+### [Working with AppLocker policies](working-with-applocker-policies.md)
+#### [Configure the Application Identity service](configure-the-application-identity-service.md)
+#### [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+#### [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
+#### [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)
+#### [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md)
+#### [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
+#### [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)
+#### [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)
+#### [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)
+#### [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md)
+#### [Merge AppLocker policies manually](merge-applocker-policies-manually.md)
+#### [Refresh an AppLocker policy](refresh-an-applocker-policy.md)
+#### [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)
+## [AppLocker design guide](applocker-policies-design-guide.md)
+### [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
+### [Determine your application control objectives](determine-your-application-control-objectives.md)
+### [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+#### [Document your app list](document-your-application-list.md)
+### [Select the types of rules to create](select-types-of-rules-to-create.md)
+#### [Document your AppLocker rules](document-your-applocker-rules.md)
+### [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+#### [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
+#### [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
+#### [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md)
+### [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+#### [Document your application control management processes](document-your-application-control-management-processes.md)
+### [Create your AppLocker planning document](create-your-applocker-planning-document.md)
+## [AppLocker deployment guide](applocker-policies-deployment-guide.md)
+### [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
+### [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md)
+### [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md)
+### [Create Your AppLocker policies](create-your-applocker-policies.md)
+#### [Create Your AppLocker rules](create-your-applocker-rules.md)
+### [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
+#### [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
+#### [Determine which apps are digitally signed on a reference device](determine-which-applications-are-digitally-signed-on-a-reference-computer.md)
+### [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
+## [AppLocker technical reference](applocker-technical-reference.md)
+### [What Is AppLocker?](what-is-applocker.md)
+### [Requirements to use AppLocker](requirements-to-use-applocker.md)
+### [AppLocker policy use scenarios](applocker-policy-use-scenarios.md)
+### [How AppLocker works](how-applocker-works-techref.md)
+#### [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
+#### [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+#### [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+#### [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+#### [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+##### [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
+##### [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
+##### [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
+#### [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+##### [Executable rules in AppLocker](executable-rules-in-applocker.md)
+##### [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
+##### [Script rules in AppLocker](script-rules-in-applocker.md)
+##### [DLL rules in AppLocker](dll-rules-in-applocker.md)
+##### [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
+### [AppLocker architecture and components](applocker-architecture-and-components.md)
+### [AppLocker processes and interactions](applocker-processes-and-interactions.md)
+### [AppLocker functions](applocker-functions.md)
+### [Security considerations for AppLocker](security-considerations-for-applocker.md)
+### [Tools to Use with AppLocker](tools-to-use-with-applocker.md)
+#### [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md)
+### [AppLocker Settings](applocker-settings.md)
+
+

windows/security/threat-protection/change-history-for-threat-protection.md

@@ -21,7 +21,7 @@ New or changed topic | Description
 ## January 2018
 |New or changed topic |Description |
 |---------------------|------------|
-|[Windows Defender Application Control](windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. |
+|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. |
 
 ## November 2017
 |New or changed topic |Description |

windows/security/threat-protection/index.md

@@ -19,8 +19,8 @@ Learn more about how to help protect against threats in Windows 10 and Windows
 |[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
 |[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender Antivirus, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
 |[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
-|[Windows Defender Application Control](enable-virtualization-based-protection-of-code-integrity.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).|
-|[Enable HVCI](windows-defender-application-control.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.|
+|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).|
+|[Enable HVCI](enable-virtualization-based-protection-of-code-integrity.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.|
 |[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
 |[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
 |[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.|

windows/security/threat-protection/windows-defender-antivirus/TOC.md

@@ -0,0 +1,68 @@
+
+#	[Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
+## [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+
+## [Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
+
+## [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md)
+### [Use limited periodic scanning in Windows Defender AV](limited-periodic-scanning-windows-defender-antivirus.md)
+
+
+## [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
+
+
+## [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
+#### [Deployment guide for VDI environments](deployment-vdi-windows-defender-antivirus.md)
+### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
+#### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md)
+### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+#### [Manage protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+#### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+#### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+#### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+#### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+
+## [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
+### [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+#### [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+#### [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
+#### [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md)
+#### [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+#### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+#### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+#### [Enable and configure always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
+#### [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+#### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+#### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+
+
+## [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+#### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+#### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+#### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
+### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+### [Configure and run scans](run-scan-windows-defender-antivirus.md)
+### [Review scan results](review-scan-results-windows-defender-antivirus.md)
+### [Run and review the results of a Windows Defender Offline scan](windows-defender-offline.md)
+
+
+## [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
+
+
+
+## [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)
+### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)
+### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)
+### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)
+### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-windows-defender-antivirus.md)
+
+

windows/security/threat-protection/windows-defender-application-control/TOC.md

@@ -0,0 +1,3 @@
+# [Windows Defender Application Control](windows-defender-application-control.md)
+
+## [Enable HVCI](enable-virtualization-based-protection-of-code-integrity.md)

windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies.md

@@ -0,0 +1,44 @@
+---
+title: Deploy Windows Defender Application Control (WDAC) Policies (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 02/08/2018
+---
+
+# Deploy Windows Defender Application Control Policies
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+## Introduction
+
+You can deploy WDAC policies using Group Policy, System Center Configuration Manager (SCCM), or Microsoft Intune. 
+
+## Deployment options
+
+# [Group Policy](#tab/GP)
+
+If you use Group Policy, follow these steps.
+
+# [SCCM](#tab/SCCM)
+
+If you use SCCM, follow these steps.
+
+# [Intune](#tab/Intune)
+
+If you use Microsoft Intune, follow these steps. 
+
+---
+
+## Another Heading
+
+placeholder text
+
+

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -0,0 +1,173 @@
+# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
+
+##Get started
+## [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+## [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
+## [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+## [Preview features](preview-windows-defender-advanced-threat-protection.md)
+## [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
+## [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
+## [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
+## [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+### [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+#### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
+### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+### [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+## [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+## [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+## [Run a detection test on a newly onboarded endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
+## [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+## [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+## [Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
+## [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
+## [View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+## [View the Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+
+##Investigate and remediate threats
+##Alerts queue
+### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
+### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
+### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
+### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
+
+##Machines list
+### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+#### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+#### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+#### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+#### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+
+
+## [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
+### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+#### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
+### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+#### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+#### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+#### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+
+##API and SIEM support
+## [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
+### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+
+## [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
+### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+## [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
+### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
+###Actor
+#### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
+#### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+###Alerts
+#### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
+#### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+#### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+#### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+#### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+#### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+#### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+###Domain
+####  [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+#### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+#### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+#### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+###File
+#### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
+#### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
+#### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+#### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
+#### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
+#### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+#### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
+
+###IP
+#### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+#### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+#### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
+#### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+###Machines
+#### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+#### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+#### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
+#### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+#### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+#### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
+#### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+#### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+#### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+#### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+#### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
+#### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+#### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
+#### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
+#### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+#### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
+#### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+#### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
+#### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+
+
+###User
+#### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+#### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
+#### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+#### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+##Reporting
+## [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+
+##Check service health and sensor state
+## [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
+### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+## [Check service health](service-status-windows-defender-advanced-threat-protection.md)
+## [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md)
+## [Update general settings](general-settings-windows-defender-advanced-threat-protection.md)
+## [Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
+## [Enable preview experience](preview-settings-windows-defender-advanced-threat-protection.md)
+## [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+## [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+## [Enable Threat intel API](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+## [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+## [Enable Security Analytics security controls](enable-security-analytics-windows-defender-advanced-threat-protection.md)
+
+## [Configure Windows Defender ATP time zone settings](settings-windows-defender-advanced-threat-protection.md)
+## [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)
+## [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
+## [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
+## [Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md)
+

windows/security/threat-protection/windows-defender-exploit-guard/TOC.md

@@ -0,0 +1,591 @@
+# [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
+
+## [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
+### [Use auditing mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
+### [View Exploit Guard events](event-views-exploit-guard.md)
+
+## [Exploit protection](exploit-protection-exploit-guard.md)
+### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+### [Evaluate Exploit protection](evaluate-exploit-protection.md)
+### [Enable Exploit protection](enable-exploit-protection.md)
+### [Customize Exploit protection](customize-exploit-protection.md)
+#### [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+## [Attack surface reduction](attack-surface-reduction-exploit-guard.md)
+### [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
+### [Enable Attack surface reduction](enable-attack-surface-reduction.md)
+### [Customize Attack surface reduction](customize-attack-surface-reduction.md)
+### [Troubleshoot Attack surface reduction rules](troubleshoot-asr.md)
+## [Network Protection](network-protection-exploit-guard.md)
+### [Evaluate Network Protection](evaluate-network-protection.md)
+### [Enable Network Protection](enable-network-protection.md)
+### [Troubleshoot Network protection](troubleshoot-np.md)
+## [Controlled folder access](controlled-folders-exploit-guard.md)
+### [Evaluate Controlled folder access](evaluate-controlled-folder-access.md)
+### [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md)
+### [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
+
+
+## [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
+
+## [Device Guard deployment guide](device-guard/device-guard-deployment-guide.md)
+### [Introduction to Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+### [Requirements and deployment planning guidelines for Device Guard](device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md)
+### [Planning and getting started on the Device Guard deployment process](device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md)
+### [Deploy WDAC](device-guard/deploy-windows-defender-application-control.md)
+#### [Optional: Create a code signing certificate for WDAC](device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
+#### [Deploy WDAC: policy rules and file rules](device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
+#### [Steps to deploy WDAC](device-guard/steps-to-deploy-windows-defender-application-control.md)
+#### [Deploy catalog files to support WDAC](device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md)
+#### [Deploy Managed Installer for Device Guard](device-guard/deploy-managed-installer-for-device-guard.md)
+### [Deploy Device Guard: enable virtualization-based security](device-guard/deploy-device-guard-enable-virtualization-based-security.md)
+
+
+## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
+### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
+### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
+
+##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md)
+###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md)
+###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md)
+###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md)
+###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md)
+###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md)
+
+## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
+
+## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
+
+## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
+
+## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
+
+## [Security auditing](auditing\security-auditing-overview.md)
+### [Basic security audit policies](auditing\basic-security-audit-policies.md)
+#### [Create a basic audit policy for an event category](auditing\create-a-basic-audit-policy-settings-for-an-event-category.md)
+#### [Apply a basic audit policy on a file or folder](auditing\apply-a-basic-audit-policy-on-a-file-or-folder.md)
+#### [View the security event log](auditing\view-the-security-event-log.md)
+#### [Basic security audit policy settings](auditing\basic-security-audit-policy-settings.md)
+##### [Audit account logon events](auditing\basic-audit-account-logon-events.md)
+##### [Audit account management](auditing\basic-audit-account-management.md)
+##### [Audit directory service access](auditing\basic-audit-directory-service-access.md)
+##### [Audit logon events](auditing\basic-audit-logon-events.md)
+##### [Audit object access](auditing\basic-audit-object-access.md)
+##### [Audit policy change](auditing\basic-audit-policy-change.md)
+##### [Audit privilege use](auditing\basic-audit-privilege-use.md)
+##### [Audit process tracking](auditing\basic-audit-process-tracking.md)
+##### [Audit system events](auditing\basic-audit-system-events.md)
+### [Advanced security audit policies](auditing\advanced-security-auditing.md)
+#### [Planning and deploying advanced security audit policies](auditing\planning-and-deploying-advanced-security-audit-policies.md)
+#### [Advanced security auditing FAQ](auditing\advanced-security-auditing-faq.md)
+##### [Which editions of Windows support advanced audit policy configuration](auditing\which-editions-of-windows-support-advanced-audit-policy-configuration.md)
+#### [Using advanced security auditing options to monitor dynamic access control objects](auditing\using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+##### [Monitor the central access policies that apply on a file server](auditing\monitor-the-central-access-policies-that-apply-on-a-file-server.md)
+##### [Monitor the use of removable storage devices](auditing\monitor-the-use-of-removable-storage-devices.md)
+##### [Monitor resource attribute definitions](auditing\monitor-resource-attribute-definitions.md)
+##### [Monitor central access policy and rule definitions](auditing\monitor-central-access-policy-and-rule-definitions.md)
+##### [Monitor user and device claims during sign-in](auditing\monitor-user-and-device-claims-during-sign-in.md)
+##### [Monitor the resource attributes on files and folders](auditing\monitor-the-resource-attributes-on-files-and-folders.md)
+##### [Monitor the central access policies associated with files and folders](auditing\monitor-the-central-access-policies-associated-with-files-and-folders.md)
+##### [Monitor claim types](auditing\monitor-claim-types.md)
+#### [Advanced security audit policy settings](auditing\advanced-security-audit-policy-settings.md)
+##### [Audit Credential Validation](auditing\audit-credential-validation.md)
+###### [Event 4774 S, F: An account was mapped for logon.](auditing\event-4774.md)
+###### [Event 4775 F: An account could not be mapped for logon.](auditing\event-4775.md)
+###### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing\event-4776.md)
+###### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing\event-4777.md)
+##### [Audit Kerberos Authentication Service](auditing\audit-kerberos-authentication-service.md)
+###### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing\event-4768.md)
+###### [Event 4771 F: Kerberos pre-authentication failed.](auditing\event-4771.md)
+###### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing\event-4772.md)
+##### [Audit Kerberos Service Ticket Operations](auditing\audit-kerberos-service-ticket-operations.md)
+###### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing\event-4769.md)
+###### [Event 4770 S: A Kerberos service ticket was renewed.](auditing\event-4770.md)
+###### [Event 4773 F: A Kerberos service ticket request failed.](auditing\event-4773.md)
+##### [Audit Other Account Logon Events](auditing\audit-other-account-logon-events.md)
+##### [Audit Application Group Management](auditing\audit-application-group-management.md)
+##### [Audit Computer Account Management](auditing\audit-computer-account-management.md)
+###### [Event 4741 S: A computer account was created.](auditing\event-4741.md)
+###### [Event 4742 S: A computer account was changed.](auditing\event-4742.md)
+###### [Event 4743 S: A computer account was deleted.](auditing\event-4743.md)
+##### [Audit Distribution Group Management](auditing\audit-distribution-group-management.md)
+###### [Event 4749 S: A security-disabled global group was created.](auditing\event-4749.md)
+###### [Event 4750 S: A security-disabled global group was changed.](auditing\event-4750.md)
+###### [Event 4751 S: A member was added to a security-disabled global group.](auditing\event-4751.md)
+###### [Event 4752 S: A member was removed from a security-disabled global group.](auditing\event-4752.md)
+###### [Event 4753 S: A security-disabled global group was deleted.](auditing\event-4753.md)
+##### [Audit Other Account Management Events](auditing\audit-other-account-management-events.md)
+###### [Event 4782 S: The password hash an account was accessed.](auditing\event-4782.md)
+###### [Event 4793 S: The Password Policy Checking API was called.](auditing\event-4793.md)
+##### [Audit Security Group Management](auditing\audit-security-group-management.md)
+###### [Event 4731 S: A security-enabled local group was created.](auditing\event-4731.md)
+###### [Event 4732 S: A member was added to a security-enabled local group.](auditing\event-4732.md)
+###### [Event 4733 S: A member was removed from a security-enabled local group.](auditing\event-4733.md)
+###### [Event 4734 S: A security-enabled local group was deleted.](auditing\event-4734.md)
+###### [Event 4735 S: A security-enabled local group was changed.](auditing\event-4735.md)
+###### [Event 4764 S: A group’s type was changed.](auditing\event-4764.md)
+###### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing\event-4799.md)
+##### [Audit User Account Management](auditing\audit-user-account-management.md)
+###### [Event 4720 S: A user account was created.](auditing\event-4720.md)
+###### [Event 4722 S: A user account was enabled.](auditing\event-4722.md)
+###### [Event 4723 S, F: An attempt was made to change an account's password.](auditing\event-4723.md)
+###### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing\event-4724.md)
+###### [Event 4725 S: A user account was disabled.](auditing\event-4725.md)
+###### [Event 4726 S: A user account was deleted.](auditing\event-4726.md)
+###### [Event 4738 S: A user account was changed.](auditing\event-4738.md)
+###### [Event 4740 S: A user account was locked out.](auditing\event-4740.md)
+###### [Event 4765 S: SID History was added to an account.](auditing\event-4765.md)
+###### [Event 4766 F: An attempt to add SID History to an account failed.](auditing\event-4766.md)
+###### [Event 4767 S: A user account was unlocked.](auditing\event-4767.md)
+###### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing\event-4780.md)
+###### [Event 4781 S: The name of an account was changed.](auditing\event-4781.md)
+###### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing\event-4794.md)
+###### [Event 4798 S: A user's local group membership was enumerated.](auditing\event-4798.md)
+###### [Event 5376 S: Credential Manager credentials were backed up.](auditing\event-5376.md)
+###### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing\event-5377.md)
+##### [Audit DPAPI Activity](auditing\audit-dpapi-activity.md)
+###### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing\event-4692.md)
+###### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing\event-4693.md)
+###### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing\event-4694.md)
+###### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing\event-4695.md)
+##### [Audit PNP Activity](auditing\audit-pnp-activity.md)
+###### [Event 6416 S: A new external device was recognized by the System.](auditing\event-6416.md)
+###### [Event 6419 S: A request was made to disable a device.](auditing\event-6419.md)
+###### [Event 6420 S: A device was disabled.](auditing\event-6420.md)
+###### [Event 6421 S: A request was made to enable a device.](auditing\event-6421.md)
+###### [Event 6422 S: A device was enabled.](auditing\event-6422.md)
+###### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing\event-6423.md)
+###### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing\event-6424.md)
+##### [Audit Process Creation](auditing\audit-process-creation.md)
+###### [Event 4688 S: A new process has been created.](auditing\event-4688.md)
+###### [Event 4696 S: A primary token was assigned to process.](auditing\event-4696.md)
+##### [Audit Process Termination](auditing\audit-process-termination.md)
+###### [Event 4689 S: A process has exited.](auditing\event-4689.md)
+##### [Audit RPC Events](auditing\audit-rpc-events.md)
+###### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing\event-5712.md)
+##### [Audit Detailed Directory Service Replication](auditing\audit-detailed-directory-service-replication.md)
+###### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing\event-4928.md)
+###### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing\event-4929.md)
+###### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing\event-4930.md)
+###### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing\event-4931.md)
+###### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing\event-4934.md)
+###### [Event 4935 F: Replication failure begins.](auditing\event-4935.md)
+###### [Event 4936 S: Replication failure ends.](auditing\event-4936.md)
+###### [Event 4937 S: A lingering object was removed from a replica.](auditing\event-4937.md)
+##### [Audit Directory Service Access](auditing\audit-directory-service-access.md)
+###### [Event 4662 S, F: An operation was performed on an object.](auditing\event-4662.md)
+###### [Event 4661 S, F: A handle to an object was requested.](auditing\event-4661.md)
+##### [Audit Directory Service Changes](auditing\audit-directory-service-changes.md)
+###### [Event 5136 S: A directory service object was modified.](auditing\event-5136.md)
+###### [Event 5137 S: A directory service object was created.](auditing\event-5137.md)
+###### [Event 5138 S: A directory service object was undeleted.](auditing\event-5138.md)
+###### [Event 5139 S: A directory service object was moved.](auditing\event-5139.md)
+###### [Event 5141 S: A directory service object was deleted.](auditing\event-5141.md)
+##### [Audit Directory Service Replication](auditing\audit-directory-service-replication.md)
+###### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing\event-4932.md)
+###### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing\event-4933.md)
+##### [Audit Account Lockout](auditing\audit-account-lockout.md)
+###### [Event 4625 F: An account failed to log on.](auditing\event-4625.md)
+##### [Audit User/Device Claims](auditing\audit-user-device-claims.md)
+###### [Event 4626 S: User/Device claims information.](auditing\event-4626.md)
+##### [Audit Group Membership](auditing\audit-group-membership.md)
+###### [Event 4627 S: Group membership information.](auditing\event-4627.md)
+##### [Audit IPsec Extended Mode](auditing\audit-ipsec-extended-mode.md)
+##### [Audit IPsec Main Mode](auditing\audit-ipsec-main-mode.md)
+##### [Audit IPsec Quick Mode](auditing\audit-ipsec-quick-mode.md)
+##### [Audit Logoff](auditing\audit-logoff.md)
+###### [Event 4634 S: An account was logged off.](auditing\event-4634.md)
+###### [Event 4647 S: User initiated logoff.](auditing\event-4647.md)
+##### [Audit Logon](auditing\audit-logon.md)
+###### [Event 4624 S: An account was successfully logged on.](auditing\event-4624.md)
+###### [Event 4625 F: An account failed to log on.](auditing\event-4625.md)
+###### [Event 4648 S: A logon was attempted using explicit credentials.](auditing\event-4648.md)
+###### [Event 4675 S: SIDs were filtered.](auditing\event-4675.md)
+##### [Audit Network Policy Server](auditing\audit-network-policy-server.md)
+##### [Audit Other Logon/Logoff Events](auditing\audit-other-logonlogoff-events.md)
+###### [Event 4649 S: A replay attack was detected.](auditing\event-4649.md)
+###### [Event 4778 S: A session was reconnected to a Window Station.](auditing\event-4778.md)
+###### [Event 4779 S: A session was disconnected from a Window Station.](auditing\event-4779.md)
+###### [Event 4800 S: The workstation was locked.](auditing\event-4800.md)
+###### [Event 4801 S: The workstation was unlocked.](auditing\event-4801.md)
+###### [Event 4802 S: The screen saver was invoked.](auditing\event-4802.md)
+###### [Event 4803 S: The screen saver was dismissed.](auditing\event-4803.md)
+###### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing\event-5378.md)
+###### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing\event-5632.md)
+###### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing\event-5633.md)
+##### [Audit Special Logon](auditing\audit-special-logon.md)
+###### [Event 4964 S: Special groups have been assigned to a new logon.](auditing\event-4964.md)
+###### [Event 4672 S: Special privileges assigned to new logon.](auditing\event-4672.md)
+##### [Audit Application Generated](auditing\audit-application-generated.md)
+##### [Audit Certification Services](auditing\audit-certification-services.md)
+##### [Audit Detailed File Share](auditing\audit-detailed-file-share.md)
+###### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing\event-5145.md)
+##### [Audit File Share](auditing\audit-file-share.md)
+###### [Event 5140 S, F: A network share object was accessed.](auditing\event-5140.md)
+###### [Event 5142 S: A network share object was added.](auditing\event-5142.md)
+###### [Event 5143 S: A network share object was modified.](auditing\event-5143.md)
+###### [Event 5144 S: A network share object was deleted.](auditing\event-5144.md)
+###### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing\event-5168.md)
+##### [Audit File System](auditing\audit-file-system.md)
+###### [Event 4656 S, F: A handle to an object was requested.](auditing\event-4656.md)
+###### [Event 4658 S: The handle to an object was closed.](auditing\event-4658.md)
+###### [Event 4660 S: An object was deleted.](auditing\event-4660.md)
+###### [Event 4663 S: An attempt was made to access an object.](auditing\event-4663.md)
+###### [Event 4664 S: An attempt was made to create a hard link.](auditing\event-4664.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing\event-4985.md)
+###### [Event 5051: A file was virtualized.](auditing\event-5051.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing\event-4670.md)
+##### [Audit Filtering Platform Connection](auditing\audit-filtering-platform-connection.md)
+###### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing\event-5031.md)
+###### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing\event-5150.md)
+###### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing\event-5151.md)
+###### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing\event-5154.md)
+###### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing\event-5155.md)
+###### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing\event-5156.md)
+###### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing\event-5157.md)
+###### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing\event-5158.md)
+###### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing\event-5159.md)
+##### [Audit Filtering Platform Packet Drop](auditing\audit-filtering-platform-packet-drop.md)
+###### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing\event-5152.md)
+###### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing\event-5153.md)
+##### [Audit Handle Manipulation](auditing\audit-handle-manipulation.md)
+###### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing\event-4690.md)
+##### [Audit Kernel Object](auditing\audit-kernel-object.md)
+###### [Event 4656 S, F: A handle to an object was requested.](auditing\event-4656.md)
+###### [Event 4658 S: The handle to an object was closed.](auditing\event-4658.md)
+###### [Event 4660 S: An object was deleted.](auditing\event-4660.md)
+###### [Event 4663 S: An attempt was made to access an object.](auditing\event-4663.md)
+##### [Audit Other Object Access Events](auditing\audit-other-object-access-events.md)
+###### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing\event-4671.md)
+###### [Event 4691 S: Indirect access to an object was requested.](auditing\event-4691.md)
+###### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing\event-5148.md)
+###### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing\event-5149.md)
+###### [Event 4698 S: A scheduled task was created.](auditing\event-4698.md)
+###### [Event 4699 S: A scheduled task was deleted.](auditing\event-4699.md)
+###### [Event 4700 S: A scheduled task was enabled.](auditing\event-4700.md)
+###### [Event 4701 S: A scheduled task was disabled.](auditing\event-4701.md)
+###### [Event 4702 S: A scheduled task was updated.](auditing\event-4702.md)
+###### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing\event-5888.md)
+###### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing\event-5889.md)
+###### [Event 5890 S: An object was added to the COM+ Catalog.](auditing\event-5890.md)
+##### [Audit Registry](auditing\audit-registry.md)
+###### [Event 4663 S: An attempt was made to access an object.](auditing\event-4663.md)
+###### [Event 4656 S, F: A handle to an object was requested.](auditing\event-4656.md)
+###### [Event 4658 S: The handle to an object was closed.](auditing\event-4658.md)
+###### [Event 4660 S: An object was deleted.](auditing\event-4660.md)
+###### [Event 4657 S: A registry value was modified.](auditing\event-4657.md)
+###### [Event 5039: A registry key was virtualized.](auditing\event-5039.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing\event-4670.md)
+##### [Audit Removable Storage](auditing\audit-removable-storage.md)
+##### [Audit SAM](auditing\audit-sam.md)
+###### [Event 4661 S, F: A handle to an object was requested.](auditing\event-4661.md)
+##### [Audit Central Access Policy Staging](auditing\audit-central-access-policy-staging.md)
+###### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing\event-4818.md)
+##### [Audit Audit Policy Change](auditing\audit-audit-policy-change.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing\event-4670.md)
+###### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing\event-4715.md)
+###### [Event 4719 S: System audit policy was changed.](auditing\event-4719.md)
+###### [Event 4817 S: Auditing settings on object were changed.](auditing\event-4817.md)
+###### [Event 4902 S: The Per-user audit policy table was created.](auditing\event-4902.md)
+###### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing\event-4906.md)
+###### [Event 4907 S: Auditing settings on object were changed.](auditing\event-4907.md)
+###### [Event 4908 S: Special Groups Logon table modified.](auditing\event-4908.md)
+###### [Event 4912 S: Per User Audit Policy was changed.](auditing\event-4912.md)
+###### [Event 4904 S: An attempt was made to register a security event source.](auditing\event-4904.md)
+###### [Event 4905 S: An attempt was made to unregister a security event source.](auditing\event-4905.md)
+##### [Audit Authentication Policy Change](auditing\audit-authentication-policy-change.md)
+###### [Event 4706 S: A new trust was created to a domain.](auditing\event-4706.md)
+###### [Event 4707 S: A trust to a domain was removed.](auditing\event-4707.md)
+###### [Event 4716 S: Trusted domain information was modified.](auditing\event-4716.md)
+###### [Event 4713 S: Kerberos policy was changed.](auditing\event-4713.md)
+###### [Event 4717 S: System security access was granted to an account.](auditing\event-4717.md)
+###### [Event 4718 S: System security access was removed from an account.](auditing\event-4718.md)
+###### [Event 4739 S: Domain Policy was changed.](auditing\event-4739.md)
+###### [Event 4864 S: A namespace collision was detected.](auditing\event-4864.md)
+###### [Event 4865 S: A trusted forest information entry was added.](auditing\event-4865.md)
+###### [Event 4866 S: A trusted forest information entry was removed.](auditing\event-4866.md)
+###### [Event 4867 S: A trusted forest information entry was modified.](auditing\event-4867.md)
+##### [Audit Authorization Policy Change](auditing\audit-authorization-policy-change.md)
+###### [Event 4703 S: A user right was adjusted.](auditing\event-4703.md)
+###### [Event 4704 S: A user right was assigned.](auditing\event-4704.md)
+###### [Event 4705 S: A user right was removed.](auditing\event-4705.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing\event-4670.md)
+###### [Event 4911 S: Resource attributes of the object were changed.](auditing\event-4911.md)
+###### [Event 4913 S: Central Access Policy on the object was changed.](auditing\event-4913.md)
+##### [Audit Filtering Platform Policy Change](auditing\audit-filtering-platform-policy-change.md)
+##### [Audit MPSSVC Rule-Level Policy Change](auditing\audit-mpssvc-rule-level-policy-change.md)
+###### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing\event-4944.md)
+###### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing\event-4945.md)
+###### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing\event-4946.md)
+###### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing\event-4947.md)
+###### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing\event-4948.md)
+###### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing\event-4949.md)
+###### [Event 4950 S: A Windows Firewall setting has changed.](auditing\event-4950.md)
+###### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing\event-4951.md)
+###### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing\event-4952.md)
+###### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing\event-4953.md)
+###### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing\event-4954.md)
+###### [Event 4956 S: Windows Firewall has changed the active profile.](auditing\event-4956.md)
+###### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing\event-4957.md)
+###### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing\event-4958.md)
+##### [Audit Other Policy Change Events](auditing\audit-other-policy-change-events.md)
+###### [Event 4714 S: Encrypted data recovery policy was changed.](auditing\event-4714.md)
+###### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing\event-4819.md)
+###### [Event 4826 S: Boot Configuration Data loaded.](auditing\event-4826.md)
+###### [Event 4909: The local policy settings for the TBS were changed.](auditing\event-4909.md)
+###### [Event 4910: The group policy settings for the TBS were changed.](auditing\event-4910.md)
+###### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing\event-5063.md)
+###### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing\event-5064.md)
+###### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing\event-5065.md)
+###### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing\event-5066.md)
+###### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing\event-5067.md)
+###### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing\event-5068.md)
+###### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing\event-5069.md)
+###### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing\event-5070.md)
+###### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing\event-5447.md)
+###### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing\event-6144.md)
+###### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing\event-6145.md)
+##### [Audit Sensitive Privilege Use](auditing\audit-sensitive-privilege-use.md)
+###### [Event 4673 S, F: A privileged service was called.](auditing\event-4673.md)
+###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing\event-4674.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing\event-4985.md)
+##### [Audit Non Sensitive Privilege Use](auditing\audit-non-sensitive-privilege-use.md)
+###### [Event 4673 S, F: A privileged service was called.](auditing\event-4673.md)
+###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing\event-4674.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing\event-4985.md)
+##### [Audit Other Privilege Use Events](auditing\audit-other-privilege-use-events.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing\event-4985.md)
+##### [Audit IPsec Driver](auditing\audit-ipsec-driver.md)
+##### [Audit Other System Events](auditing\audit-other-system-events.md)
+###### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing\event-5024.md)
+###### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing\event-5025.md)
+###### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing\event-5027.md)
+###### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing\event-5028.md)
+###### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing\event-5029.md)
+###### [Event 5030 F: The Windows Firewall Service failed to start.](auditing\event-5030.md)
+###### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing\event-5032.md)
+###### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing\event-5033.md)
+###### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing\event-5034.md)
+###### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing\event-5035.md)
+###### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing\event-5037.md)
+###### [Event 5058 S, F: Key file operation.](auditing\event-5058.md)
+###### [Event 5059 S, F: Key migration operation.](auditing\event-5059.md)
+###### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing\event-6400.md)
+###### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing\event-6401.md)
+###### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing\event-6402.md)
+###### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing\event-6403.md)
+###### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing\event-6404.md)
+###### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing\event-6405.md)
+###### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing\event-6406.md)
+###### [Event 6407: 1%.](auditing\event-6407.md)
+###### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing\event-6408.md)
+###### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing\event-6409.md)
+##### [Audit Security State Change](auditing\audit-security-state-change.md)
+###### [Event 4608 S: Windows is starting up.](auditing\event-4608.md)
+###### [Event 4616 S: The system time was changed.](auditing\event-4616.md)
+###### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing\event-4621.md)
+##### [Audit Security System Extension](auditing\audit-security-system-extension.md)
+###### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing\event-4610.md)
+###### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing\event-4611.md)
+###### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing\event-4614.md)
+###### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing\event-4622.md)
+###### [Event 4697 S: A service was installed in the system.](auditing\event-4697.md)
+##### [Audit System Integrity](auditing\audit-system-integrity.md)
+###### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing\event-4612.md)
+###### [Event 4615 S: Invalid use of LPC port.](auditing\event-4615.md)
+###### [Event 4618 S: A monitored security event pattern has occurred.](auditing\event-4618.md)
+###### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing\event-4816.md)
+###### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing\event-5038.md)
+###### [Event 5056 S: A cryptographic self-test was performed.](auditing\event-5056.md)
+###### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing\event-5062.md)
+###### [Event 5057 F: A cryptographic primitive operation failed.](auditing\event-5057.md)
+###### [Event 5060 F: Verification operation failed.](auditing\event-5060.md)
+###### [Event 5061 S, F: Cryptographic operation.](auditing\event-5061.md)
+###### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing\event-6281.md)
+###### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing\event-6410.md)
+##### [Other Events](auditing\other-events.md)
+###### [Event 1100 S: The event logging service has shut down.](auditing\event-1100.md)
+###### [Event 1102 S: The audit log was cleared.](auditing\event-1102.md)
+###### [Event 1104 S: The security log is now full.](auditing\event-1104.md)
+###### [Event 1105 S: Event log automatic backup.](auditing\event-1105.md)
+###### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing\event-1108.md)
+##### [Appendix A: Security monitoring recommendations for many audit events](auditing\appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
+##### [Registry (Global Object Access Auditing) ](auditing\registry-global-object-access-auditing.md)
+##### [File System (Global Object Access Auditing) ](auditing\file-system-global-object-access-auditing.md)
+
+## [Security policy settings](security-policy-settings/security-policy-settings.md)
+### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
+#### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
+### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md)
+### [Security policy settings reference](security-policy-settings/security-policy-settings-reference.md)
+#### [Account Policies](security-policy-settings/account-policies.md)
+##### [Password Policy](security-policy-settings/password-policy.md)
+###### [Enforce password history](security-policy-settings/enforce-password-history.md)
+###### [Maximum password age](security-policy-settings/maximum-password-age.md)
+###### [Minimum password age](security-policy-settings/minimum-password-age.md)
+###### [Minimum password length](security-policy-settings/minimum-password-length.md)
+###### [Password must meet complexity requirements](security-policy-settings/password-must-meet-complexity-requirements.md)
+###### [Store passwords using reversible encryption](security-policy-settings/store-passwords-using-reversible-encryption.md)
+##### [Account Lockout Policy](security-policy-settings/account-lockout-policy.md)
+###### [Account lockout duration](security-policy-settings/account-lockout-duration.md)
+###### [Account lockout threshold](security-policy-settings/account-lockout-threshold.md)
+###### [Reset account lockout counter after](security-policy-settings/reset-account-lockout-counter-after.md)
+##### [Kerberos Policy](security-policy-settings/kerberos-policy.md)
+###### [Enforce user logon restrictions](security-policy-settings/enforce-user-logon-restrictions.md)
+###### [Maximum lifetime for service ticket](security-policy-settings/maximum-lifetime-for-service-ticket.md)
+###### [Maximum lifetime for user ticket](security-policy-settings/maximum-lifetime-for-user-ticket.md)
+###### [Maximum lifetime for user ticket renewal](security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md)
+###### [Maximum tolerance for computer clock synchronization](security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md)
+#### [Audit Policy](security-policy-settings/audit-policy.md)
+#### [Security Options](security-policy-settings/security-options.md)
+##### [Accounts: Administrator account status](security-policy-settings/accounts-administrator-account-status.md)
+##### [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md)
+##### [Accounts: Guest account status](security-policy-settings/accounts-guest-account-status.md)
+##### [Accounts: Limit local account use of blank passwords to console logon only](security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md)
+##### [Accounts: Rename administrator account](security-policy-settings/accounts-rename-administrator-account.md)
+##### [Accounts: Rename guest account](security-policy-settings/accounts-rename-guest-account.md)
+##### [Audit: Audit the access of global system objects](security-policy-settings/audit-audit-the-access-of-global-system-objects.md)
+##### [Audit: Audit the use of Backup and Restore privilege](security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md)
+##### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md)
+##### [Audit: Shut down system immediately if unable to log security audits](security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
+##### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
+##### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
+##### [Devices: Allow undock without having to log on](security-policy-settings/devices-allow-undock-without-having-to-log-on.md)
+##### [Devices: Allowed to format and eject removable media](security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md)
+##### [Devices: Prevent users from installing printer drivers](security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md)
+##### [Devices: Restrict CD-ROM access to locally logged-on user only](security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md)
+##### [Devices: Restrict floppy access to locally logged-on user only](security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md)
+##### [Domain controller: Allow server operators to schedule tasks](security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md)
+##### [Domain controller: LDAP server signing requirements](security-policy-settings/domain-controller-ldap-server-signing-requirements.md)
+##### [Domain controller: Refuse machine account password changes](security-policy-settings/domain-controller-refuse-machine-account-password-changes.md)
+##### [Domain member: Digitally encrypt or sign secure channel data (always)](security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
+##### [Domain member: Digitally encrypt secure channel data (when possible)](security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
+##### [Domain member: Digitally sign secure channel data (when possible)](security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md)
+##### [Domain member: Disable machine account password changes](security-policy-settings/domain-member-disable-machine-account-password-changes.md)
+##### [Domain member: Maximum machine account password age](security-policy-settings/domain-member-maximum-machine-account-password-age.md)
+##### [Domain member: Require strong (Windows 2000 or later) session key](security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md)
+##### [Interactive logon: Display user information when the session is locked](security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md)
+##### [Interactive logon: Don't display last signed-in](security-policy-settings/interactive-logon-do-not-display-last-user-name.md)
+##### [Interactive logon: Don't display username at sign-in](security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md)
+##### [Interactive logon: Do not require CTRL+ALT+DEL](security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md)
+##### [Interactive logon: Machine account lockout threshold](security-policy-settings/interactive-logon-machine-account-lockout-threshold.md)
+##### [Interactive logon: Machine inactivity limit](security-policy-settings/interactive-logon-machine-inactivity-limit.md)
+##### [Interactive logon: Message text for users attempting to log on](security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md)
+##### [Interactive logon: Message title for users attempting to log on](security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md)
+##### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
+##### [Interactive logon: Prompt user to change password before expiration](security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md)
+##### [Interactive logon: Require Domain Controller authentication to unlock workstation](security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
+##### [Interactive logon: Require smart card](security-policy-settings/interactive-logon-require-smart-card.md)
+##### [Interactive logon: Smart card removal behavior](security-policy-settings/interactive-logon-smart-card-removal-behavior.md)
+##### [Microsoft network client: Digitally sign communications (always)](security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md)
+##### [Microsoft network client: Digitally sign communications (if server agrees)](security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
+##### [Microsoft network client: Send unencrypted password to third-party SMB servers](security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
+##### [Microsoft network server: Amount of idle time required before suspending session](security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
+##### [Microsoft network server: Attempt S4U2Self to obtain claim information](security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
+##### [Microsoft network server: Digitally sign communications (always)](security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md)
+##### [Microsoft network server: Digitally sign communications (if client agrees)](security-policy-settings/microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
+##### [Microsoft network server: Disconnect clients when logon hours expire](security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
+##### [Microsoft network server: Server SPN target name validation level](security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md)
+##### [Network access: Allow anonymous SID/Name translation](security-policy-settings/network-access-allow-anonymous-sidname-translation.md)
+##### [Network access: Do not allow anonymous enumeration of SAM accounts](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)
+##### [Network access: Do not allow anonymous enumeration of SAM accounts and shares](security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)
+##### [Network access: Do not allow storage of passwords and credentials for network authentication](security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)
+##### [Network access: Let Everyone permissions apply to anonymous users](security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md)
+##### [Network access: Named Pipes that can be accessed anonymously](security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md)
+##### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md)
+##### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md)
+##### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)
+#####  [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)
+##### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md)
+##### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md)
+##### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)
+##### [Network security: Allow LocalSystem NULL session fallback](security-policy-settings/network-security-allow-localsystem-null-session-fallback.md)
+##### [Network security: Allow PKU2U authentication requests to this computer to use online identities](security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)
+##### [Network security: Configure encryption types allowed for Kerberos Win7 only](security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md)
+##### [Network security: Do not store LAN Manager hash value on next password change](security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)
+##### [Network security: Force logoff when logon hours expire](security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md)
+##### [Network security: LAN Manager authentication level](security-policy-settings/network-security-lan-manager-authentication-level.md)
+##### [Network security: LDAP client signing requirements](security-policy-settings/network-security-ldap-client-signing-requirements.md)
+##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
+##### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
+##### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
+##### [Network security: Restrict NTLM: Add server exceptions in this domain](security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
+##### [Network security: Restrict NTLM: Audit incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
+##### [Network security: Restrict NTLM: Audit NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md)
+##### [Network security: Restrict NTLM: Incoming NTLM traffic](security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md)
+##### [Network security: Restrict NTLM: NTLM authentication in this domain](security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)
+##### [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)
+##### [Recovery console: Allow automatic administrative logon](security-policy-settings/recovery-console-allow-automatic-administrative-logon.md)
+##### [Recovery console: Allow floppy copy and access to all drives and folders](security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)
+##### [Shutdown: Allow system to be shut down without having to log on](security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)
+##### [Shutdown: Clear virtual memory pagefile](security-policy-settings/shutdown-clear-virtual-memory-pagefile.md)
+##### [System cryptography: Force strong key protection for user keys stored on the computer](security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
+##### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
+##### [System objects: Require case insensitivity for non-Windows subsystems](security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
+##### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md)
+##### [System settings: Optional subsystems](security-policy-settings/system-settings-optional-subsystems.md)
+##### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
+##### [User Account Control: Admin Approval Mode for the Built-in Administrator account](security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
+##### [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)
+##### [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)
+##### [User Account Control: Behavior of the elevation prompt for standard users](security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)
+##### [User Account Control: Detect application installations and prompt for elevation](security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md)
+##### [User Account Control: Only elevate executables that are signed and validated](security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md)
+##### [User Account Control: Only elevate UIAccess applications that are installed in secure locations](security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)
+##### [User Account Control: Run all administrators in Admin Approval Mode](security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md)
+##### [User Account Control: Switch to the secure desktop when prompting for elevation](security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)
+##### [User Account Control: Virtualize file and registry write failures to per-user locations](security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)
+#### [Advanced security audit policy settings](security-policy-settings/secpol-advanced-security-audit-policy-settings.md)
+#### [User Rights Assignment](security-policy-settings/user-rights-assignment.md)
+##### [Access Credential Manager as a trusted caller](security-policy-settings/access-credential-manager-as-a-trusted-caller.md)
+##### [Access this computer from the network](security-policy-settings/access-this-computer-from-the-network.md)
+##### [Act as part of the operating system](security-policy-settings/act-as-part-of-the-operating-system.md)
+##### [Add workstations to domain](security-policy-settings/add-workstations-to-domain.md)
+##### [Adjust memory quotas for a process](security-policy-settings/adjust-memory-quotas-for-a-process.md)
+##### [Allow log on locally](security-policy-settings/allow-log-on-locally.md)
+##### [Allow log on through Remote Desktop Services](security-policy-settings/allow-log-on-through-remote-desktop-services.md)
+##### [Back up files and directories](security-policy-settings/back-up-files-and-directories.md)
+##### [Bypass traverse checking](security-policy-settings/bypass-traverse-checking.md)
+##### [Change the system time](security-policy-settings/change-the-system-time.md)
+##### [Change the time zone](security-policy-settings/change-the-time-zone.md)
+##### [Create a pagefile](security-policy-settings/create-a-pagefile.md)
+##### [Create a token object](security-policy-settings/create-a-token-object.md)
+##### [Create global objects](security-policy-settings/create-global-objects.md)
+##### [Create permanent shared objects](security-policy-settings/create-permanent-shared-objects.md)
+##### [Create symbolic links](security-policy-settings/create-symbolic-links.md)
+##### [Debug programs](security-policy-settings/debug-programs.md)
+##### [Deny access to this computer from the network](security-policy-settings/deny-access-to-this-computer-from-the-network.md)
+##### [Deny log on as a batch job](security-policy-settings/deny-log-on-as-a-batch-job.md)
+##### [Deny log on as a service](security-policy-settings/deny-log-on-as-a-service.md)
+##### [Deny log on locally](security-policy-settings/deny-log-on-locally.md)
+##### [Deny log on through Remote Desktop Services](security-policy-settings/deny-log-on-through-remote-desktop-services.md)
+##### [Enable computer and user accounts to be trusted for delegation](security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md)
+##### [Force shutdown from a remote system](security-policy-settings/force-shutdown-from-a-remote-system.md)
+##### [Generate security audits](security-policy-settings/generate-security-audits.md)
+##### [Impersonate a client after authentication](security-policy-settings/impersonate-a-client-after-authentication.md)
+##### [Increase a process working set](security-policy-settings/increase-a-process-working-set.md)
+##### [Increase scheduling priority](security-policy-settings/increase-scheduling-priority.md)
+##### [Load and unload device drivers](security-policy-settings/load-and-unload-device-drivers.md)
+##### [Lock pages in memory](security-policy-settings/lock-pages-in-memory.md)
+##### [Log on as a batch job](security-policy-settings/log-on-as-a-batch-job.md)
+##### [Log on as a service](security-policy-settings/log-on-as-a-service.md)
+##### [Manage auditing and security log](security-policy-settings/manage-auditing-and-security-log.md)
+##### [Modify an object label](security-policy-settings/modify-an-object-label.md)
+##### [Modify firmware environment values](security-policy-settings/modify-firmware-environment-values.md)
+##### [Perform volume maintenance tasks](security-policy-settings/perform-volume-maintenance-tasks.md)
+##### [Profile single process](security-policy-settings/profile-single-process.md)
+##### [Profile system performance](security-policy-settings/profile-system-performance.md)
+##### [Remove computer from docking station](security-policy-settings/remove-computer-from-docking-station.md)
+##### [Replace a process level token](security-policy-settings/replace-a-process-level-token.md)
+##### [Restore files and directories](security-policy-settings/restore-files-and-directories.md)
+##### [Shut down the system](security-policy-settings/shut-down-the-system.md)
+##### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
+##### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
+
+
+## [Windows security baselines](windows-security-baselines.md)
+### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
+### [Get support](get-support-for-security-baselines.md)
+
+## [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
+
+## [Change history for Threat protection](change-history-for-threat-protection.md)

windows/security/threat-protection/windows-defender-security-center/TOC.md

@@ -0,0 +1,11 @@
+# [The Windows Defender Security Center app](windows-defender-security-center.md)
+
+
+## [Customize the Windows Defender Security Center app for your organization](wdsc-customize-contact-information.md)
+## [Hide Windows Defender Security Center app notifications](wdsc-hide-notifications.md)
+## [Virus and threat protection](wdsc-virus-threat-protection.md)
+## [Device performance and health](wdsc-device-performance-health.md)
+## [Firewall and network protection](wdsc-firewall-network-protection.md)
+## [App and browser control](wdsc-app-browser-control.md)
+## [Family options](wdsc-family-options.md)
+