5560668 part 3

This commit is contained in:
Meghana Athavale 2021-11-29 12:21:59 +05:30
parent 0f577240e4
commit 92da621577
28 changed files with 35 additions and 35 deletions

View File

@ -93,7 +93,7 @@ The following issue affects Citrix applications:
<sup>[1]</sup> Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016 or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
- [KB4032786 High CPU usage in the LSAISO process on Windows](https://support.microsoft.com/help/4032786)
- [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage)
For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes)

View File

@ -347,7 +347,7 @@ This example configures Wi-Fi as a trusted signal (Windows 10, version 1803 or l
You need at least a Windows 10, version 1709 or later workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1709 or later.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
### Create the Multifactor Unlock Group Policy object
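Review bot: The rewritten "Alternatively" sentence still names Windows 10, version 1703 as the source of the .ADMX and .ADML files, while the unchanged paragraph directly above it says version 1709 or later is what provides the Group Policy settings that include multi-factor unlock, so the two sentences disagree on the minimum version. Since this line is being touched anyway, align the version and fix the wording: "you can create copy" should read "you can copy", and "copy them their respective language folder" is missing "to".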

View File

@ -30,7 +30,7 @@ ms.reviewer:
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.

View File

@ -66,7 +66,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca).
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](/troubleshoot/windows-server/windows-security/requirements-domain-controller).
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder.
* The certificate Subject section should contain the directory path of the server object (the distinguished name).

View File

@ -30,7 +30,7 @@ ms.reviewer:
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.
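Review bot: The new Central Store link target in the "Alternatively" sentence is `troubleshoot/windows-client/group-policy/create-and-manage-central-store` with no leading slash, so it resolves relative to this article's own path instead of the site root. The next hunk in this same file and the other files in the commit use `/troubleshoot/windows-client/group-policy/create-and-manage-central-store`; add the leading `/` here so the link does not break.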
@ -69,7 +69,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
>[!IMPORTANT]
>If you don't find options in GPO, you have to load the [PolicyDefinitions folder](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
>If you don't find options in GPO, you have to load the [PolicyDefinitions folder](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
### Windows Hello for Business Group Policy

View File

@ -28,7 +28,7 @@ ms.reviewer:
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business

View File

@ -31,7 +31,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md).
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201/) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
## Managing devices joined to Azure Active Directory
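Review bot: The new lifecycle link in the MBAM sentence ends its `alpha` query value with `%2F`. The old URL had a trailing `/` after `Service%20Pack%201`, and the rewrite has percent-encoded that slash into the search term, so the query now looks up a product name ending in "/". Drop the `%2F` so the value ends at `Service%20Pack%201`. Separately, the sentence still reads "until mainstream support ends in July 2019" in a commit dated 2021-11-29; consider rewording it to past tense while the line is open.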

View File

@ -180,7 +180,7 @@ Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLo
> [!NOTE]
> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](https://support.microsoft.com/kb/947249).
Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant).
But on computers running these supported systems with BitLocker enabled:
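Review bot: The link text in the changed sentence is still the bare article number "kb947249", but the target is now the path `/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant`, which no longer contains that number. Use descriptive link text that matches the destination article so readers can tell what they are following, and keep the KB number in parentheses if it needs to stay searchable.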

View File

@ -73,7 +73,7 @@ This table provides info about the most common problems you might encounter whil
<tr>
<td>Redirected folders with Client-Side Caching are not compatible with WIP.</td>
<td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><b>Note</b><br>For more info about Work Folders and Offline Files, see the blog, <a href="https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/" data-raw-source="[Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)">Work Folders and Offline Files support for Windows Information Protection</a>. If you&#39;re having trouble opening files offline while using Offline Files and WIP, see the support article, <a href="https://support.microsoft.com/kb/3187045" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><b>Note</b><br>For more info about Work Folders and Offline Files, see the blog, <a href="https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/" data-raw-source="[Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)">Work Folders and Offline Files support for Windows Information Protection</a>. If you&#39;re having trouble opening files offline while using Offline Files and WIP, see the support article, <a href="/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.</td>
</tr>
<tr>
<td>An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.</td>
@ -114,7 +114,7 @@ This table provides info about the most common problems you might encounter whil
</ul>
</td>
<td>WIP isnt turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.</td>
<td>Dont set the <b>MakeFolderAvailableOfflineDisabled</b> option to <b>False</b> for any of the specified folders. You can configure this parameter, as described <a href="/windows-server/storage/folder-redirection/disable-offline-files-on-folders" data-raw-source="[here](/windows-server/storage/folder-redirection/disable-offline-files-on-folders)">here</a>.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see <a href="https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.
<td>Dont set the <b>MakeFolderAvailableOfflineDisabled</b> option to <b>False</b> for any of the specified folders. You can configure this parameter, as described <a href="/windows-server/storage/folder-redirection/disable-offline-files-on-folders" data-raw-source="[here](/windows-server/storage/folder-redirection/disable-offline-files-on-folders)">here</a>.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see <a href="/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.
</td>
</tr>
<tr>

View File

@ -84,7 +84,7 @@ This event generates every time Windows Security audit log was cleared.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
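Review bot: In the "well-known security principals" bullet the link used to go to a KB article specific to that topic and now goes to the top of the general `/windows/security/identity-protection/access-control/security-identifiers` article, with no section anchor. A reader looking up LOCAL SERVICE or ANONYMOUS LOGON has to search the page; point the link at the section of that article that lists the well-known identifiers. The same replacement repeats in the remaining event articles in this commit, so the fix applies to each of them.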

View File

@ -89,7 +89,7 @@ You typically see these events during operating system startup or user logon and
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -98,7 +98,7 @@ You will typically see these events with “**Subject\\Security ID**” = “**L
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -132,7 +132,7 @@ This event generates when a logon session is created (on destination machine). I
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
@ -196,7 +196,7 @@ This event generates when a logon session is created (on destination machine). I
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".

View File

@ -104,7 +104,7 @@ This event generates on domain controllers, member servers, and workstations.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
@ -143,7 +143,7 @@ This event generates on domain controllers, member servers, and workstations.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -98,7 +98,7 @@ This event generates on the computer to which the logon was performed (target co
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
@ -134,7 +134,7 @@ This event generates on the computer to which the logon was performed (target co
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -97,7 +97,7 @@ Multiple events are generated if the group membership information cannot fit in
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
@ -134,7 +134,7 @@ Multiple events are generated if the group membership information cannot fit in
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -89,7 +89,7 @@ It may be positively correlated with a “[4624](event-4624.md): An account was
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -88,7 +88,7 @@ It may be positively correlated with a “[4624](event-4624.md): An account was
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -96,7 +96,7 @@ It is also a routine event which periodically occurs during normal operating sys
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
@ -122,7 +122,7 @@ It is also a routine event which periodically occurs during normal operating sys
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -107,7 +107,7 @@ This event shows that access was requested, and the results of the request, but
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -94,7 +94,7 @@ This event generates only if “Set Value" auditing is set in registry keys [
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -90,7 +90,7 @@ Typically this event is needed if you need to know how long the handle to the ob
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -93,7 +93,7 @@ The advantage of this event is that its generated only during real delete ope
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -97,7 +97,7 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -97,7 +97,7 @@ You will get one 4662 for each operation type which was performed.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -101,7 +101,7 @@ The main difference with “[4656](event-4656.md): A handle to an object was req
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -85,7 +85,7 @@ This event generates when an NTFS hard link was successfully created.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -93,7 +93,7 @@ Before this event can generate, certain ACEs might need to be set in the object
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.