diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index f663299fb7..a93f2fb987 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -18,9 +18,9 @@ ms.reviewer:
# Smart Card Group Policy and Registry Settings
-Applies To: Windows 10, Windows Server 2016
+Applies to: Windows 10, Windows Server 2016
-This topic for the IT professional and smart card developer describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
+This article for IT professionals and smart card developers describes the Group Policy settings, registry key settings, local security policy settings, and credential delegation policy settings that are available for configuring smart cards.
The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.
@@ -66,21 +66,23 @@ The following sections and tables list the smart card-related Group Policy setti
## Primary Group Policy settings for smart cards
-The following smart card Group Policy settings are located in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
+The following smart card Group Policy settings are in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
The registry keys are in the following locations:
-- HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP
+- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP**
-- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider
+- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider**
-- HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp
+- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp**
-> **Note** Smart card reader registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers.
Smart card registry information is located in HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards.
+> [!NOTE]
+> Smart card reader registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers**.
+Smart card registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards**.
The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this topic.
-| **Server Type or GPO** | **Default Value** |
+| **Server type or GPO** | **Default value** |
|----------------------------------------------|-------------------|
| Default Domain Policy | Not configured |
| Default Domain Controller Policy | Not configured |
@@ -91,13 +93,14 @@ The following table lists the default values for these GPO settings. Variations
### Allow certificates with no extended key usage certificate attribute
-This policy setting allows certificates without an enhanced key usage (EKU) set to be used for sign in.
+You can use this policy setting to allow certificates without an enhanced key usage (EKU) set to be used for sign in.
-> **Note** Enhanced key usage certificate attribute is also known as extended key usage.
+> [!NOTE]
+> Enhanced key usage certificate attribute is also known as extended key usage.
+>
+> In versions of Windows before Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
-In versions of Windows prior to Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
-
-When this policy setting is enabled, certificates with the following attributes can also be used to sign in with a smart card:
+When this policy setting is turned on, certificates with the following attributes can also be used to sign in with a smart card:
- Certificates with no EKU
@@ -105,7 +108,7 @@ When this policy setting is enabled, certificates with the following attributes
- Certificates with a Client Authentication EKU
-When this policy setting is disabled or not configured, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
+When this policy setting isn't turned on, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
@@ -116,68 +119,87 @@ When this policy setting is disabled or not configured, only certificates that c
### Allow ECC certificates to be used for logon and authentication
-This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain. When this setting is enabled, ECC certificates on a smart card can be used to sign in to a domain. When this setting is disabled or not configured, ECC certificates on a smart card cannot be used to sign in to a domain.
+You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain.
+
+When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain.
+
+When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain.
| **Item** | **Description** |
|--------------------------------------|-------------------------------|
-| Registry key | EnumerateECCCerts |
+| Registry key | **EnumerateECCCerts** |
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, are not affected by this policy setting.
If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign-in when you are not connected to the network. |
+| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting.
If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. |
### Allow Integrated Unblock screen to be displayed at the time of logon
-This policy setting lets you determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
+You can use this policy setting to determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
-When this setting is enabled, the integrated unblock feature is available. When this setting is disabled or not configured, the feature is not available.
+When this setting is turned on, the integrated unblock feature is available.
+
+When this setting isn't turned on, the feature is not available.
| **Item** | **Description** |
|--------------------------------------|---------------------------------------------------------------------------------------------------------------|
-| Registry key | AllowIntegratedUnblock |
+| Registry key | **AllowIntegratedUnblock** |
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.
You can create a custom message that is displayed when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
+| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature.
You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
### Allow signature keys valid for Logon
-This policy setting lets you allow signature key-based certificates to be enumerated and available for sign in. When this setting is enabled, any certificates available on the smart card with a signature-only key are listed on the sign-in screen. When this setting is disabled or not configured, certificates available on the smart card with a signature-only key are not listed on the sign-in screen.
+You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign in.
+
+When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen.
+
+When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | AllowSignatureOnlyKeys |
+| Registry key | **AllowSignatureOnlyKeys**|
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
| Notes and resources | |
### Allow time invalid certificates
-This policy setting permits those certificates that are expired or not yet valid to be displayed for sign-in.
+You can use this policy setting to permit certificates that are expired or not yet valid to be displayed for sign in.
-Prior to Windows Vista, certificates were required to contain a valid time and to not expire. To be used, the certificate must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.
+> [!NOTE]
+> Before Windows Vista, certificates were required to contain a valid time and to not expire. For a certificate to be used, it must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer.
-When this setting is enabled, certificates are listed on the sign-in screen whether they have an invalid time or their time validity has expired. When this setting is disabled or not configured, certificates that are expired or not yet valid are not listed on the sign-in screen.
+When this setting is turned on, certificates are listed on the sign-in screen whether they have an invalid time, or their time validity has expired.
+
+When this policy setting isn't turned on, certificates that are expired or not yet valid aren't listed on the sign-in screen.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | AllowTimeInvalidCertificates |
+| Registry key | **AllowTimeInvalidCertificates** |
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
| Notes and resources | |
### Allow user name hint
-This policy setting lets you determine whether an optional field is displayed during sign-in and provides a subsequent elevation process that allows users to enter their user name or user name and domain, which associates a certificate with the user. If this setting is enabled, an optional field is displayed that allows users to enter their user name or user name and domain. If this setting is disabled or not configured, the field is not displayed.
+You can use this policy setting to determine whether an optional field appears during sign in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
+
+When this policy setting is turned on, users see an optional field where they can enter their username or username and domain.
+
+When this policy setting isn't turned on, users don't see this optional field.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | X509HintsNeeded |
+| Registry key | **X509HintsNeeded**|
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
| Notes and resources | |
### Configure root certificate clean up
-This policy setting allows you to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate. When this setting is enabled, you can set the following cleanup options:
+You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate.
+
+When this policy setting is turned on, you can set the following cleanup options:
- **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer.
@@ -185,122 +207,168 @@ This policy setting allows you to manage the cleanup behavior of root certificat
- **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed.
-When this policy setting is disabled or not configured, root certificates are automatically removed when the user signs out of Windows.
+When this policy setting isn't turned on, root certificates are automatically removed when the user signs out of Windows.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | RootCertificateCleanupOption |
+| Registry key | **RootCertificateCleanupOption**|
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
| Notes and resources | |
### Display string when smart card is blocked
-When this policy setting is enabled, you can create and manage the displayed message that the user sees when a smart card is blocked. When this setting is disabled or not configured (and the integrated unblock feature is also enabled), the system’s default message is displayed to the user when the smart card is blocked.
+You can use this policy setting to change the default message that a user sees if their smart card is blocked.
+
+When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked.
+
+When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system’s default message when the smart card is blocked.
| **Item** | **Description** |
|--------------------------------------|-------------------------|
-| Registry key | IntegratedUnblockPromptString |
+| Registry key | **IntegratedUnblockPromptString** |
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: This policy setting is only effective when the [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) policy is enabled. |
| Notes and resources | |
### Filter duplicate logon certificates
-This policy setting lets you use a filtering process to configure which valid sign-in certificates are displayed. During the certificate renewal period, a user’s smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
+You can use this policy setting to configure which valid sign-in certificates are displayed.
-Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (this is determined by their UPN). When this policy setting is enabled, filtering occurs so that the user will only see the most current valid certificates from which to select. If this setting is disabled or not configured, all the certificates are displayed to the user.
+> [!NOTE]
+> During the certificate renewal period, a user’s smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
+>
+> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
+
+When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates.
+
+If this policy setting isn't turned on, all the certificates are displayed to the user.
This policy setting is applied to the computer after the [Allow time invalid certificates](#allow-time-invalid-certificates) policy setting is applied.
| **Item** | **Description** |
|--------------------------------------|--------------------------------------------------------------------------------------------------|
-| Registry key | FilterDuplicateCerts |
+| Registry key | **FilterDuplicateCerts**|
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. |
### Force the reading of all certificates from the smart card
-This policy setting allows you to manage how Windows reads all certificates from the smart card for sign-in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
+You can use this policy setting to manage how Windows reads all certificates from the smart card for sign in. During sign in, Windows reads only the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This policy setting forces Windows to read all the certificates from the smart card.
-When this policy setting is enabled, Windows attempts to read all certificates from the smart card regardless of the CSP feature set. When disabled or not configured, Windows attempts to read only the default certificate from smart cards that do not support retrieval of all certificates in a single call. Certificates other than the default are not available for sign in.
+When this policy setting is turned on, Windows attempts to read all certificates from the smart card, regardless of the CSP feature set.
+
+When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign in.
| **Item** | **Description** |
|--------------------------------------|----------------------------------------------------------------------------|
-| Registry key | ForceReadingAllCertificates |
+| Registry key | **ForceReadingAllCertificates** |
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None
**Important** Enabling this policy setting can adversely impact performance during the sign in process in certain situations. |
+| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None
**Important**: Enabling this policy setting can adversely impact performance during the sign in process in certain situations. |
| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |
### Notify user of successful smart card driver installation
-This policy setting allows you to control whether a confirmation message is displayed to the user when a smart card device driver is installed. When this policy setting is enabled, a confirmation message is displayed when a smart card device driver is installed. When this setting is disabled or not configured, a smart card device driver installation message is not displayed.
+You can use this policy setting to control whether the user sees a confirmation message when a smart card device driver is installed.
+
+When this policy setting is turned on, the user sees a confirmation message when a smart card device driver is installed.
+
+When this setting isn't turned on, the user doesn't see a smart card device driver installation message.
| **Item** | **Description** |
|--------------------------------------|------------------------------------------------|
-| Registry key | ScPnPNotification |
+| Registry key | **ScPnPNotification** |
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
### Prevent plaintext PINs from being returned by Credential Manager
-This policy setting prevents Credential Manager from returning plaintext PINs. Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user’s profile. When this policy setting is enabled, Credential Manager does not return a plaintext PIN. When this setting is disabled or not configured, plaintext PINs can be returned by Credential Manager.
+You can use this policy setting to prevent Credential Manager from returning plaintext PINs.
+
+> [!NOTE]
+> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user’s profile.
+
+When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN.
+
+When this setting isn't turned on, Credential Manager can return plaintext PINs.
| **Item** | **Description** |
|--------------------------------------|-----------------------------------------------------------------------------------|
-| Registry key | DisallowPlaintextPin |
+| Registry key | **DisallowPlaintextPin**|
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
-| Notes and resources | If this policy setting is enabled, some smart cards may not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
+| Notes and resources | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
### Reverse the subject name stored in a certificate when displaying
-When this policy setting is enabled, it causes the display of the subject name to be reversed from the way it is stored in the certificate during the sign-in process.
+You can use this policy setting to control the way the subject name appears during sign in.
+
+> [!NOTE]
+> To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
+
+When this policy setting is turned on, the subject name during sign in appears reversed from the way that it's stored in the certificate.
+
+When this policy setting isn’t turned on, the subject name appears the same as it’s stored in the certificate.
-To help users distinguish one certificate from another, the user principal name (UPN) and the common name are displayed by default. For example, when this setting is enabled, if the certificate subject is CN=User1, OU=Users, DN=example, DN=com and the UPN is user1@example.com, "User1" is displayed with "user1@example.com." If the UPN is not present, the entire subject name is displayed. This setting controls the appearance of that subject name, and it might need to be adjusted for your organization.
| **Item** | **Description** |
|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | ReverseSubject |
+| Registry key | **ReverseSubject** |
| Default values | No changes per operating system versions
Disabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
| Notes and resources | |
### Turn on certificate propagation from smart card
-This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
+You can use this policy setting to manage the certificate propagation that occurs when a smart card is inserted.
+> [!NOTE]
+> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
-If you enable or do not configure this policy setting, certificate propagation occurs when the user inserts the smart card. When this setting is disabled, certificate propagation does not occur and the certificates will not be made available to applications such as Outlook.
+When this policy setting is turned on, certificate propagation occurs when the user inserts the smart card.
+
+When this policy setting is turned off, certificate propagation doesn't occur, and the certificates aren't available to applications, like Outlook.
| **Item** | **Description** |
|--------------------------------------|----------------|
-| Registry key | CertPropEnabled |
+| Registry key | **CertPropEnabled**|
| Default values | No changes per operating system versions
Enabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: This policy setting must be enabled to allow the [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) setting to work when it is enabled. |
| Notes and resources | |
### Turn on root certificate propagation from smart card
-This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. When this policy setting is enabled or not configured, root certificate propagation occurs when the user inserts the smart card.
+You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted.
+
+> [!NOTE]
+> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
+
+When this policy setting is turned on, root certificate propagation occurs when the user inserts the smart card.
+
+When this policy setting isn’t turned on, root certificate propagation doesn’t occur when the user inserts the smart card.
| **Item** | **Description** |
|--------------------------------------|---------------------------------------------------------------------------------------------------------|
-| Registry key | EnableRootCertificate Propagation |
+| Registry key | **EnableRootCertificate Propagation** |
| Default values | No changes per operating system versions
Enabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: For this policy setting to work, the [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) policy setting must also be enabled. |
| Notes and resources | |
### Turn on Smart Card Plug and Play service
-This policy setting allows you to control whether Smart Card Plug and Play is enabled. This means that your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver is not available from Windows Update, a PIV-compliant minidriver that is included with any of the supported versions of Windows is used for these cards.
+You can use this policy setting to control whether Smart Card Plug and Play is enabled.
-When the Smart Card Plug and Play policy setting is enabled or not configured, and the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader. If this policy setting is disabled a device driver is not installed when a smart card is inserted in a smart card reader.
+> [!NOTE]
+> Your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver isn't available from Windows Update, a PIV-compliant mini driver that's included with any of the supported versions of Windows is used for these cards.
+
+When this policy setting is turned on, the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader.
+
+When this policy setting isn't turned on, a device driver isn't installed when a smart card is inserted in a smart card reader.
| **Item** | **Description** |
|--------------------------------------|------------------------------------------------|
-| Registry key | EnableScPnP |
+| Registry key | **EnableScPnP** |
| Default values | No changes per operating system versions
Enabled and not configured are equivalent |
| Policy management | Restart requirement: None
Sign off requirement: None
Policy conflicts: None |
| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
@@ -309,9 +377,9 @@ When the Smart Card Plug and Play policy setting is enabled or not configured, a
The following registry keys can be configured for the base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type.
-The registry keys for the Base CSP are located in the registry in HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider.
+The registry keys for the Base CSP are in the registry in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider**.
-The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider.
+The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider**.
**Registry keys for the base CSP and smart card KSP**
@@ -320,7 +388,7 @@ The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SY
| **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios.
Default value: 00000000 |
| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios.
Default value: 00000000 |
| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired.
Default value: 00000400
Default key generation parameter: 1024-bit keys |
-| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that do not support on-card key generation or where key escrow is required.
Default value: 00000000 |
+| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required.
Default value: 00000000 |
| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail.
Default value: 000005dc1500
The default timeout for holding transactions to the smart card is 1.5 seconds. |
**Additional registry keys for the smart card KSP**
@@ -332,14 +400,14 @@ The registry keys for the smart card KSP are located in HKEY\_LOCAL\_MACHINE\\SY
## CRL checking registry keys
-The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you need to configure settings for both the KDC and the client.
+The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client.
**CRL checking registry keys**
| **Registry Key** | **Details** |
|------------|-----------------------------|
-| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD
Value = 1 |
-| HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors | Type = DWORD
Value = 1 |
+| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD
Value = 1 |
+| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD
Value = 1 |
## Additional smart card Group Policy settings and registry keys
@@ -349,40 +417,41 @@ In a smart card deployment, additional Group Policy settings can be used to enha
- Interactive logon: Do not require CTRL+ALT+DEL (not recommended)
-The following smart card-related Group Policy settings are located in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
+The following smart card-related Group Policy settings are in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
**Local security policy settings**
-| Group Policy Setting and Registry Key | Default | Description |
+| Group Policy setting and registry key | Default | Description |
|------------------------------------------|------------|---------------|
-| Interactive logon: Require smart card
scforceoption | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.
**Enabled** Users can only sign in to the computer by using a smart card.
**Disabled** Users can sign in to the computer by using any method. |
-| Interactive logon: Smart card removal behavior
scremoveoption | This policy setting is not defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
**No Action**
**Lock Workstation**: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
**Force Logoff**: The user is automatically signed out when the smart card is removed.
**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. This allows the user to reinsert the smart card and resume the session later, or at another computer that is equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.
**Note** Remote Desktop Services was called Terminal Services in previous versions of Windows Server. |
+| Interactive logon: Require smart card
**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.
**Enabled** Users can sign in to the computer only by using a smart card.
**Disabled** Users can sign in to the computer by using any method. |
+| Interactive logon: Smart card removal behavior
**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
**No Action**
**Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session.
**Force Logoff**: The user is automatically signed out when the smart card is removed.
**Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.
**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. |
From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
-The following smart card-related Group Policy settings are located in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
+The following smart card-related Group Policy settings are in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
-Registry keys are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults.
+Registry keys are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**.
-> **Note** In the following table, fresh credentials are those that you are prompted for when running an application.
+> [!NOTE]
+> In the following table, fresh credentials are those that you are prompted for when running an application.
**Credential delegation policy settings**
-| Group Policy Setting and Registry Key | Default | Description |
+| Group Policy setting and registry key | Default | Description |
|----------------------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Allow Delegating Fresh Credentials**
AllowFreshCredentials | Not Configured | This policy setting applies:
When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.
To applications that use the CredSSP component (for example, Remote Desktop Services).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.
**Disabled**: Delegation of fresh credentials to any computer is not permitted.
**Note** This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:
Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer.
Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.
Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
-| **Allow Delegating Fresh Credentials with NTLM-only Server Authentication**
AllowFreshCredentialsWhenNTLMOnly | Not Configured | This policy setting applies:
When server authentication was achieved by using NTLM.
To applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).
**Disabled**: Delegation of fresh credentials is not permitted to any computer.
**Note** This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
-| **Deny Delegating Fresh Credentials**
DenyFreshCredentials | Not Configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials cannot be delegated.
**Disabled** or **Not Configured**: A server is not specified.
**Note** This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials cannot be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
+| Allow Delegating Fresh Credentials
**AllowFreshCredentials** | Not configured | This policy setting applies:
When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.
To applications that use the CredSSP component (for example, Remote Desktop Services).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.
**Disabled**: Delegation of fresh credentials to any computer isn't permitted.
**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:
Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer.
Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.
Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
+| Allow Delegating Fresh Credentials with NTLM-only Server Authentication
**AllowFreshCredentialsWhenNTLMOnly** | Not configured | This policy setting applies:
When server authentication was achieved by using NTLM.
To applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
**Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).
**Disabled**: Delegation of fresh credentials isn't permitted to any computer.
**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
+| Deny Delegating Fresh Credentials
**DenyFreshCredentials** | Not configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated.
**Disabled** or **Not configured**: A server is not specified.
**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
For examples, see the "Allow delegating fresh credentials" policy setting. |
-If you are using Remote Desktop Services with smart card logon, you cannot delegate default and saved credentials. The registry keys in the following table, which are located at HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults, and the corresponding Group Policy settings are ignored.
+If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**, and the corresponding Group Policy settings are ignored.
| **Registry key** | **Corresponding Group Policy setting** |
|-------------------------------------|---------------------------------------------------------------------------|
-| AllowDefaultCredentials | Allow Delegating Default Credentials |
-| AllowDefaultCredentialsWhenNTLMOnly | Allow Delegating Default Credentials with NTLM-only Server Authentication |
-| AllowSavedCredentials | Allow Delegating Saved Credentials |
-| AllowSavedCredentialsWhenNTLMOnly | Allow Delegating Saved Credentials with NTLM-only Server Authentication |
+| **AllowDefaultCredentials** | Allow Delegating Default Credentials |
+| **AllowDefaultCredentialsWhenNTLMOnly** | Allow Delegating Default Credentials with NTLM-only Server Authentication |
+| **AllowSavedCredentials** | Allow Delegating Saved Credentials |
+| **AllowSavedCredentialsWhenNTLMOnly** | Allow Delegating Saved Credentials with NTLM-only Server Authentication |
## See also
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index f15fee7c4d..14179cf7bc 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -23,25 +23,26 @@ ms.date: 07/25/2018
- Windows 10
You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
-To complete this procedure, you must be logged on as a member of the built-in Administrators group or you must have been granted the **Manage auditing and security log** right.
+
+To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights.
**To apply or modify auditing policy settings for a local file or folder**
-1. Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab.
-2. Click **Advanced**.
-3. In the **Advanced Security Settings** dialog box, click the **Auditing** tab, and then click **Continue**.
+1. Select and hold (or right-click) the file or folder that you want to audit, select **Properties**, and then select the **Security** tab.
+2. Select **Advanced**.
+3. In the **Advanced Security Settings** dialog box, select the **Auditing** tab, and then select **Continue**.
4. Do one of the following:
- - To set up auditing for a new user or group, click **Add**. Click **Select a principal**, type the name of the user or group that you want, and then click **OK**.
- - To remove auditing for an existing group or user, click the group or user name, click **Remove**, click **OK**, and then skip the rest of this procedure.
- - To view or change auditing for an existing group or user, click its name, and then click **Edit.**
+ - To set up auditing for a new user or group, select **Add**. Select **Select a principal**, type the name of the user or group that you want, and then select **OK**.
+ - To remove auditing for an existing group or user, select the group or user name, select **Remove**, select **OK**, and then skip the rest of this procedure.
+ - To view or change auditing for an existing group or user, select its name, and then select **Edit.**
5. In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes:
- - To audit successful events, click **Success.**
- - To audit failure events, click **Fail.**
- - To audit all events, click **All.**
+ - To audit successful events, select **Success.**
+ - To audit failure events, select **Fail.**
+ - To audit all events, select **All.**
-6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include:
+6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These include:
- **This folder only**
- **This folder, subfolders and files**
@@ -55,16 +56,20 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
- **Read and execute**
- **List folder contents**
- **Read**
- - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination.
+ - Additionally, with your selected audit combination, you can select any combination of the following permissions:
+ - **Full control**
+ - **Modify**
+ - **Write**
-> **Important:** Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
+> [!IMPORTANT]
+> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
## Additional considerations
-- After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes.
+- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
- You can set up file and folder auditing only on NTFS drives.
-- Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
+- Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
index 94499439b0..e6131584e5 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
@@ -22,38 +22,39 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
-This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.
+This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects.
-This security audit policy and the event that it records are generated when the central access policy that is associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server.
+This security audit policy and the event that it records are generated when the central access policy that's associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server.
-For info about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md).
+For information about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md).
Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx).
->**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
+> [!NOTE]
+> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
**To configure settings to monitor central access policies associated with files or folders**
1. Sign in to your domain controller by using domain administrator credentials.
-2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
-3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**.
+2. In Server Manager, point to **Tools**, and then select **Group Policy Management**.
+3. In the console tree, right-click the flexible access Group Policy Object, and then select **Edit**.
4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**.
-5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
-6. Enable auditing for a file or folder as described in the following procedure.
+5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**.
+6. Turn on auditing for a file or folder as described in the following procedure.
-**To enable auditing for a file or folder**
+**To turn on auditing for a file or folder**
-1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit.
-2. Right-click the file or folder, click **Properties**, and then click the **Security** tab.
-3. Click **Advanced**, click the **Auditing** tab, and then click **Continue**.
+1. Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit.
+2. Right-click the file or folder, select **Properties**, and then select the **Security** tab.
+3. Select **Advanced**, select the **Auditing** tab, and then select **Continue**.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+ If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
-4. Click **Add**, click **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then click **OK**.
+4. Select **Add**, select **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then select **OK**.
5. In the **Auditing Entry for** dialog box, select the permissions that you want to audit, such as **Full Control** or **Delete**.
-6. Click **OK** four times to complete the configuration of the object SACL.
-7. Open a File Explorer window and select or create a file or folder to audit.
-8. Open an elevated command prompt, and run the following command:
+6. To complete the configuration of the object SACL, select **OK** four times.
+7. Open a File Explorer window, and then select or create a file or folder to audit.
+8. Open an elevated command prompt, and then run the following command:
`gpupdate /force`
@@ -61,15 +62,16 @@ After you configure settings to monitor changes to the central access policies t
**To verify that changes to central access policies associated with files and folders are monitored**
-1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit.
-2. Open a File Explorer window and select the file or folder that you configured for auditing in the previous procedure.
-3. Right-click the file or folder, click **Properties**, click the **Security** tab, and then click **Advanced**.
-4. Click the **Central Policy** tab, click **Change**, and select a different central access policy (if one is available) or select **No Central Access Policy**, and then click **OK** twice.
- >**Note:** You must select a setting that is different than your original setting to generate the audit event.
+1. Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit.
+2. Open a File Explorer window, and then select the file or folder that you configured for auditing in the previous procedure.
+3. Right-click the file or folder, select **Properties**, select the **Security** tab, and then select **Advanced**.
+4. Select the **Central Policy** tab, select **Change**, select a different central access policy (if one is available) or select **No Central Access Policy**, and then select **OK** twice.
+ > [!NOTE]
+ > You must select a setting that is different than your original setting to generate the audit event.
-5. In Server Manager, click **Tools**, and then click **Event Viewer**.
-6. Expand **Windows Logs**, and then click **Security**.
-7. Look for event 4913, which is generated when the central access policy that is associated with a file or folder is changed. This event includes the security identifiers (SIDs) of the old and new central access policies.
+5. In Server Manager, select **Tools**, and then select **Event Viewer**.
+6. Expand **Windows Logs**, and then select **Security**.
+7. Look for event 4913, which is generated when the central access policy that's associated with a file or folder changes. This event includes the security identifiers (SIDs) of the old and new central access policies.
### Related resource
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 4a75974332..fb06a1c928 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -22,7 +22,7 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
-Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting.
+This article describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting.
## Reference
@@ -38,11 +38,12 @@ This policy setting determines the behavior of all User Account Control (UAC) po
Admin Approval Mode and all related UAC policies are disabled.
- >**Note:** If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced.
+ > [!NOTE]
+ > If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced.
### Best practices
-- Enable this policy to allow all other UAC features and policies to function.
+- Turn on this policy to allow all other UAC features and policies to function.
### Location
@@ -67,11 +68,11 @@ This section describes features and tools that are available to help you manage
### Restart requirement
-A restart of the computer is required before this policy will be effective when changes to this policy are saved locally or distributed through Group Policy.
+The computer must be restarted before this policy is effective when changes to this policy are saved locally or distributed through Group Policy.
### Group Policy
-All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
+All auditing capabilities are integrated in Group Policy. You can configure, deploy, and manage these settings in the Group Policy Management Console or Local Security Policy snap-in for a domain, site, or organizational unit.
## Security considerations
@@ -79,11 +80,11 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-This is the setting that turns UAC on or off. If this setting is disabled, UAC is not used, and any security benefits and risk mitigations that are dependent on UAC are not present on the computer.
+This setting turns on or turns off UAC. If this setting isn't turned on, UAC isn't used, and any security benefits and risk mitigations that are dependent on UAC aren't present on the computer.
### Countermeasure
-Enable the **User Account Control: Run all users, including administrators, as standard users** setting.
+Turn on the **User Account Control: Run all users, including administrators, as standard users** setting.
### Potential impact