diff --git a/.openpublishing.redirection.browsers.json b/.openpublishing.redirection.browsers.json
index 0a24f19eed..f0bf2c40cc 100644
--- a/.openpublishing.redirection.browsers.json
+++ b/.openpublishing.redirection.browsers.json
@@ -70,6 +70,16 @@
 "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/home-button-gp",
 "redirect_document_id": false
 },
+ {
+ "source_path": "browsers/edge/index.yml",
+ "redirect_url": "/previous-versions/windows/edge-legacy/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/edge/group-policies/index.yml",
+ "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/index",
+ "redirect_document_id": false
+ },
 {
 "source_path": "browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md",
 "redirect_url": "/previous-versions/windows/edge-legacy/group-policies/interoperability-enterprise-guidance-gp",
@@ -125,6 +135,16 @@
 "redirect_url": "/previous-versions/windows/edge-legacy/managing-group-policy-admx-files",
 "redirect_document_id": false
 },
+ {
+ "source_path": "browsers/edge/microsoft-edge-faq.yml",
+ "redirect_url": "/previous-versions/windows/edge-legacy/microsoft-edge-faq",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/edge/microsoft-edge.yml",
+ "redirect_url": "/previous-versions/windows/edge-legacy/microsoft-edge",
+ "redirect_document_id": false
+ },
 {
 "source_path": "browsers/edge/microsoft-edge-forrester.md",
 "redirect_url": "/previous-versions/windows/edge-legacy/microsoft-edge-forrester",
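Review bot: The new `browsers/edge/index.yml` entry in the first hunk is inserted between the `group-policies/home-button-gp` and `group-policies/interoperability-enterprise-guidance-gp` entries, which breaks up the otherwise contiguous run of `browsers/edge/group-policies/*` sources; placing it beside the other top-level `browsers/edge/*.yml` entries added in the second hunk (`microsoft-edge-faq.yml`, `microsoft-edge.yml`) would keep the list scannable. Neither hunk shows the rest of the array, so it is worth confirming that no existing entry already carries one of the four new `source_path` values, since a duplicated source in a redirection file can make the effective target order-dependent or be rejected by validation. The enclosing JSON array starts and ends outside both hunks.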
@@ -169,6 +189,1101 @@ "source_path": "browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md", "redirect_url": "/internet-explorer/kb-support/ie-edge-faqs", "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/add-employees-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/add-employees-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md", + "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/administrative-templates-and-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/administrative-templates-and-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/approve-change-request-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/approve-change-request-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/check-for-new-enterprise-mode-site-list-xml-file", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/collect-data-using-enterprise-site-discovery", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/configure-settings-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/configure-settings-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/create-change-request-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": 
"browsers/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/enterprise-mode-and-enterprise-site-list-include", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/enterprise-mode-features-include.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/enterprise-mode-features-include", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/enterprise-mode-overview-for-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/enterprise-mode-overview-for-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/enterprise-mode-schema-version-1-guidance", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md", + "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/enterprise-mode-schema-version-2-guidance", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/enterprise-mode-site-list-mgr-portal-tools-include", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/enterprise-mode-site-list-mgr-versions-include.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/enterprise-mode-site-list-mgr-versions-include", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/enterprise-mode.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/enterprise-mode", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list.md", + "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/remove-sites-from-a-local-compatibililty-view-list", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/remove-sites-from-a-local-enterprise-mode-site-list", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/schedule-production-change-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/schedule-production-change-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/set-up-enterprise-mode-portal.md", + "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/set-up-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/turn-off-enterprise-mode.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/turn-off-enterprise-mode", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/use-the-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/use-the-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/use-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/use-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/using-enterprise-mode.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/using-enterprise-mode", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md", + "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/verify-changes-preprod-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/verify-changes-production-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/verify-changes-production-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/view-apps-enterprise-mode-site-list.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/view-apps-enterprise-mode-site-list", + "redirect_document_id": false + }, + { + "source_path": "browsers/enterprise-mode/what-is-enterprise-mode-include.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/enterprise-mode/what-is-enterprise-mode-include", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/TOC.yml", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/TOC", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/breadcrumb/toc.yml", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/breadcrumb/toc", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/docfx.json", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/docfx.json", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/.vscode/settings.json", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/.vscode/settings.json", + "redirect_document_id": false + }, + { + "source_path": 
"browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/activex-installation-using-group-policy", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/add-employees-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md", + 
"redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/administrative-templates-and-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/approve-change-request-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/auto-configuration-settings-for-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/auto-detect-settings-for-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md", + "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/blocked-out-of-date-activex-controls", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/change-history-for-internet-explorer-11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/choose-how-to-deploy-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/choose-how-to-install-ie11", + "redirect_document_id": false + }, + { + "source_path": 
"browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/collect-data-using-enterprise-site-discovery", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/configure-settings-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/create-change-request-enterprise-mode-portal", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/customize-ie11-install-packages", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": 
"browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/deprecated-document-modes", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy", + "redirect_document_id": false + }, + { + "source_path": 
"browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/enterprise-mode-overview-for-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list", + "redirect_document_id": false + }, + { + "source_path": 
"browsers/internet-explorer/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/group-policy-and-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/group-policy-compatibility-with-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/group-policy-compatibility-with-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md", + "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/group-policy-objects-and-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/group-policy-preferences-and-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/group-policy-problems-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/group-policy-shortcut-extensions-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/group-policy-windows-powershell-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/ie11-delivery-through-automatic-updates", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/images/img-enterprise-mode-site-list-xml.jpg", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/images/img-enterprise-mode-site-list-xml.jpg", + "redirect_document_id": false + }, + { + "source_path": 
"browsers/internet-explorer/ie11-deploy-guide/images/img-f12-developer-tools-emulation.jpg", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/images/img-f12-developer-tools-emulation.jpg", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/images/wedge.gif", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/images/wedge.gif", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/img-ie11-docmode-lg", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/index.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/index", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/install-and-deploy-ie11", + "redirect_document_id": false + }, + { + "source_path": "browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md", + "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/install-ie11-using-microsoft-intune", + "redirect_document_id": false + }, + { + "source_path": 
"browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/install-ie11-using-the-network",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/install-ie11-using-third-party-tools",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/install-problems-with-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md",
+ "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/intranet-problems-and-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/manage-ie11-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/missing-the-compatibility-view-button",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/net-framework-problems-with-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/new-group-policy-settings-for-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/out-of-date-activex-control-blocking",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": 
"browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/problems-after-installing-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/review-neutral-sites-with-site-list-manager",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager",
+ "redirect_document_id": false
+ 
},
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/set-the-default-browser-using-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/set-up-enterprise-mode-portal",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/setup-problems-with-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/setup-problems-with-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": 
"browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/system-requirements-and-language-support-for-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/troubleshoot-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/troubleshoot-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/turn-off-enterprise-mode",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/turn-off-natural-metrics",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md",
+ "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/updated-features-and-tools-with-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/use-the-enterprise-mode-portal",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/user-interface-problems-with-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/using-enterprise-mode.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/using-enterprise-mode",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/using-ieak11-to-create-install-packages",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": 
"browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/using-inf-files-to-create-install-packages",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/view-apps-enterprise-mode-site-list",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/view-enterprise-mode-reports-for-portal",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/virtualization-and-compatibility-with-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md",
+ "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/what-is-enterprise-mode",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-deploy-guide/workflow-processes-enterprise-mode-portal",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.yml",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-faq/faq-for-it-pros-ie11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-faq/faq-ie11-blocker-toolkit",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-faq/faq-ieak11.yml",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-faq/faq-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/accelerators-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/accelerators-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/add-and-approve-activex-controls-ieak11.md",
+ "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/add-and-approve-activex-controls-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/add-root-certificate-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/add-root-certificate-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/additional-settings-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/additional-settings-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/auto-config-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/auto-version-sync-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/auto-version-sync-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/before-you-create-custom-pkgs-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/before-you-create-custom-pkgs-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/branding-ins-file-setting.md",
+ "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/branding-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/browser-ui-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/browsertoolbars-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/browsertoolbars-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/browsing-options-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/browsing-options-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/cabsigning-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/cabsigning-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/compat-view-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/compat-view-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/connection-mgr-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/connection-mgr-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/connection-settings-ieak11-wizard",
+ 
"redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/connectionsettings-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/connectionsettings-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/create-build-folder-structure-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/create-build-folder-structure-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/create-manage-deploy-custom-pkgs-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/create-multiple-browser-packages-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/create-multiple-browser-packages-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/create-uninstall-inf-files-for-custom-components.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/create-uninstall-inf-files-for-custom-components",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/custom-components-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/custom-components-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/custombranding-ins-file-setting",
+ 
"redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/customize-automatic-search-for-ie",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/extreginf-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/extreginf-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/favoritesex-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/favoritesex-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/feature-selection-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/feature-selection-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/file-locations-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/file-locations-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/file-types-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/file-types-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": 
"browsers/internet-explorer/ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/first-run-and-welcome-page-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/hardware-and-software-reqs-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/hardware-and-software-reqs-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/hidecustom-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/ie-setup-command-line-options-and-return-codes.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/ie-setup-command-line-options-and-return-codes",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/ieak-information-and-downloads",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/ieak11-wizard-custom-options.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/ieak11-wizard-custom-options",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": 
"browsers/internet-explorer/ie11-ieak/iexpress-command-line-options.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/iexpress-command-line-options",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/iexpress-wizard-for-win-server.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/iexpress-wizard-for-win-server",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/images/wedge.gif",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/images/wedge.gif",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/index.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/internal-install-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/internal-install-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/isp-security-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/isp-security-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/language-selection-ieak11-wizard.md",
+ "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/language-selection-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/licensing-version-and-features-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/media-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/media-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/pkg-type-selection-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/pkg-type-selection-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/platform-selection-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/prep-network-install-with-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/prep-network-install-with-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/programs-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/proxy-auto-config-examples",
+ 
"redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/proxy-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/proxy-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/proxy-settings-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/register-uninstall-app-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/register-uninstall-app-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/rsop-snapin-for-policy-settings-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/search-providers-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/security-and-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/security-and-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/security-and-privacy-settings-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/security-and-privacy-settings-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": 
"browsers/internet-explorer/ie11-ieak/security-imports-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/security-imports-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/url-ins-file-setting.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/url-ins-file-setting",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/user-experience-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/using-internet-settings-ins-files.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/using-internet-settings-ins-files",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/what-ieak-can-do-for-you",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/ie11-ieak/wizard-complete-ieak11-wizard.md",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/ie11-ieak/wizard-complete-ieak11-wizard",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/index.md",
+ "redirect_url": 
"/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/internet-explorer.yml",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/internet-explorer",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "browsers/internet-explorer/kb-support/ie-edge-faqs.yml",
+ "redirect_url": "/previous-versions/windows/internet-explorer/ie-it-pro/internet-explorer-11/kb-support/ie-edge-faqs",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 93c765cf10..d6f6446385 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1305,81 +1305,6 @@ "redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization", "redirect_document_id": false }, - { - "source_path": "windows/configure/cortana-at-work-crm.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-crm", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-feedback.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-feedback", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-o365.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-o365", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-overview.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-overview", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-policy-settings.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-policy-settings", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-powerbi.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-powerbi", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-scenario-1.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-1", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-scenario-2.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-2", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-scenario-3.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-3", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-scenario-4.md", - "redirect_url": 
"/windows/configuration/cortana-at-work/cortana-at-work-scenario-4", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-scenario-5.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-5", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-scenario-6.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-6", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-scenario-7.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-7", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-testing-scenarios.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios", - "redirect_document_id": false - }, - { - "source_path": "windows/configure/cortana-at-work-voice-commands.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-voice-commands", - "redirect_document_id": false - }, { "source_path": "windows/configure/customize-and-export-start-layout.md", "redirect_url": "/windows/configuration/customize-and-export-start-layout", 
@@ -10455,81 +10380,6 @@ "redirect_url": "/windows/client-management/connect-to-remote-aadj-pc", "redirect_document_id": false }, - { - "source_path": "windows/manage/cortana-at-work-crm.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-crm", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-feedback.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-feedback", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-o365.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-o365", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-overview.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-overview", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-policy-settings.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-policy-settings", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-powerbi.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-powerbi", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-1.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-1", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-2.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-2", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-3.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-3", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-4.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-4", - 
"redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-5.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-5", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-6.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-6", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-scenario-7.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-scenario-7", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-testing-scenarios.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios", - "redirect_document_id": false - }, - { - "source_path": "windows/manage/cortana-at-work-voice-commands.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-voice-commands", - "redirect_document_id": false - }, { "source_path": "windows/manage/customize-and-export-start-layout.md", "redirect_url": "/windows/configuration//customize-and-export-start-layout", @@ -10655,11 +10505,6 @@ "redirect_url": "/windows/client-management/index", "redirect_document_id": false }, - { - "source_path": "windows/manage/manage-cortana-in-enterprise.md", - "redirect_url": "/windows/configuration/cortana-at-work/cortana-at-work-overview", - "redirect_document_id": false - }, { "source_path": "windows/manage/manage-inventory-windows-store-for-business.md", "redirect_url": "/microsoft-store/app-inventory-management-windows-store-for-business", 
@@ -12771,99 +12616,1794 @@ "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts", - 
"redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-settings.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-settings", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/configure-mdt-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/configure-mdt-settings", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/create-a-windows-10-reference-image", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/create-a-windows-10-reference-image", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md", - "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md", - "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information", + "redirect_document_id": false }, { - "source_path": "windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-web-services-in-mdt", - "redirect_document_id": false + "source_path": "windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/use-web-services-in-mdt", + "redirect_document_id": false }, { - "source_path": "windows/deployment/windows-10-poc-mdt.md", - "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/windows-10-poc-mdt", - "redirect_document_id": false + "source_path": "windows/deployment/windows-10-poc-mdt.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-mdt/windows-10-poc-mdt", + "redirect_document_id": false }, { "source_path": 
"windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md", "redirect_url": "/windows/deployment/upgrade/resolve-windows-upgrade-errors", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-10-deployment-scenarios.md", + "redirect_url": "/windows/deployment/windows-deployment-scenarios", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-10-subscription-activation.md", + "redirect_url": "/windows/deployment/windows-subscription-activation", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-10-enterprise-e3-overview.md", + "redirect_url": "/windows/deployment/windows-enterprise-e3-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/advanced-security-auditing.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-auditing", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/threat-protection/auditing/audit-account-lockout.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-account-lockout",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-application-generated.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-application-generated",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-application-group-management.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-application-group-management",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-audit-policy-change.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-audit-policy-change",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-authentication-policy-change.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-authentication-policy-change",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-authorization-policy-change.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-authorization-policy-change",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-central-access-policy-staging.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-central-access-policy-staging",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-certification-services.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-certification-services",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-computer-account-management.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-computer-account-management",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-credential-validation.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-credential-validation",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-detailed-directory-service-replication",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-detailed-file-share.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-detailed-file-share",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-directory-service-access.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-directory-service-access",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-directory-service-changes.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-directory-service-changes",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-directory-service-replication.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-directory-service-replication",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-distribution-group-management.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-distribution-group-management",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-dpapi-activity.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-dpapi-activity",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-file-share.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-file-share",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-file-system.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-file-system",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-filtering-platform-connection.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-filtering-platform-connection",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-filtering-platform-packet-drop",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-filtering-platform-policy-change",
+ 
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-group-membership.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-group-membership",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-handle-manipulation.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-handle-manipulation",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-ipsec-driver.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-ipsec-driver",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-ipsec-extended-mode",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-ipsec-main-mode.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-ipsec-main-mode",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-ipsec-quick-mode",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kerberos-authentication-service",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kerberos-service-ticket-operations",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-kernel-object.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-kernel-object",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-logoff.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-logoff",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-logon.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-logon",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-network-policy-server.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-network-policy-server",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-non-sensitive-privilege-use",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-other-account-logon-events.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-account-logon-events",
+ "redirect_document_id": false
+ },
+ {
+ 
"source_path": "windows/security/threat-protection/auditing/audit-other-account-management-events.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-account-management-events",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-logonlogoff-events",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-other-object-access-events.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-object-access-events",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-other-policy-change-events.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-policy-change-events",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-other-privilege-use-events.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-privilege-use-events",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-other-system-events.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-system-events",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-pnp-activity.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-pnp-activity",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-process-creation.md",
+ 
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-process-creation",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-process-termination.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-process-termination",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-registry.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-registry",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-removable-storage.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-removable-storage",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-rpc-events.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-rpc-events",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-sam.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sam",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-security-group-management.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-group-management",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/audit-security-state-change.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-state-change",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": 
"windows/security/threat-protection/auditing/audit-security-system-extension.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-security-system-extension", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-sensitive-privilege-use", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/audit-special-logon.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-special-logon", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/audit-system-integrity.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-system-integrity", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/audit-token-right-adjusted.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-token-right-adjusted", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/audit-user-account-management.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-user-account-management", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/audit-user-device-claims.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-user-device-claims", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-audit-account-logon-events.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-account-logon-events", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-audit-account-management.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-account-management", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-audit-directory-service-access.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-directory-service-access", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-audit-logon-events.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-logon-events", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-audit-object-access.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-object-access", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-audit-policy-change.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-policy-change", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-audit-privilege-use.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-privilege-use", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-audit-process-tracking.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-process-tracking", + 
"redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-audit-system-events.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-audit-system-events", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-security-audit-policies.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-security-audit-policies", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/basic-security-audit-policy-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-1100.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1100", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-1102.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1102", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-1104.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1104", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-1105.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1105", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-1108.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-1108", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4608.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4608", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4610.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4610", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4611.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4611", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4612.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4612", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4614.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4614", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4615.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4615", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4616.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616", + "redirect_document_id": false + }, + { + 
"source_path": "windows/security/threat-protection/auditing/event-4618.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4618", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4621.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4621", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4622.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4622", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4624.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4625.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4626.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4626", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4627.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4627", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4634.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4647.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4648.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4648", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4649.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4656.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4656", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4657.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4657", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4658.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4658", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4660.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4660", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4661.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4662.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662", + "redirect_document_id": false + }, + { + 
"source_path": "windows/security/threat-protection/auditing/event-4663.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4663", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4664.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4664", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4670.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4670", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4671.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4671", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4672.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4672", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4673.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4674.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4674", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4675.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4675", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4688.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4688", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4689.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4689", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4690.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4690", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4691.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4691", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4692.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4692", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4693.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4693", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4694.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4694", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4695.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4695", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4696.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4696", + "redirect_document_id": false + }, + { + 
"source_path": "windows/security/threat-protection/auditing/event-4697.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4697", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4698.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4699.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4700.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4700", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4701.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4702.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4702", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4703.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4703", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4704.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4704", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4705.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4705", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4706.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4707.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4707", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4713.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4713", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4714.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4714", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4715.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4715", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4716.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4716", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4717.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4717", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4718.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4718", + "redirect_document_id": false + }, + { + 
"source_path": "windows/security/threat-protection/auditing/event-4719.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4719", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4720.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4720", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4722.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4722", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4723.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4723", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4724.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4724", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4725.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4725", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4726.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4726", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4731.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4731", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4732.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4733.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4733", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4734.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4734", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4735.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4735", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4738.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4738", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4739.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4739", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4740.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4740", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4741.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4742.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4742", + "redirect_document_id": false + }, + { + 
"source_path": "windows/security/threat-protection/auditing/event-4743.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4749.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4749", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4750.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4750", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4751.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4751", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4752.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4752", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4753.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4753", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4764.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4764", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4765.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4765", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4766.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4766", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4767.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4767", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4768.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4768", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4769.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4770.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4770", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4771.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4772.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4772", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4773.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4773", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4774.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4774", + "redirect_document_id": false + }, + { + 
"source_path": "windows/security/threat-protection/auditing/event-4775.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4775", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4776.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4777.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4777", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4778.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4778", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4779.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4779", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4780.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4780", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4781.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4781", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4782.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4782", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4793.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4793", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4794.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4798.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4798", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4799.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4799", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4800.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4800", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4801.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4801", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4802.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4802", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4803.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4803", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4816.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4816", + "redirect_document_id": false + }, + { + 
"source_path": "windows/security/threat-protection/auditing/event-4817.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4817", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4818.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4818", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4819.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4819", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4826.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4826", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4864.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4864", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4865.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4865", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4866.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4866", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4867.md", + "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4867", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/auditing/event-4902.md", + "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4902",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4904.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4904",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4905.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4905",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4906.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4906",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4907.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4907",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4908.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4908",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4909.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4909",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4910.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4910",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4911.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4911",
+ "redirect_document_id": false
+ },
+ {
+ 
"source_path": "windows/security/threat-protection/auditing/event-4912.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4912",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4913.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4913",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4928.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4928",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4929.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4929",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4930.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4930",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4931.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4931",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4932.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4932",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4933.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4933",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4934.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4934",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4935.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4935",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4936.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4936",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4937.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4937",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4944.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4944",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4945.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4945",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4946.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4946",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4947.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4947",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4948.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4948",
+ "redirect_document_id": false
+ },
+ {
+ 
"source_path": "windows/security/threat-protection/auditing/event-4949.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4949",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4950.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4950",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4951.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4951",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4952.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4952",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4953.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4953",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4954.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4954",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4956.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4956",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4957.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4957",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4958.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4958",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4964.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4964",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-4985.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4985",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5024.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5024",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5025.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5025",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5027.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5027",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5028.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5028",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5029.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5029",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5030.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5030",
+ "redirect_document_id": false
+ },
+ {
+ 
"source_path": "windows/security/threat-protection/auditing/event-5031.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5031",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5032.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5032",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5033.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5033",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5034.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5034",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5035.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5035",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5037.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5037",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5038.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5039.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5039",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5051.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5051",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5056.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5056",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5057.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5057",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5058.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5058",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5059.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5059",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5060.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5060",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5061.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5061",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5062.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5062",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5063.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5063",
+ "redirect_document_id": false
+ },
+ {
+ 
"source_path": "windows/security/threat-protection/auditing/event-5064.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5064",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5065.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5065",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5066.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5066",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5067.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5067",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5068.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5068",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5069.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5069",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5070.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5070",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5136.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5137.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5137",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5138.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5138",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5139.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5139",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5140.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5141.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5141",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5142.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5142",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5143.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5143",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5144.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5144",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5145.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5145",
+ "redirect_document_id": false
+ },
+ {
+ 
"source_path": "windows/security/threat-protection/auditing/event-5148.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5148",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5149.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5149",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5150.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5150",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5151.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5151",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5152.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5152",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5153.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5153",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5154.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5154",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5155.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5155",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5156.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5156",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5157.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5157",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5158.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5158",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5159.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5159",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5168.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5168",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5376.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5376",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5377.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5377",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5378.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5378",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5447.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5447",
+ "redirect_document_id": false
+ },
+ {
+ 
"source_path": "windows/security/threat-protection/auditing/event-5632.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5632",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5633.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5633",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5712.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5712",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5888.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5888",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5889.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5889",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-5890.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5890",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6144.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6144",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6145.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6145",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6281.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6400.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6400",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6401.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6401",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6402.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6402",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6403.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6403",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6404.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6404",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6405.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6405",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6406.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6406",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6407.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6407",
+ "redirect_document_id": false
+ },
+ {
+ 
"source_path": "windows/security/threat-protection/auditing/event-6408.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6408",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6409.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6409",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6410.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6410",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6416.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6419.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6419",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6420.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6420",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6421.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6421",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6422.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6422",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6423.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/event-6424.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6424",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/file-system-global-object-access-auditing",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/monitor-claim-types.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-claim-types",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-resource-attribute-definitions",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md",
+ "redirect_url": 
"/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/other-events.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/other-events",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/registry-global-object-access-auditing.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/registry-global-object-access-auditing",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/security-auditing-overview.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/security-auditing-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/view-the-security-event-log.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/view-the-security-event-log",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-auditing-faq",
+ "redirect_document_id": false
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/.openpublishing.redirection.windows-configuration.json b/.openpublishing.redirection.windows-configuration.json
index 4b4b40b0a6..5de90b60ea 100644
--- a/.openpublishing.redirection.windows-configuration.json
+++ b/.openpublishing.redirection.windows-configuration.json
@@ -30,16 +30,6 @@
 "redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization",
 "redirect_document_id": false
 },
- {
- "source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
- "redirect_url": "/windows/resources",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/configuration/cortana-at-work/cortana-at-work-powerbi.md",
- "redirect_url": "/windows/resources",
- "redirect_document_id": false
- },
 {
 "source_path": "windows/configuration/diagnostic-data-viewer-overview.md",
 "redirect_url": "/windows/privacy/diagnostic-data-viewer-overview",
@@ -280,111 +270,6 @@
 "redirect_url": "/windows/configuration/windows-diagnostic-data",
 "redirect_document_id": false
 },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-feedback.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-o365.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-overview.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/test-scenario-1.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-1",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/test-scenario-2.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-2",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/test-scenario-3.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-3",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/test-scenario-4.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-4",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/test-scenario-5.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-5",
- "redirect_document_id":false
- },
- {
- "source_path":"windows/configuration/cortana-at-work/test-scenario-6.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-6",
- "redirect_document_id":false
- },
 {
 "source_path": "windows/configuration/windows-diagnostic-data.md",
 "redirect_url": "/windows/privacy/windows-diagnostic-data",
@@ -574,6 +459,276 @@
 "source_path": "windows/configuration/windows-spotlight.md",
 "redirect_url": "/windows/configuration/lock-screen/windows-spotlight",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-crm.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-crm.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-powerbi.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-powerbi.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-powerbi.md",
+ "redirect_url": "/windows/resources",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-feedback.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-feedback.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-feedback.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-o365.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-o365.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-o365.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-overview.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-overview.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-overview.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/manage-cortana-in-enterprise.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-policy-settings.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-policy-settings.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-scenario-1.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-scenario-1.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-scenario-2.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-scenario-2.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-scenario-3.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-scenario-3.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-scenario-4.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-scenario-4.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-scenario-5.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-scenario-5.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-scenario-6.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-scenario-6.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-scenario-7.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-scenario-7.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-testing-scenarios.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-testing-scenarios.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configure/cortana-at-work-voice-commands.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/manage/cortana-at-work-voice-commands.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/test-scenario-1.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-1",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/test-scenario-2.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-2",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/test-scenario-3.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-3",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/test-scenario-4.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-4",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/test-scenario-5.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-5",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/test-scenario-6.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-6",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/education/docfx.json b/education/docfx.json
index 4e97e1ed26..312b5ddf47 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -42,7 +42,7 @@
 "breadcrumb_path": "/education/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-Windows",
 "feedback_system": "Standard",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "Win.education",
@@ -65,15 +65,16 @@
 "v-stsavell",
 "beccarobins",
 "Stacyrch140",
- "American-Dipper"
+ "American-Dipper",
+ "shdyas"
 ]
 },
 "fileMetadata": {
- "appliesto":{
+ "appliesto": {
 "windows/**/*.md": [
- "✅ Windows 11",
- "✅ Windows 11 SE",
- "✅ Windows 10"
+ "✅ Windows 11",
+ "✅ Windows 11 SE",
+ "✅ Windows 10"
 ]
 }
 },
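Review bot: The entries for set-up-and-test-cortana-in-windows-10.md, test-scenario-1.md through test-scenario-6.md and testing-scenarios-using-cortana-in-business-org.md at the end of the hunk get only a windows/configuration/cortana-at-work/ source_path, while every other cortana-at-work topic in this hunk also gets windows/configure/ and windows/manage/ variants. If those topics never lived under the older paths the gap is fine, but nothing in the file says so, and the next maintainer cannot tell an intentional omission from a missed one. The windows/configuration/cortana-at-work/ entries are the same ones removed in the earlier hunks of this file (at -30 and -280), so for them this is a move rather than a new redirect; leaving them in place and adding only the configure/ and manage/ rows would have limited the diff to what actually changed. Every redirect_url here remains a site-relative path, so no new external redirect target is introduced.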
@@ -81,5 +82,5 @@ "template": "op.html", "dest": "education", "markdownEngineName": "markdig" -} -} + } +} \ No newline at end of file diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index 8fd22d16a4..459fd0974e 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -54,27 +54,28 @@ "folder_relative_path_in_docset": "./" } }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", "Kellylorenebaker", "jborsecnik", "tiburd", "AngelaMotherofDragons", "dstrome", - "v-dihans", + "v-dihans", "garycentric", "v-stsavell", "beccarobins", "Stacyrch140", - "American-Dipper" + "American-Dipper", + "shdyas" ] }, "fileMetadata": {}, "template": [], "dest": "store-for-business", "markdownEngineName": "markdig" - } -} + } +} \ No newline at end of file diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 78f237a692..dc3deee0f3 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -4,11 +4,12 @@ description: Learn how to evaluate App-V for Windows 10/11 in a lab environment author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Evaluating App-V diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index 4f706ec7eb..911023aae0 100644 
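Review bot: The new side of the `@@ -81,5 +82,5 @@` hunk ends education/docfx.json without a trailing newline (`\ No newline at end of file` follows the added `+}`), where the old file ended with one; the store-for-business/docfx.json hunk on this line and the .openpublishing.redirection.browsers.json hunk at the top of this chunk do the same. Adding `shdyas` to contributors_to_exclude and fixing the indentation are fine, but dropping the final newline makes every future append-at-end change show up as a two-line diff on the closing brace and trips EOF linters. Keep `}` followed by a newline in all three files.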
--- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -4,11 +4,12 @@ description: How to Install the App-V Databases and Convert the Associated Secur author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- @@ -79,14 +80,14 @@ Before attempting this procedure, you should read and understand the information                "  Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" +                "  The output is written to the console in the format 'Account name    SID as string   SID as hexadecimal'{0}" +                "  And can be written out to a file using standard Windows PowerShell redirection{0}" + -                "  Please specify user accounts in the format 'DOMAIN\username'{0}" + +                "  Please specify user accounts in the format 'DOMAIN\username'{0}" +                "  Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" + -                "  For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + +                "  For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" +                "{0}====== Arguments ======{0}" + -                "{0}  /?    Show this help message", [Environment]::NewLine) +                "{0}  /?    Show this help message", [Environment]::NewLine) { else - {  + {      #If an array was passed in, try to split it     if($myArgs.Length -eq 1)     { 
@@ -95,7 +96,7 @@ Before attempting this procedure, you should read and understand the information     #Parse the arguments for account names     foreach($accountName in $myArgs) -     {    +     {            [string[]] $splitString = $accountName.Split('\')  # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject         if($splitString.Length -ne 2)         { diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 1a6a1de125..181e13b751 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -4,11 +4,12 @@ description: How to Manage Connection Groups on a Stand-alone Computer by Using author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index e985d4a918..7f676c5b81 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -4,11 +4,12 @@ description: Connection groups can allow administrators to manage packages indep author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Managing Connection Groups 
@@ -40,9 +41,9 @@ In some previous versions of App-V, connection groups were referred to as Dynami - [Operations for App-V](appv-operations.md) - - - + + + diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index c42f3ed0f6..cb9d2085c0 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -4,18 +4,19 @@ description: Learn how to migrate to Microsoft Application Virtualization (App-V author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Migrating to App-V from previous versions [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first. +To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first. ## Improvements to the App-V Package Converter @@ -51,7 +52,7 @@ To understand the new process, review the following example `ConvertFrom-AppvLeg **And you run this command:** ``` syntax -ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ +ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ -DestinationPath \\NewPkgStore\ContosoApp\ -OSDsToIncludeInPackage X.osd,Y.osd ``` @@ -88,7 +89,7 @@ Use the package converter utility to upgrade virtual application packages create **Important**   After you convert an existing package you should test the package prior to deploying the package to ensure the conversion process was successful. - + **What to know before you convert existing packages** 
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index b9d7da75f0..d9b051f74f 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -4,11 +4,12 @@ description: Learn how to modify an existing virtual application package and add author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # How to Modify an Existing Virtual Application Package diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index 24187f7a7d..84f2710b45 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -4,11 +4,12 @@ description: Learn how to modify the Application Virtualization (App-V) client c author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # How to Modify Client Configuration by Using Windows PowerShell @@ -28,8 +29,8 @@ Use the following procedure to configure the App-V client configuration. `Set-AppVClientConfiguration –Name1 MyConfig –Name2 "xyz"` - - + +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). ## Related articles diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index 9aa55c680d..2b4ee820e3 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -4,11 +4,12 @@ description: Learn how to create a new management server console in your environ author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # How to move the App-V server to another computer diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index d05eec841b..aca5169513 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -4,11 +4,12 @@ description: Learn how to configure App-V for optimal performance, optimize virt author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Performance Guidance for Application Virtualization @@ -16,7 +17,7 @@ ms.subservice: itpro-apps **Applies to**: - Windows 7 SP1 -- Windows 10 +- Windows 10 - Windows 11 - Server 2012 R2 - Server 2016 
@@ -103,7 +104,7 @@ The following information displays the required steps to prepare the base image #### Prepare the Base Image -- **Performance**: +- **Performance**: - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md). - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps. @@ -120,7 +121,7 @@ The following information displays the required steps to prepare the base image - `AppData\Local\Microsoft\AppV\Client\VFS` - `AppData\Roaming\Microsoft\AppV\Client\VFS` -- **Storage**: +- **Storage**: - Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md). - Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps. @@ -144,7 +145,7 @@ For critical App-V Client configurations and for a little more context and how-t - **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting isn't configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*. For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh. - + If you don't plan to pre-configure every available user package in the base image, use this setting. - Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Integration`. 
@@ -181,7 +182,7 @@ UE-V will only support removing the .lnk file type from the exclusion list in th - If a user has an application installed on one device but not another with .lnk files enabled. > [!Important] -> This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. +> This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. Using the Microsoft Registry Editor (regedit.exe), navigate to `HKEY\_LOCAL\_MACHINE\Software\Microsoft\UEV\Agent\Configuration\ExcludedFileTypes` and remove `.lnk` from the excluded file types. 
@@ -200,10 +201,10 @@ To enable an optimized sign-in experience, for example the App-V approach for th - Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations. > [!Note] - > + > > App-V is supported when using UPD only when the entire profile is stored on the user profile disk. - > - > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver doesn't handle UPD selected folders. + > + > App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver doesn't handle UPD selected folders. - Capturing changes to the locations, which constitute the user integrations, prior to session sign out. 
@@ -246,50 +247,50 @@ Registry – HKEY\_CURRENT\_USER This following process is a step-by-step walk-through of the App-V and UPM operations, and the users' expectations. - **Performance**: After implementing this approach in the VDI/RDSH environment, on first login, - - (Operation) A user-publishing/refresh is initiated. + - (Operation) A user-publishing/refresh is initiated. (Expectation) If it's the first time that a user has published virtual applications (for example, non-persistent), this operation will take the usual duration of a publishing/refresh. - (Operation) After the publishing/refresh, the UPM solution captures the user integrations. (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-out process. This result will incur the same/similar overhead as persisting the user state. - + **On subsequent logins**: - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh. (Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (that is, package entitlements change), some may go away. - - (Operation) Publishing/refresh will process unpublish and publish operations for changes in user package entitlements. - + - (Operation) Publishing/refresh will process unpublish and publish operations for changes in user package entitlements. + (Expectation) If there are no entitlement changes, publishing will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity of virtual applications - The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps. 
- + The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps. + - (Operation) UPM solution will capture user integrations again at sign off. - + (Expectation) Same as previous. - **Outcome**: + **Outcome**: - Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of sign in. - The publishing/refresh will process changes to the users-entitled virtual applications, which impacts the experience. - **Storage**: After implementing this approach in the VDI/RDSH environment, on first login - - (Operation) A user-publishing/refresh is initiated. + - (Operation) A user-publishing/refresh is initiated. (Expectation): - If this instance is the first time a user has published virtual applications (for example, non-persistent), this will take the usual duration of a publishing/refresh. - First and subsequent logins will be impacted by pre-configuring of packages (add/refresh). - + - (Operation) After the publishing/refresh, the UPM solution captures the user integrations. - (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-off process. This result will incur the same/similar overhead as persisting the user state. - + (Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-off process. This result will incur the same/similar overhead as persisting the user state. + **On subsequent logins**: - + - (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh. - (Operation) Add/refresh must pre-configure all user targeted applications. 
@@ -300,7 +301,7 @@ This following process is a step-by-step walk-through of the App-V and UPM opera - (Operation) Publishing/refresh will process unpublish and publish operations for changes to user package entitlements. **Outcome**: Because the add/refresh must reconfigure all the virtual applications to the VM, the publishing refresh time on every login will be extended. - + ### Impact to Package Life Cycle Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (unpublished) virtual application packages, it's recommended you update the base image to reflect these changes. To understand why review the following section: @@ -380,7 +381,7 @@ Removing FB1 doesn't require the original application installer. After completin "C:\\UpgradedPackages" > [!Note] - > This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file. + > This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file. |Step|Considerations|Benefits|Tradeoffs| |--- |--- |--- |--- | @@ -398,7 +399,7 @@ When publishing a virtual application package, the App-V Client will detect if a |Step|Considerations|Benefits|Tradeoffs| |--- |--- |--- |--- | |Selectively Employ Dynamic Configuration files|The App-V client must parse and process these Dynamic Configuration files.

Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.

Numerous virtual application packages may already have User- or computer–specific dynamic configurations files.|Publishing times will improve if these files are used selectively or not at all.|Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.| - + ### Disabling a Dynamic Configuration by using Windows PowerShell diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md index 0af2304c46..21136dd2bf 100644 --- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md +++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md @@ -4,11 +4,12 @@ description: How to Register and Unregister a Publishing Server by Using the Man author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # How to Register and Unregister a Publishing Server by Using the Management Console diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index 68b2efeb3a..eb9bee258f 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md 
@@ -4,11 +4,12 @@ description: A list of known issues and workarounds for App-V running on Windows author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Release Notes for App-V for Windows 10 version 1703 and later diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index e9f6d97139..4f33d2444c 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -4,11 +4,12 @@ description: A list of known issues and workarounds for App-V running on Windows author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Release Notes for App-V for Windows 10, version 1607 @@ -17,7 +18,7 @@ ms.subservice: itpro-apps - Windows 10, version 1607 The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607. - + ## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client There are MSI packages generated by an App-V sequencer from previous versions of App-V (Versions 5.1 and earlier). These packages include a check to validate whether the App-V client is installed on client devices, before allowing the MSI package to be installed. As the App-V client gets installed automatically when you upgrade user devices to Windows 10, version 1607, the prerequisite check fails and causes the MSI to fail. 
@@ -28,20 +29,20 @@ There are MSI packages generated by an App-V sequencer from previous versions of 2. Ensure that you've installed the **MSI Tools** included in the Windows 10 SDK, available as follows: - For the **Visual Studio Community 2015 with Update 3** client, which includes the latest Windows 10 SDK and developer tools, see [Downloads and tools for Windows 10](https://developer.microsoft.com/windows/downloads). - + - For the standalone Windows 10 SDK without other tools, see [Standalone Windows SDK](https://developer.microsoft.com/windows/downloads/windows-sdk). 3. Copy msidb.exe from the default path of the Windows SDK installation (**C:\Program Files (x86)\Windows Kits\10**) to a different directory. For example: **C:\MyMsiTools\bin** 4. From an elevated Windows PowerShell prompt, navigate to the following folder: - - <Windows Kits 10 installation folder>**\Microsoft Application Virtualization\Sequencer\\** - By default, this path is:
**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer** + <Windows Kits 10 installation folder>**\Microsoft Application Virtualization\Sequencer\\** + + By default, this path is:
**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer** 5. Run the following command: - `Update-AppvPackageMsi -MsiPackage "" -MsSdkPath ""` + `Update-AppvPackageMsi -MsiPackage "" -MsSdkPath ""` where the path is to the new directory (**C:\MyMsiTools\ for this example**). diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index f37849f3a0..4e4f47b94f 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -4,11 +4,12 @@ description: Running a Locally Installed Application Inside a Virtual Environmen author: aczechowski ms.service: windows-client ms.date: 03/08/2018 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications @@ -81,10 +82,10 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo The application in the previous example would produce a registry export file (.reg file) like the following example: ```registry - Windows Registry Editor Version 5.00 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual] - @="" - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe] + Windows Registry Editor Version 5.00 + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual] + @="" + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe] @="aaaaaaaa-bbbb-cccc-dddd-eeeeeeee_11111111-2222-3333-4444-555555555 ``` 
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 9754332e13..a41e80e750 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -4,11 +4,12 @@ description: Learn how to sequence a new Microsoft Application Virtualization (A author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # How to Sequence a Package by using Windows PowerShell @@ -20,7 +21,7 @@ Use the following procedure to create a new App-V package using Windows PowerShe > [!NOTE] > Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md). - + **To create a new virtual application by using Windows PowerShell** 1. Install the App-V sequencer. For more information about installing the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md). 
@@ -60,10 +61,10 @@ The following list displays additional optional parameters that can be used with - FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened. -Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `update-appvsequencepackage` cmdlets automatically capture and store all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. +Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `update-appvsequencepackage` cmdlets automatically capture and store all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. > [!IMPORTANT] -> If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. +> If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. ## Related articles diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index ec23d191b4..50ffd5963b 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -4,11 +4,12 @@ description: Learn strategy and context for many performance optimization practi author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Technical Reference for App-V 
diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md index 1a4d09cc2f..d2fbaa8450 100644 --- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md @@ -4,11 +4,12 @@ description: How to Transfer Access and Configurations to Another Version of a P author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index 020e46ea24..0cde4c8496 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -4,11 +4,12 @@ description: Learn how to find information about troubleshooting Application Vir author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Troubleshooting App-V diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index 48842df8a4..872fdc6b2a 100644 
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -4,18 +4,19 @@ description: Learn about upgrading to Application Virtualization (App-V) for Win author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Upgrading to App-V for Windows client from an existing installation [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)] -If you’re already using App-V and you’re planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client. +If you’re already using App-V and you’re planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client. 1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-1011). Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. 
@@ -31,11 +32,11 @@ These steps are explained in more detail below. ## Upgrade user devices to Windows 10/11 -Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows document set](/windows/windows-10/) for information about upgrading user devices. +Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows document set](/windows/windows-10/) for information about upgrading user devices. ## Verify that App-V applications and settings were migrated correctly -After upgrading a user device, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade. +After upgrading a user device, it’s important to verify that App-V applications and settings were migrated correctly during the upgrade. To verify that the user’s App-V application packages were migrated correctly, type `Get-AppvClientPackage` in Windows PowerShell. 
@@ -43,13 +44,13 @@ To verify that the user’s App-V settings were migrated correctly, type `Get-Ap ## Enable the in-box App-V client -With Windows 10/11, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell. +With Windows 10/11, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell. **To enable the App-V client with Group Policy** 1. Open the device’s **Group Policy Editor**. -2. Navigate to **Computer Configuration > Administrative Templates > System > App-V**. +2. Navigate to **Computer Configuration > Administrative Templates > System > App-V**. 3. Run **Enables App-V Client** and then select **Enabled** on the screen that appears. 
@@ -71,27 +72,27 @@ Once you’ve enabled the in-box App-V client, you need to configure it to point **To modify client settings to point to an existing App-V publishing server with Windows PowerShell** -Type the following cmdlet in a Windows PowerShell window: +Type the following cmdlet in a Windows PowerShell window: -`Add-AppvPublishingServer -Name AppVServer -URL https:// appvserver:2222` +`Add-AppvPublishingServer -Name AppVServer -URL https:// appvserver:2222` -**To modify client settings to point to an existing App-V publishing server with Group Policy** +**To modify client settings to point to an existing App-V publishing server with Group Policy** 1. Open the device’s **Local Group Policy Editor**. -2. Navigate to **Computer Configuration > Administrative Templates > System > App-V > Publishing**. +2. Navigate to **Computer Configuration > Administrative Templates > System > App-V > Publishing**. 3. Enter your existing App-V publishing server’s details in **Options** and then click or press **Apply**. ## Verify that the in-box App-V client can receive and launch .appv packages -1. Add and publish a package using the following Windows PowerShell cmdlets: +1. Add and publish a package using the following Windows PowerShell cmdlets: - `Add-AppvClientPackage \\path\to\appv\package.appv | Publish-AppvClientPackage` + `Add-AppvClientPackage \\path\to\appv\package.appv | Publish-AppvClientPackage` -2. Launch the published package. +2. Launch the published package. -3. Unpublish an existing package use the following cmdlet: +3. Unpublish an existing package use the following cmdlet: `Unpublish-AppvClientPackage "ContosoApplication"` diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index 84af8ed135..5d99029e54 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md 
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -4,11 +4,12 @@ description: Learn how to use the Application Virtualization (App-V) client mana author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Using the App-V Client Management Console @@ -25,7 +26,7 @@ The App-V client has associated settings that can be configured to determine how - [How to Modify Client Configuration by Using Windows PowerShell](appv-modify-client-configuration-with-powershell.md) -- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) +- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) ## The App-V client management console diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md index 82665691aa..97d6680ac1 100644 --- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md 
@@ -4,11 +4,12 @@ description: How to View and Configure Applications and Default Virtual Applicat author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index c2d47380bf..f652726838 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -4,11 +4,12 @@ description: Use this procedure to view App-V Server publishing metadata, which author: aczechowski ms.service: windows-client ms.date: 04/19/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: aaroncz ms.collection: must-keep ms.subservice: itpro-apps +ms.topic: article --- # Viewing App-V Server Publishing Metadata diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 72c7168b1a..c8640f09dd 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -43,7 +43,7 @@ "ms.service": "windows-client", "ms.subservice": "itpro-apps", "feedback_system": "Standard", - "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-app-management", 
@@ -62,9 +62,12 @@
 "beccarobins",
 "Stacyrch140",
 "v-stsavell",
- "American-Dipper"
+ "American-Dipper",
+ "shdyas"
 ],
- "searchScope": ["Windows 10"]
+ "searchScope": [
+ "Windows 10"
+ ]
 },
 "fileMetadata": {
 "feedback_system": {
@@ -75,4 +78,4 @@
 "dest": "win-app-management",
 "markdownEngineName": "markdig"
 }
-}
+}
\ No newline at end of file
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index d099e4731e..865ebfff70 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -49,7 +49,7 @@
 "author": "vinaypamnani-msft",
 "manager": "aaroncz",
 "feedback_system": "Standard",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "MSDN.win-client-management",
@@ -69,7 +69,8 @@
 "american-dipper",
 "angelamotherofdragons",
 "v-stsavell",
- "stacyrch140"
+ "stacyrch140",
+ "shdyas"
 ],
 "searchScope": [
 "Windows 10"
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index f32ff8f609..535eaf637a 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -14,6 +14,9 @@ ms.date: 01/18/2024 The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment. + +> [!NOTE] +> The DMClient CSP nodes are intended to be configured by the MDM server to manage device configuration and security features. Custom URI settings for this CSP are not supported for IT admin management scenarios due to the complexity of the settings. diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index b8ae2bcd32..19bd347e3c 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -1,7 +1,7 @@ --- title: MixedReality Policy CSP description: Learn more about the MixedReality Area in Policy CSP. -ms.date: 01/31/2024 +ms.date: 02/20/2024 --- @@ -272,6 +272,59 @@ This policy controls if the HoloLens displays will be automatically adjusted for + +## AutoUnlock + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
✅ User | ❌ Pro
❌ Enterprise
❌ Education
❌ Windows SE
❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/MixedReality/AutoUnlock +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoUnlock +``` + + + + +This policy controls whether a signed-in user will be prompted for credentials when returning to the device after the device has entered suspended state. This policy is available both for the device as well as the user scope. When enabled for the device scope, auto unlock will be enabled for all users on the device. When enabled for the user scope, only the specific user will have auto unlock enabled. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | User will be prompted for credentials. | +| 1 | User won't be prompted for credentials. | + + + + + + + + ## BrightnessButtonDisabled diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index b47df98114..d0ed927da8 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -47,7 +47,7 @@ "author": "paolomatarazzo", "manager": "aaroncz", "feedback_system": "Standard", - "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-configuration", 
@@ -66,31 +66,34 @@
 "beccarobins",
 "Stacyrch140",
 "v-stsavell",
- "American-Dipper"
+ "American-Dipper",
+ "shdyas"
 ],
- "searchScope": ["Windows 10"]
+ "searchScope": [
+ "Windows 10"
+ ]
 },
 "fileMetadata": {
 "feedback_system": {
 "ue-v/**/*.*": "None"
 },
- "author":{
+ "author": {
 "wcd//**/*.md": "aczechowski",
 "wcd//**/*.yml": "aczechowski",
 "ue-v//**/*.md": "aczechowski",
 "ue-v//**/*.yml": "aczechowski"
 },
- "ms.author":{
+ "ms.author": {
 "wcd//**/*.md": "aaroncz",
 "wcd//**/*.yml": "aaroncz",
 "ue-v//**/*.md": "aaroncz",
 "ue-v//**/*.yml": "aaroncz"
 },
- "ms.reviewer":{
+ "ms.reviewer": {
 "kiosk//**/*.md": "sybruckm",
 "start//**/*.md": "ericpapa"
 },
- "ms.collection":{
+ "ms.collection": {
 "wcd//**/*.md": "must-keep",
 "ue-v//**/*.md": [
 "must-keep",
@@ -112,5 +115,4 @@
 "dest": "win-configuration",
 "markdownEngineName": "markdig"
 }
-}
-
+}
\ No newline at end of file
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 187db39a40..47091d44c1 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -4,7 +4,7 @@
 - name: Get started
 items:
 - name: Windows client deployment scenarios
- href: windows-10-deployment-scenarios.md
+ href: windows-deployment-scenarios.md
 - name: Quick guide to Windows as a service
 href: update/waas-quick-start.md
 - name: Windows as a service overview
@@ -175,9 +175,9 @@
 - name: Activate
 items:
 - name: Windows subscription activation
- href: windows-10-subscription-activation.md
+ href: windows-subscription-activation.md
 - name: Windows Enterprise E3 in CSP
- href: windows-10-enterprise-e3-overview.md
+ href: windows-enterprise-e3-overview.md
 - name: Configure VDA for subscription activation
 href: vda-subscription-activation.md
 - name: Deploy Windows Enterprise licenses
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 8208704491..c02e0390cd 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy Windows Enterprise licenses
-description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP.
+description: Steps to deploy Windows Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP.
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
@@ -11,17 +11,18 @@ ms.topic: how-to
 ms.collection:
 - highpri
 - tier2
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.date: 11/14/2023
+ms.date: 02/13/2024
+zone_pivot_groups: windows-versions-11-10
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
 ---
 # Deploy Windows Enterprise licenses
-This article describes how to deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with [subscription activation](windows-10-subscription-activation.md) or [Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Microsoft Entra ID.
+This article describes how to deploy Windows Enterprise E3 or E5 licenses with [subscription activation](windows-subscription-activation.md) or [Enterprise E3 in CSP](windows-enterprise-e3-overview.md) and Microsoft Entra ID.
-These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro:
+These activation features require a supported and licensed version of Windows Pro:
 - Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA).
 - Enterprise E3 in CSP.
@@ -30,9 +31,9 @@ These activation features require a supported and licensed version of Windows 10
 ## Enable subscription activation with an existing EA
-If you're an EA customer with an existing Microsoft 365 tenant, use the following steps to enable Windows subscription licenses on your existing tenant:
+EA customers with an existing Microsoft 365 tenant can use the following steps to enable Windows subscription licenses on the existing tenant:
-1. Work with your reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on your current Windows Enterprise SA license:
+1. Work with the reseller to place an order for one $0 SKU per user. As of October 1, 2022, there are three SKUs available, depending on the current Windows Enterprise SA license:
 | SKU | Description |
 |---------|---------|
@@ -41,13 +42,14 @@ If you're an EA customer with an existing Microsoft 365 tenant, use the followin
 | **VRM-00001** | `Win OLS Activation User GCC Sub Per User` |
 > [!NOTE]
- > As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.
+ >
+ > As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.
-1. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses have been provisioned on the tenant.
+1. After an order is placed, the OLS admin on the agreement will receive a service activation email, which indicates the subscription licenses is provisioned on the tenant.
-1. You can now assign subscription licenses to users.
+1. Subscription licenses can now be assigned to users.
-If you need to update contact information and resend the activation email, use the following process:
+To update contact information and resend the activation email, use the following process:
 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
@@ -55,257 +57,477 @@ If you need to update contact information and resend the activation email, use t
 1. Select **Online Services Agreement List**.
-1. Enter your agreement number, and then select **Search**.
+1. Enter the agreement number, and then select **Search**.
 1. Select the **Service Name**.
 1. In the **Subscription Contact** section, select the name listed under **Last Name**.
-1. Update the contact information, then select **Update Contact Details**. This action will trigger a new email.
+1. Update the contact information, then select **Update Contact Details**. This action triggers a new email.
 ## Preparing for deployment: reviewing requirements
-- Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro
+- Devices must be running a supported version of Windows Pro.
 - Microsoft Entra joined, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this article.
-
-
 ### Active Directory synchronization with Microsoft Entra ID
-If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Microsoft Entra ID. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Microsoft Entra ID. An example of a cloud service is Windows Enterprise E3 or E5.
-
-**Figure 1** illustrates the integration between the on-premises AD DS domain with Microsoft Entra ID. Microsoft Entra Connect is responsible for synchronization of identities between the on-premises AD DS domain and Microsoft Entra ID. Microsoft Entra Connect is a service that you can install on-premises or in a virtual machine in Azure.
-
-:::image type="content" source="images/enterprise-e3-ad-connect.png" alt-text="Figure 1 illustrates the integration between the on-premises AD DS domain with Azure AD.":::
-
-Figure 1: On-premises AD DS integrated with Microsoft Entra ID
+If there's an on-premises Active Directory Domain Services (AD DS) domain, identities in the on-premises AD DS domain need to be synchronized with Microsoft Entra ID. This synchronization is required for users to have a _single identity_ that they can use to access their on-premises apps and cloud services that use Microsoft Entra ID. An example of a cloud service is Windows Enterprise E3 or E5.
 For more information about integrating on-premises AD DS domains with Microsoft Entra ID, see the following resources:
+- [Configure Microsoft Entra hybrid join](/entra/identity/devices/how-to-hybrid-join)
 - [What is hybrid identity with Microsoft Entra ID?](/azure/active-directory/hybrid/whatis-hybrid-identity)
 - [Microsoft Entra Connect and Microsoft Entra Connect Health installation roadmap](/azure/active-directory/hybrid/how-to-connect-install-roadmap)
 ## Assigning licenses to users
-After you've ordered the Windows subscription (Windows 10 Business, E3 or E5), you'll receive an email with guidance on how to use Windows as an online service:
+After the Windows subscription is ordered, an email is sent with guidance on how to use Windows as an online service. The following methods are available to assign licenses:
-:::image type="content" source="images/al01.png" alt-text="An example email from Microsoft to complete your profile after purchasing Online Services through Microsoft Volume Licensing.":::
+- When the required Microsoft Entra subscription is available, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
-The following methods are available to assign licenses:
-
-- When you have the required Microsoft Entra subscription, [group-based licensing](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
-
-- You can sign in to the Microsoft 365 admin center and manually assign licenses:
-
- :::image type="content" source="images/al02.png" alt-text="A screenshot of the admin center, showing assignment of the Windows 10 Enterprise E3 product license to a specific user.":::
-
-- You can assign licenses by uploading a spreadsheet.
-
-- [How to use PowerShell to automatically assign licenses to your Microsoft 365 users](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx).
-
-> [!TIP]
-> Other solutions may exist from the community. For example, a Microsoft MVP shared the following process: [Assign EMS licenses based on local Active Directory group membership](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/).
+- Licenses can be manually assigned by signing into the [Microsoft 365 admin center](https://admin.microsoft.com/).
+- Licenses can be assigned by uploading a spreadsheet.
+- Licenses can be assigned via [PowerShell](/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell).
 ## Explore the upgrade experience
-Now that you've established a subscription and assigned licenses to users, you can upgrade devices running supported versions of Windows 10 Pro or Windows 11 Pro to Enterprise edition.
+Now that a subscription is established and licenses are assigned to users, devices running supported versions of Windows Pro can be upgraded to Enterprise edition.
-> [!NOTE]
-> The following experiences are specific to Windows 10. The general concepts also apply to Windows 11.
-
-
+> [!TIP]
+>
+> This upgrade experience walkthrough assumes Autopilot isn't being used. For the Autopilot experience when joining Microsoft Entra ID, see [User-driven Microsoft Entra join: Deploy the device](/autopilot/tutorial/user-driven/azure-ad-join-deploy-device).
 ### Step 1: Join Windows Pro devices to Microsoft Entra ID
-You can join a Windows Pro device to Microsoft Entra ID during setup, the first time the device starts. You can also join a device that's already set up.
+The first time the device starts, a Windows Pro device can join Microsoft Entra ID during setup. Existing devices can also join Microsoft Entra ID.
-
+#### Join a device to Microsoft Entra ID during OOBE when the device is started for the first time
-#### Join a device to Microsoft Entra ID the first time the device is started
+::: zone pivot="windows-11"
-1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then select **Next**.
+1. Power on the device for the first time to initiate Windows Setup and the Out of Box experience (OOBE).
- :::image type="content" source="images/enterprise-e3-who-owns.png" alt-text="A screenshot of the 'Who owns this PC?' page in Windows 10 setup.":::
+1. In the **Is this the right country or region?** screen, select the desired country/region and then select the **Yes** button.
- Figure 2: The "Who owns this PC?" page in initial Windows 10 setup.
+1. In the **Is this the right keyboard layout or input method?** screen, select the desired keyboard/input methods and then select the **Yes** button.
-1. On the **Choose how you'll connect** page, select **Join Microsoft Entra ID**, and then select **Next**.
+1. In the **Want to add a second keyboard layout?** screen, if desired add additional keyboard/input methods by selecting **Add layout**. Otherwise select the **Skip** button.
- :::image type="content" source="images/enterprise-e3-choose-how.png" alt-text="A screenshot of the 'Choose how you'll connect' page in Windows 10 setup.":::
+1. If no network connection is detected, the **Let's connect you to a network** screen appears. Connect to a wireless or wired network that has Internet access, and then select the **Next** button.
- Figure 3: The "Choose how you'll connect" page in initial Windows 10 setup.
+1. At this point, updates for Windows Setup might be installed. If updates are installed, the device reboots to finish installing the updates.
-1. On the **Let's get you signed in** page, enter your Microsoft Entra credentials, and then select **Sign in**.
+1. In Windows 11 Pro editions, the **Let's name your device** screen appears. Give the device a name and then select the **Next** button. After the device is given a name, the device might reboot.
- :::image type="content" source="images/enterprise-e3-lets-get.png" alt-text="A screenshot of the 'Let's get you signed in' page in Windows 10 setup.":::
+1. In Windows 11 Pro editions, the **How would you like to set up this device?** screen appears. Select **Set up for work or school** and then select the **Next** button.
- Figure 4: The "Let's get you signed in" page in initial Windows 10 setup.
+1. In the **Let's set things up for your work or school** screen:
-Now the device is Microsoft Entra joined to the organization's subscription.
+ 1. In the **someone@example.com** text box under **Sign in**, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
-
+ 1. In the **Password** text box under **Enter password**, enter the password for the Microsoft Entra user account, and then select the **Sign in** button.
-#### Join a device to Microsoft Entra ID when the device is already set up with Windows 10 Pro
+1. 
The device proceeds with the rest of the Windows setup including configuration of organization specific settings.
+
+1. In the **Choose privacy settings for your device** screen, configure privacy settings as desired, using the **Next** button to go between settings. Once complete, select the **Accept** button.
+
+1. Depending on the device and the configuration of organization specific settings, additional screens might appear. For example, the **Windows Hello** screen might appear.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+1. Power on the device for the first time to initiate Windows Setup and the Out of Box experience (OOBE).
+
+1. In the **Let's start with region. Is this right?** screen, select the desired country/region and then select the **Yes** button.
+
+1. In the **Is this the right keyboard layout?** screen, select the desired keyboard/input methods and then select the **Yes** button.
+
+1. In the **Want to add a second keyboard layout?** screen, if desired add additional keyboard/input methods by selecting the **Add layout** button. Otherwise select the **Skip** button.
+
+1. If no network connection is detected, the **Let's connect you to a network** screen appears. Connect to a wireless or wired network that has Internet access, and then select the **Next** button.
+
+1. At this point, updates for Windows Setup might be installed. If updates are installed, the device reboots to finish installing the updates.
+
+1. In Windows 10 Pro editions, the **How would you like to set up?** screen appears. Select **Set up for an organization** and then select the **Next** button.
+
+1. In the **Sign in with Microsoft** screen, in the **someone@example.com** text box, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
+
+1. 
In the **Enter your password** screen, in the **Password** text box, enter the password for the Microsoft Entra user account, and then select the **Next** button.
+
+1. The device proceeds with the rest of the Windows setup including configuration of organization specific settings.
+
+1. In the **Choose privacy settings for your device** screen, configure privacy settings as desired. Once complete, select the **Accept** button.
+
+1. Depending on the device and the configuration of organization specific settings, additional screens might appear. For example, the **Windows Hello** screen might appear.
+
+::: zone-end
+
+Once Windows Setup finishes, the user is automatically signed in and the device is Microsoft Entra joined to the organization's subscription.
+
+#### Join a device to Microsoft Entra ID when the device is already set up with Windows
 > [!IMPORTANT]
-> Make sure that the user you're signing in with is _not_ the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account.
+>
+> Make sure that the user signing in isn't the **BUILTIN/Administrator** account. That user can't use the `+ Connect` action to join a work or school account.
-1. Go to **Settings**, select **Accounts**, and select **Access work or school**.
+Open the **Accounts** > **Access work or school** pane in the **Settings** app by selecting the following link:
- :::image type="content" source="images/enterprise-e3-connect-to-work-or-school.png" alt-text="A screenshot of the 'Connect to work or school' settings page.":::
+> [!div class="nextstepaction"]
+> [Access work or school](ms-settings:workplace)
- Figure 5: "Connect to work or school" configuration in Settings.
+or
-1. In **Set up a work or school account**, select **Join this device to Microsoft Entra ID**.
+1. Right-click on the **Start** menu and select **Run**.
- :::image type="content" source="images/enterprise-e3-set-up-work-or-school.png" alt-text="A screenshot of the 'Set up a work or school account' wizard.":::
+1. In the **Run** window, next to **Open:**, enter:
- Figure 6: Set up a work or school account.
+ ```console
+ ms-settings:workplace
+ ```
-1. On the **Let's get you signed in** page, enter your Microsoft Entra credentials, and then select **Sign in**.
+ and then select **OK**.
- :::image type="content" source="images/enterprise-e3-lets-get-2.png" alt-text="A screenshot of the 'Let's get you signed in' window.":::
+or
- Figure 7: The "Let's get you signed in" window.
+::: zone pivot="windows-11"
-Now the device is Microsoft Entra joined to the organization's subscription.
+1. Right-click on the **Start** menu and select **Settings**.
+
+1. In the **Settings** app, select **Accounts** in the left hand pane.
+
+1. In the **Accounts** pane, select **Access work or school**.
+
+Once the **Accounts > Access work or school** pane is open:
+
+1. In the **Accounts > Access work or school** pane, next to **Add a work or school account**, select the **Connect** button.
+
+1. In the **Microsoft account** window that opens:
+
+ 1. In the **Set up a work or school account** page, under **Alternate actions:**, select **Join this device to Microsoft Entra ID**.
+
+ 1. In the **Email or phone** text box of the **Sign in** page, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
+
+ 1. In the **Password** text box of the **Enter password** page, enter the password for the Microsoft Entra user account, and then select the **Sign in** button.
+
+ 1. When the **Make sure this is your organization** window opens, confirm the information is correct and then select the **Join** button.
+
+ 1. The device joins the organization's Microsoft Entra ID subscription. Once complete, the **You're all set!** page is displayed. 
Select the **Done** button to complete the process.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+1. Right-click on the **Start** menu and select **Settings**.
+
+1. In the **Settings** app, select **Accounts**.
+
+1. In the left hand pane, select **Access work or school**.
+
+Once the **Access work or school** pane is open:
+
+1. In the **Access work or school** pane, select the **+** button next to **Connect**.
+
+1. In the **Microsoft account** window that opens:
+
+ 1. In the **Set up a work or school account** page, under **Alternate actions:**, select **Join this device to Microsoft Entra ID**.
+
+ 1. In the **Email or phone** text box of the **Sign in** page, enter the username for the Microsoft Entra user account, and then select the **Next** button. The username is in the email format of user@domain.com.
+
+ 1. In the **Password** text box of the **Enter password** page, enter the password for the Microsoft Entra user account, and then select the **Sign in** button.
+
+ 1. When the **Make sure this is your organization** window opens, confirm the information is correct and then select the **Join** button.
+
+ 1. The device joins the organization's Microsoft Entra subscription. Once complete, the **You're all set!** page is displayed. Select the **Done** button to complete the process.
+
+::: zone-end
+
+The device is now Microsoft Entra joined to the organization's subscription.
 ### Step 2: Pro edition activation
-If the device is running a supported version of Windows 10 or Windows 11, it automatically activates Windows Enterprise edition using the firmware-embedded activation key.
-
-
+Windows Pro has to be activated on the device. However, if the device is running a currently supported version of Windows, most modern devices automatically activates Windows Pro edition using the firmware-embedded activation key.
 ### Step 3: Sign in using Microsoft Entra account
-Once the device is joined to Microsoft Entra ID, users will sign in with their Microsoft Entra account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
-
-:::image type="content" source="images/enterprise-e3-sign-in.png" alt-text="A screenshot of signing in to Windows 10 as a Microsoft Entra user.":::
-
-Figure 8: Sign in to Windows 10 with a Microsoft Entra account.
+Once the device is joined to Microsoft Entra ID and Windows Setup/OOBE completes, the user signs in with their Microsoft Entra account. Once the user signs in with their Microsoft Entra account, the Windows Enterprise E3 or E5 license associated with the user enables Windows Enterprise edition capabilities on the device.
 ### Step 4: Verify that Enterprise edition is enabled
-To verify the Windows Enterprise E3 or E5 subscription, go to **Settings**, select **Update & Security**, and select **Activation**.
+To verify the Windows Enterprise E3 or E5 subscription:
-:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of verifying Windows 10 Enterprise activation in Settings.":::
+Open the **Activation** pane in the **Settings** app by selecting the following link:
-Figure 9: Verify Windows 10 Enterprise subscription in Settings.
+> [!div class="nextstepaction"]
+> [Activation](ms-settings:activation)
-If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
+or
-> [!NOTE]
-> If you use the `slmgr /dli` or `slmgr /dlv` commands to get the activation information for the E3 or E5 license, the license information displayed will be similar to the following output:
->
-> ```console
-> Name: Windows(R), Professional edition
-> Description: Windows(R) Operating System, RETAIL channel
-> Partial Product Key: 3V66T
-> ```
+1. Right-click on the **Start** menu and select **Run**.
+
+1. In the **Run** window, next to **Open:**, enter:
+
+ ```console
+ ms-settings:activation
+ ```
+
+ and then select **OK**.
+
+or
+
+::: zone pivot="windows-11"
+
+1. Right-click on the **Start** menu and select **Settings**.
+
+1. In the **Settings** app, select **System** in the left hand pane.
+
+1. In the **System** pane, **Activation**.
+
+Once the **System > Activation** pane is open:
+
+1. In the **System > Activation** pane, expand **Activation state** and **Subscription** to see full details of the activation state and status:
+
+ 1. Under **Activation state**, verify that Windows is activated. It should display the message:
+
+ `Windows is activated with a digital license`
+
+ 1. Under **Subscription**, verify that the Windows 11 Enterprise subscription is active. It should display the message:
+
+ `Windows 11 Enterprise subscription is active`
+
+ > [!NOTE]
+ >
+ > If the Windows Enterprise subscription hasn't yet been applied, the **Subscription** pane isn't displayed.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+1. Right-click on the **Start** menu and select **Settings**.
+
+1. In the **Settings** app, select **Update & Security**.
+
+1. In the left hand pane, select **Activation**.
+
+Once the **Activation** pane is open:
+
+1. In the **Activation** pane:
+
+ 1. Next to **Subscription**, verify that the Windows 10 Enterprise subscription is active. 
It should display the message:
+
+ `Windows Enterprise 10 subscription is active`
+
+ > [!NOTE]
+ >
+ > If the Windows Enterprise subscription hasn't yet been applied, the **Subscription** field isn't displayed.
+
+ 1. Next to **Activation**, verify that Windows is activated. It should display the message:
+
+ `Windows is activated with a digital license`
+
+::: zone-end
+
+A device is healthy when both the subscription and activation are active. If there are any problems with the Windows Enterprise E3 or E5 license or the activation of the license, the **Activation** pane displays the appropriate error message or status. This information can be used to help diagnose the licensing and activation process.
+
+#### Verify that Enterprise edition is enabled with slmgr
+
+**Slmgr** can also be used to verify the activation information:
+
+1. Open a command prompt.
+
+1. To get basic licensing information, run the following command at the command prompt:
+
+ ```cmd
+ slmgr /dli
+ ```
+
+ A window with output similar to the following opens:
+
+ ```console
+ Name: Windows(R), Professional edition
+ Description: Windows(R) Operating System, RETAIL channel
+ Partial Product Key: 3V66T
+ License Status: Licensed
+ ```
+
+ To instead get detailed licensing information, run the following command:
+
+ ```cmd
+ slmgr /dlv
+ ```
+
+For more information on **Slmgr**, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
 ## Troubleshoot the user experience
-In some instances, users may experience problems with the Windows Enterprise E3 or E5 subscription. The most common problems that users may experience are the following issues:
+In some instances, users might experience problems with activation of the Windows Enterprise E3 or E5 subscription. The most common problems that users might experience are the following issues:
-- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
-- An earlier version of Windows 10 Pro isn't activated. For example, Windows 10, versions 1703 or 1709.
+- The Windows Enterprise E3 or E5 subscription has lapsed, was removed, or isn't applied.
+- Windows Pro was never activated.
-### Troubleshoot common problems in the Activation pane
+When there are problems with Windows Enterprise E3 or E5 subscription activation, the following are errors can occur in the [Activation](ms-settings:activation) pane:
-Use the following figures to help you troubleshoot when users experience common problems:
+- **Windows Pro isn't activated**
-#### Device in healthy state
+ When Windows Pro isn't activated on a device, the following message is displayed for **Activation** in the [Activation](ms-settings:activation) pane:
-The following image illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
+ `Windows is not activated`
-:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's healthy and successfully activated.":::
+ Additionally, the following message might be displayed:
-#### Device that's not activated with active subscription
+ `We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034.`
-Figure 10 illustrates a device on which the Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active.
+ Examples where this problem can occur include:
-:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that isn't activated but the subscription is active.":::
+ - The device doesn't have a firmware-embedded activation key.
+ - The starting edition of Windows wasn't Windows Pro. 
For example, the starting edition of Windows was Windows Home.
-Figure 10: Windows 10 Pro, version 1703 edition not activated in Settings.
+ In these cases, a Windows Pro key might need to be manually entered.
-It displays the following error: "We can't activate Windows on this device right now. You can try activating again later or go to the Store to buy genuine Windows. Error code: 0xC004F034."
+- **Windows Enterprise subscription isn't active**
-#### Device that's activated without an Enterprise subscription
+ When a device with a Windows Enterprise subscription has lapsed or has been removed, the following message is displayed for **Subscription** in the [Activation](ms-settings:activation) pane:
-Figure 11 illustrates a device on which the Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
+ `Windows Enterprise subscription isn't valid.`
-:::image type="content" source="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's activated but the subscription isn't active.":::
+ ::: zone pivot="windows-11"
-Figure 11: Windows 10 Enterprise subscription lapsed or removed in Settings.
+ > [!NOTE]
+ >
+ > If the Windows Enterprise subscription has never been applied, the **Subscription** pane isn't displayed.
-It displays the following error: "Windows 10 Enterprise subscription isn't valid."
+ ::: zone-end
-#### Device that's not activated and without an Enterprise subscription
+ ::: zone pivot="windows-10"
-Figure 12 illustrates a device on which the Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed.
+ > [!NOTE]
+ >
+ > If the Windows Enterprise subscription has never been applied, the **Subscription** field isn't displayed.
-:::image type="content" source="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt-text="A screenshot of Windows 10 Enterprise activation in Settings that's not activated and the subscription isn't active."::: - -Figure 12: Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings. - -It displays both of the previously mentioned error messages. + ::: zone-end ### Review requirements on devices -Devices must be running a supported version of Windows 10 Pro or Windows 11 Pro. Earlier versions of Windows 10, such as version 1703, don't support this feature. +When there are Windows Enterprise E3 or E5 license activation issues on a device, verify that it meets all of the requirements: -Devices must also be joined to Microsoft Entra ID, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible. +- Devices must be running a currently supported version of Windows Pro. Versions of Windows Pro that are out support don't support this feature. -Use the following procedures to review whether a particular device meets these requirements. +- Devices must be joined to Microsoft Entra ID, or hybrid domain joined with Microsoft Entra Connect. Customers who are federated with Microsoft Entra ID are also eligible. -#### Firmware-embedded activation key +- For automatic activation of Windows Pro, the device must have a firmware-embedded activation key. -To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt: +Use the following guides to verify each one of these requirements: -```powershell -(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey -``` +- **Determine if the version of Windows is currently supported**. -If the device has a firmware-embedded activation key, it will be displayed in the output. 
If the output is blank, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. + To determine if the version of Windows is currently supported: - + 1. Open a command prompt -#### Determine if a device is Microsoft Entra joined + 1. In the command prompt window, enter: -1. Open a command prompt and enter `dsregcmd /status`. + ```cmd + winver.exe + ``` -1. Review the output in the **Device State** section. If the **AzureAdJoined** value is **YES**, the device is joined to Microsoft Entra ID. + 1. The **About Windows** window opens and displays both the OS version and the build information of Windows. -#### Determine the version of Windows + 1. Compare the information from the **About Windows** window against the Windows support lifecycle: -1. Open a command prompt and enter `winver`. + - [Windows 11 release information](/windows/release-health/windows11-release-information). + - [Windows 10 release information](/windows/release-health/release-information). -1. The **About Windows** window displays the OS version and build information. +- **Determine if a device is Microsoft Entra joined**. -1. Compare this information again the Windows support lifecycle: + To determine if a device is Microsoft Entra joined: - - [Windows 10 release information](/windows/release-health/release-information) - - [Windows 11 release information](/windows/release-health/windows11-release-information) + 1. Open a command prompt. -> [!NOTE] -> If a device is running a version of Windows 10 Pro prior to version 1703, it won't upgrade to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. + 1. In the command prompt window, enter: -### Delay in the activation of Enterprise license of Windows 10 + ```cmd + dsregcmd.exe /status + ``` -This delay is by design. 
Windows 10 and Windows 11 include a built-in cache that's used when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires. + 1. Review the output. Under the first section called **Device State**, verify that the value of **AzureAdJoined** is **YES**. If the value is **YES**, the device is joined to Microsoft Entra ID. + + ```console + +----------------------------------------------------------------------+ + | Device State | + +----------------------------------------------------------------------+ + + AzureAdJoined : YES + EnterpriseJoined : NO + DomainJoined : NO + Virtual Desktop : NOT SET + Device Name : Demo-PC + ``` + +- **Determine if devices has a firmware-embedded activation key**. + + To determine if the device has a firmware-embedded activation key: + + 1. Open an elevated Windows PowerShell command prompt. + + 1. In the elevated Windows PowerShell command prompt, enter: + + ```powershell + (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey + ``` + + 1. If the device has a firmware-embedded activation key, the key is displayed in the output. If the output is blank, the device doesn't have a firmware embedded activation key. Most modern OEM-provided devices designed to run currently supported versions of Windows have a firmware-embedded key. + +- **Make sure the Microsoft Entra user has been assigned a license**. + + For more information, see [Assigning licenses to users](#assigning-licenses-to-users). ## Known issues -If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. To work around this issue: +- If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. 
Make sure that Windows Update isn't blocked on the device: -- Make sure that the device doesn't have the following registry value: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations = 1 (REG_DWORD)`. If this registry value exists, it must be set to `0`. + - Using `gpedit.msc` or group policy editor in the domain, make sure that the following group policy setting is set to **Disabled** or **Not Configured**: -- Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Don't connect to any Windows Update Internet locations. + ::: zone pivot="windows-11" + + **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage updates offered from Windows Server Update Service** > **Do not connect to any Windows Update Internet locations** + + ::: zone-end + + ::: zone pivot="windows-10" + + **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** + + ::: zone-end + + If this policy is set to **Enabled**, it must be changed to **Disabled** or **Not Configured**. + + - In the following registry key: + + `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` + + check if the value `DoNotConnectToWindowsUpdateInternetLocations` exists. If the value does exist, verify that it has a REG_DWORD value of `0`. If the value is instead set to `1`, it must be changed to `0`. The value can be changed by running the following command from an elevated command prompt: + + ```cmd + reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v DoNotConnectToWindowsUpdateInternetLocations /t REG_DWORD /d 1 /f + ``` + + > [!NOTE] + > + > Make sure to first check the group policy of **Do not connect to any Windows Update Internet locations**. 
If the policy is **Enabled**, then this registry key will eventually be reset back to `1` even after it's manually set to `0` via `reg.exe`. Setting the policy of **Do not connect to any Windows Update Internet locations** to **Disabled** or **Not Configured** will make sure the registry value remains as `0`. + +- Delay in the activation of Enterprise license of Windows. + + There might be a delay in the activation of the Enterprise license in Windows. This delay is by design. Windows uses a built-in cache when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires. ## Virtual Desktop Access (VDA) -Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant hoster. +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant host. Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md). + +## Related articles + +- [MDM enrollment of Windows devices](/windows/client-management/mdm-enrollment-of-windows-devices). diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index 08eca15252..c2a4d9ce76 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md 
@@ -1,75 +1,55 @@
 ---
-title: Deploy Windows 10 with Microsoft 365
+title: Deploy Windows with Microsoft 365
 manager: aaroncz
 ms.author: frankroj
-description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
+description: Learn about deploying Windows with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
 ms.service: windows-client
 ms.localizationpriority: medium
 author: frankroj
 ms.topic: article
-ms.date: 11/23/2022
+ms.date: 02/13/2024
 ms.subservice: itpro-deploy
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
 ---
-# Deploy Windows 10 with Microsoft 365
-
-*Applies to:*
-
-- Windows 10
+# Deploy Windows with Microsoft 365
 This article provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
-[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://www.microsoft.com/microsoft-365/office-365), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) for an overview.
+[Microsoft 365](https://www.microsoft.com/microsoft-365) is an offering from Microsoft that combines [Windows](https://www.microsoft.com/windows/features) with [Office 365](https://www.microsoft.com/microsoft-365/office-365), and [Enterprise Mobility and Security](https://www.microsoft.com/security/business) (EMS). See the [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) for an overview.
-For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including:
+For Windows deployment, Microsoft 365 includes a deployment advisor that walks through the entire process of deploying Windows. The wizard supports multiple Windows deployment methods, including:
-- Windows Autopilot
-- In-place upgrade
-- Deploying Windows 10 upgrade with Intune
-- Deploying Windows 10 upgrade with Microsoft Configuration Manager
-- Deploying a computer refresh with Microsoft Configuration Manager
+- Windows Autopilot.
+- In-place upgrade.
+- Deploying Windows upgrade with Intune.
+- Deploying Windows upgrade with Microsoft Configuration Manager.
+- Deploying a computer refresh with Microsoft Configuration Manager.
 ## Free trial account
-### If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center
+If an existing Microsoft services subscription account exists, and there's access to the Microsoft 365 Admin Center:
-From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
-In the Enterprise Suites section of the service offerings, you'll find Microsoft 365 E3 and Microsoft 365 E5 tiles.
-There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
+1. Sign into the [Microsoft 365 Admin Center](https://admin.microsoft.com/).
+1. Go to **Billing** and then **Purchase services**.
+1. In the Enterprise Suites section of the service offerings, find the Microsoft 365 E3 and Microsoft 365 E5 tiles.
+1. Select one of the available **Start Free Trial** options.
-### If you do not already have a Microsoft services subscription
+If there isn't an existing Microsoft services subscription, Microsoft 365 deployment advisor and other resources can be tried for free! Just follow these steps:
-You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
+1. [Obtain a free Microsoft 365 trial](https://www.microsoft.com/microsoft-365/try).
+1. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide).
 > [!NOTE]
-> If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
-
-1. [Obtain a free Microsoft 365 trial](/microsoft-365/commerce/try-or-buy-microsoft-365).
-2. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide).
-3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview).
-
-Examples of these two deployment advisors are shown below.
-
-- [Deploy Windows 10 with Microsoft 365](#deploy-windows-10-with-microsoft-365)
- - [Free trial account](#free-trial-account)
- - [If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center](#if-you-already-have-a-microsoft-services-subscription-account-and-access-to-the-microsoft-365-admin-center)
- - [If you do not already have a Microsoft services subscription](#if-you-do-not-already-have-a-microsoft-services-subscription)
- - [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
- - [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
- - [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster)
- - [Related articles](#related-articles)
-
-## Microsoft 365 deployment advisor example
-
-![Microsoft 365 deployment advisor.](images/m365da.png)
-
-## Windows Analytics deployment advisor example
+>
+> When setup guide runs for the first time, the **Prepare your environment** guide appears. This guide makes sure the basics are covered like domain verification and a method for adding users. At the end of the **Prepare your environment** guide, there's a **Ready to continue** button that goes back to the original guide that was selected.
 ## Microsoft 365 Enterprise poster
-[![Microsoft 365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter)
+Select [Microsoft 365 Enterprise poster](https://aka.ms/m365eposter) to see the latest version of the Microsoft 365 Enterprise poster.
 ## Related articles
-[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-[Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home)
+- [Windows deployment scenarios](windows-deployment-scenarios.md).
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
index f74e065856..bddc7bf6cb 100644
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
@@ -154,5 +154,5 @@ On **PC0004**:
 ## Related articles
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-[Configuration Manager Team blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/bg-p/ConfigurationManagerBlog)
+- [Windows 10 deployment scenarios](../windows-deployment-scenarios.md).
+- [Configuration Manager Team blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/bg-p/ConfigurationManagerBlog).
diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md
index daa2eca850..b300268967 100644
--- a/windows/deployment/do/delivery-optimization-proxy.md
+++ b/windows/deployment/do/delivery-optimization-proxy.md
@@ -10,7 +10,7 @@ manager: aaroncz
 ms.reviewer: mstewart
 ms.collection: tier3
 ms.localizationpriority: medium
-appliesto:
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
 - ✅ Delivery Optimization
@@ -21,11 +21,11 @@ ms.date: 06/02/2023
 When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
-Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.
+Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.
 For downloads that use Delivery Optimization to successfully use the proxy, you should set the proxy via Windows **Proxy Settings** or the Internet Explorer proxy settings.
-Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required.
+Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the "NetworkService" context if proxy authentication is required.
 > [!NOTE]
 > We don't recommend that you use `netsh winhttp set proxy ProxyServerName:PortNumber`. Using this offers no auto-detection of the proxy, no support for an explicit PAC URL, and no authentication to the proxy. This setting is ignored by WinHTTP for requests that use auto-discovery (if an interactive user token is used).
diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md
index 51daba73a3..313d8afd21 100644
--- a/windows/deployment/do/delivery-optimization-test.md
+++ b/windows/deployment/do/delivery-optimization-test.md
@@ -10,9 +10,9 @@ ms.reviewer: mstewart
 manager: aaroncz
 ms.collection: tier3
 ms.localizationpriority: medium
-appliesto:
+appliesto:
 - ✅ Windows 11
-- ✅ Windows 10
+- ✅ Windows 10
 - ✅ Delivery Optimization
 ms.date: 11/08/2022
 ---
@@ -21,42 +21,48 @@ ms.date: 11/08/2022
 ## Overview
-Delivery Optimization is a powerful and useful tool to help enterprises manage bandwidth usage for downloading Microsoft content. It's a solution designed to be used in large-scale environments with large numbers of devices, various content sizes, etc. Delivery Optimization is native to Win10+ and provides default configuration to get the most out of the typical customer environment. It's used to deliver many different types of content, so Microsoft customers enjoy the best possible download experience for their environment. There are three components to Delivery Optimization, 1) HTTP downloader, 2) Peer-to-peer (P2P) cloud technology, and 3) Microsoft Connected Cache. One of the most powerful advantages of using Delivery Optimization is the ability to fine-tune settings that empower users to dial in Microsoft content delivery to meet the needs of specific environments.
+Delivery Optimization is a powerful and useful tool to help enterprises manage bandwidth usage for downloading Microsoft content. It's a solution designed to be used in large-scale environments with large numbers of devices, various content sizes, etc. Delivery Optimization is native to currently supported versions of Windows and provides default configuration to get the most out of the typical customer environment. Delivery Optimization is used to deliver many different types of content, so Microsoft customers enjoy the best possible download experience for their environment. There are three components to Delivery Optimization:
+
+1. HTTP downloader.
+1. Peer-to-peer (P2P) cloud technology.
+1. Microsoft Connected Cache.
+
+One of the most powerful advantages of using Delivery Optimization is the ability to fine-tune settings that empower users to dial in Microsoft content delivery to meet the needs of specific environments.
 ## Monitoring The Results
-Since Delivery Optimization is on by default, you'll be able to monitor the value either through the Windows Settings for ‘Delivery Optimization’, using Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md), and/or via the [Windows Update for Business Report.](../update/wufb-reports-workbook.md) experience in Azure.
+Since Delivery Optimization is on by default, you're able to monitor the value either through the Windows Settings for 'Delivery Optimization' using Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md), and/or via the [Windows Update for Business Report](../update/wufb-reports-workbook.md) experience in Azure.
-In the case where Delivery Optimization isn't working in your environment, it's important to investigate to get to the root of the problem. We recommend a test environment be created to easily evaluate typical devices to ensure Delivery Optimization is working properly. For starters, ‘Scenario 1: Basic Setup’ should be created to test the use of Delivery Optimization between two machines. This scenario is designed to eliminate any noise in the environment to ensure there's nothing preventing Delivery Optimization from working on the devices. Once you have a baseline, you can expand the test environment for more sophisticated tests.
+In the case where Delivery Optimization isn't working in your environment, it's important to investigate to get to the root of the problem. We recommend a test environment be created to easily evaluate typical devices to ensure Delivery Optimization is working properly. For starters, 'Scenario 1: Basic Setup' should be created to test the use of Delivery Optimization between two machines. This scenario is designed to eliminate any noise in the environment to ensure there's nothing preventing Delivery Optimization from working on the devices. Once you have a baseline, you can expand the test environment for more sophisticated tests.
 ## Expectations and Goals
-The focus of the testing scenarios in this article is primarily centered on demonstrating the Delivery Optimization policies centered around the successful downloading of bytes using P2P. More specifically, the goal will be to show peer to peer is working as expected, using the following criteria:
+The focus of the testing scenarios in this article is primarily centered on demonstrating the Delivery Optimization policies centered around the successful downloading of bytes using P2P. More specifically, the goal is to show peer to peer is working as expected, using the following criteria:
-* Peers can find each other (for example on the same LAN / subnet / Group – matching your 'Download Mode' policy).
+* Peers can find each other (for example on the same LAN / subnet / Group - matching your 'Download Mode' policy).
 * Files are downloading in the expected 'Download Mode' policy setting (validates connectivity to DO cloud, HTTP, and local configs).
 * At least some downloads happening via P2P (validates connectivity between peers).
 Several elements that influence overall peering, using Delivery Optimization. The most common, impactful environment factors should be considered.
-* **The number of files in the cache and** **the** **number of devices have a big effect on overall peering.** There's a set number of files available for peering at a time, from each client, so the peering device may not be serving a particular file.
+* **The number of files in the cache and** **the** **number of devices have a big effect on overall peering.** There's a set number of files available for peering at a time, from each client, so the peering device might not be serving a particular file.
 * **File size** **and** **internet connection** **reliability matter.** There's a Delivery Optimization setting to determine the minimum file size to use P2P. In addition, an internet connection must be open and reliable enough to let the Delivery Optimization client make cloud service API calls and download metadata files before starting a file download.
 * **Delivery Optimization Policies can play a role.** In general, it's important to familiarize yourself with the Delivery Optimization settings and defaults [Delivery Optimization reference - Windows Deployment | Microsoft Docs.](waas-delivery-optimization-reference.md).
 ### Delivery Optimization is a Hybrid P2P Platform
-* Delivery Optimization’s hybrid approach to downloading from multiple sources (HTTP and peer) in parallel is especially critical for large-scale environments, constantly assessing the optimal source from which to deliver the content. In conjunction, the distribution of content cache, across participating devices, contributes to Delivery Optimization’s ability to find bandwidth savings as more peers become available.
+* Delivery Optimization's hybrid approach to downloading from multiple sources (HTTP and peer) in parallel is especially critical for large-scale environments, constantly assessing the optimal source from which to deliver the content. In conjunction, the distribution of content cache, across participating devices, contributes to Delivery Optimization's ability to find bandwidth savings as more peers become available.
-* At the point a download is initiated, the DO client starts downloading from the HTTP source and discovering peers simultaneously. With a smaller file, most of the bytes could be downloaded from an HTTP source before connecting to a peer, even though peers are available. With a larger file and quality LAN peers, it might reduce the HTTP request rate to near zero, but only after making those initial requests from HTTP.
+* At the point a download is initiated, the Delivery Optimization client starts downloading from the HTTP source and discovering peers simultaneously. With a smaller file, most of the bytes could be downloaded from an HTTP source before connecting to a peer, even though peers are available. With a larger file and quality LAN peers, it might reduce the HTTP request rate to near zero, but only after making those initial requests from HTTP.
-* In the next section, you'll see how the two testing scenarios produce differing results in the number of bytes coming from HTTP vs. peers, which shows Delivery Optimization continuously evaluating the optimal location from which to download the content.
+* In the next section, you'll see how the two testing scenarios produce differing results in the number of bytes coming from HTTP vs. peers. These scenarios show Delivery Optimization continuously evaluating the optimal location from which to download the content.
 ## Test Scenarios
 ### Scenario 1: Basic Setup
 **Goal:**
-Demonstrate how Delivery Optimization peer-to-peer technology works using two machines in a controlled test environment
+Demonstrate how Delivery Optimization peer-to-peer technology works using two machines in a controlled test environment.
 **Expected Results:**
 Machine 1 will download zero bytes from peers and Machine 2 will download 50-99% from peers.
@@ -72,9 +78,9 @@ Machine 1 will download zero bytes from peers and Machine 2 will download 50-99%
 |Disk size | 127 GB |
 |Network | Connected to same network, one that is representative of the corporate network. |
 |Pause Windows Updates | This controls the test environment so no other content is made available during the test, and potentially altering the outcome of the test. If there are problems and no peering happens, use 'Get-DeliveryOptimizationStatus' on the first machine to return a real-time list of the connected peers. |
-|Ensure all Store apps are up to date | This will help prevent any new, unexpected updates to download during testing. |
+|Ensure all Store apps are up to date | This helps prevent any new, unexpected updates to download during testing. |
 |Delivery Optimization 'Download Mode' Policy | 2 (Group)(set on each machine) |
-|Delivery Optimization 'GroupID' Policy | Set the *same* 'GUID' on each test machine. A GUID is a required value, which can be generated using PowerShell, ‘[[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)’. |
+|Delivery Optimization 'GroupID' Policy | Set the *same* 'GUID' on each test machine. A GUID is a required value, which can be generated using PowerShell, '[[guid]::NewGuid().](https://devblogs.microsoft.com/scripting/powertip-create-a-new-guid-by-using-powershell/)'. |
 |**Required on Windows 11 devices only** set Delivery Optimization 'Restrict Peer Selection' policy | 0-NAT (set on each machine). The default behavior in Windows 11 is set to '2-Local Peer Discovery'. For testing purposes, this needs to be scoped to the NAT. |
 #### Test Instructions
@@ -126,7 +132,7 @@ Machine 1 will download zero bytes from peers and Machine 2 will find peers and
 |Disk size | 127 GB |
 |Network | Connected to same network, one that is representative of the corporate network. |
 |Delivery Optimization 'Download Mode' Policy| 2 (Group)(set on each machine) |
-|Delivery Optimization 'Group ID' Policy| Set the *same* 'GUID' on each test machine. A GUID is required value, which can be generated using PowerShell, '[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)'. |
+|Delivery Optimization 'Group ID' Policy| Set the *same* 'GUID' on each test machine. A GUID is required value, which can be generated using PowerShell, '[guid]::NewGuid().](https://devblogs.microsoft.com/scripting/powertip-create-a-new-guid-by-using-powershell/)'. |
 |Delivery Optimization 'Delay background download from http' Policy | 60 (set on each machine) |
 |Delivery Optimization 'Delay foreground download from http Policy |60 (set on each machine) |
@@ -134,13 +140,13 @@ Machine 1 will download zero bytes from peers and Machine 2 will find peers and
 The following set of instructions will be used for each machine:
-1. Clear the DO cache: ‘Delete-DeliveryOptimizationCache’.
+1. Clear the DO cache: 'Delete-DeliveryOptimizationCache'.
 2. Open MS Store and search for 'Asphalt Legends 9'. Select *Get* to initiate the download of the content (content size: ~3.4 GB).
 3. Open PowerShell console as Administrator. Run 'Get-DeliveryOptimizationStatus'.
 **On machine #1:**
-* Run ‘Test Instructions’
+* Run 'Test Instructions'
 **Output: Windows 10 (21H2)**
@@ -149,14 +155,14 @@ The following set of instructions will be used for each machine:
 **Observations**
 * The first download in the group of devices shows all bytes coming from HTTP, 'BytesFromHttp'.
-* Download is in the ‘Foreground’ because the Store app is doing the download and in the foreground on the device because it is initiated by the user in the Store app.
+* Download is in the 'Foreground' because the Store app is doing the download and in the foreground on the device because it's initiated by the user in the Store app.
 * No peers are found. *Wait 5 minutes*.
 **On machine #2:**
-* Run ‘Test Instructions’
+* Run 'Test Instructions'
 **Output** Windows 10 (21H2)
@@ -171,7 +177,7 @@ The following set of instructions will be used for each machine:
 **On machine #3:**
-* Run ‘Test Instructions’
+* Run 'Test Instructions'
 **Output:** Windows 10 (21H2)
@@ -185,8 +191,8 @@ The following set of instructions will be used for each machine:
 ## Peer sourcing observations for all machines in the test group
-The distributed nature of the Delivery Optimization technology is obvious when you rerun the ‘Get-DeliveryOptimizationStatus’ cmdlet on each of the test machines. For each, there's a new value populated for the ‘BytesToLanPeers’ field. This demonstrates that as more peers become available, the requests to download bytes are distributed across the peering group and act as the source for the peering content. Each peer plays a role in servicing the other.
-
+The distributed nature of the Delivery Optimization technology is obvious when you rerun the 'Get-DeliveryOptimizationStatus' cmdlet on each of the test machines. For each, there's a new value populated for the 'BytesToLanPeers' field. This test demonstrates that as more peers become available, the requests to download bytes are distributed across the peering group and act as the source for the peering content. Each peer plays a role in servicing the other.
+
 **Output:**
 Machine 1 'BytesToPeers' sourced from Machine 1 are '5704426044'. This represents the total number of bytes downloaded by the two peers in the group.
@@ -207,8 +213,8 @@ The distributed nature of the Delivery Optimization technology is obvious when y ## Conclusion -Using Delivery Optimization can help make a big impact in customer environments to optimize bandwidth. The peer-to-peer technology offers many configurations designed to be flexible for any organization. Delivery Optimization uses a distributed cache across different sources to ensure the most optimal download experience, while limiting the resources used on each device. +Using Delivery Optimization can help make a significant impact in customer environments to optimize bandwidth. The peer-to-peer technology offers many configurations designed to be flexible for any organization. Delivery Optimization uses a distributed cache across different sources to ensure the most optimal download experience, while limiting the resources used on each device. The testing scenarios found in this document help to show a controlled test environment, helping to prevent updates from interrupting the peering results. The other, a more real-world case, demonstrates how content available across peers will be used as the source of the content. -If there are issues found while testing, the Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md) can be a helpful tool to help explain what is happening in the environment. +If there are issues found while testing, the Delivery Optimization PowerShell [cmdlets](waas-delivery-optimization-setup.md) can be a helpful tool to help explain what is happening in the environment. diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 7f80c2e084..73a6691166 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -15,19 +15,66 @@ metadata: appliesto: - ✅ Windows 11 - ✅ Windows 10 + - ✅ Windows Server 2019, and later - ✅ Delivery Optimization - ms.date: 07/31/2023 -title: Delivery Optimization Frequently Asked Questions + ms.date: 02/16/2024 +title: Frequently Asked Questions about Delivery Optimization summary: | - Frequently Asked Questions for Delivery Optimization - + This article answers frequently asked questions about Delivery Optimization. -sections: - - name: Ignored + **General questions**: + + - [What Delivery Optimization settings are available?](#what-delivery-optimization-settings-are-available) + - [Does Delivery Optimization work with WSUS?](#does-delivery-optimization-work-with-wsus) + - [How are downloads initiated by Delivery Optimization?](#how-are-downloads-initiated-by-delivery-optimization) + - [Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?](#delivery-optimization-is-downloading-windows-content-on-my-devices-directly-from-an-ip-address--is-it-expected) + - [How do I turn off Delivery Optimization?](#how-do-i-turn-off-delivery-optimization) + + **Network related configuration questions**: + + - [Which ports does Delivery Optimization use?](#which-ports-does-delivery-optimization-use) + - [What are the requirements if I use a proxy?](#what-are-the-requirements-if-i-use-a-proxy) + - [What hostnames should I allow through my firewall to support Delivery Optimization?](#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) + - [My firewall requires IP addresses and can't process FQDNs. 
How do I configure it to download content with Delivery Optimization?How do I configure it to download content with Delivery Optimization?](#my-firewall-requires-ip-addresses-and-can-t-process-fqdns--how-do-i-configure-it-to-download-content-with-delivery-optimization) + - [What is the recommended configuration for Delivery Optimization used with cloud proxies?](#what-is-the-recommended-configuration-for-delivery-optimization-used-with-cloud-proxies) + + **Peer-to-Peer related questions**: + + - [How does Delivery Optimization determine which content is available for peering?](#how-does-delivery-optimization-determine-which-content-is-available-for-peering) + - [Does Delivery Optimization use multicast?](#does-delivery-optimization-use-multicast) + - [How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?](#how-does-delivery-optimization-deal-with-congestion-on-the-router-from-peer-to-peer-activity-on-the-lan) + - [How does Delivery Optimization handle VPNs?](#how-does-delivery-optimization-handle-vpns) + - [How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?](#how-does-delivery-optimization-handle-networks-where-a-public-ip-address-is-used-in-place-of-a-private-ip-address) + + **Device resources questions**: + - [Delivery Optimization is using device resources and I can't tell why?](#delivery-optimization-is-using-device-resources-and-i-can-t-tell-why) + +sections: + - name: General questions questions: + - question: What Delivery Optimization settings are available? + answer: | + There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with controls on bandwidth, time of day, etc. - question: Does Delivery Optimization work with WSUS? - answer: Yes. 
Devices obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - + answer: | + Yes. Devices obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. + - question: How are downloads initiated by Delivery Optimization? + answer: | + Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). + - question: Delivery Optimization is downloading Windows content on my devices directly from an IP address, is it expected? + answer: | + When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your internet service provider, the download will be pulled directly from the IP address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available. + - question: How do I turn off Delivery Optimization? + answer: | + Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage. + If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. 
[Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access. + Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated. + + > [!NOTE] + > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization. + + - name: Network related configuration questions + questions: - question: Which ports does Delivery Optimization use? answer: | Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service registers and opens this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). 
@@ -35,10 +82,9 @@ sections: Delivery Optimization uses Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - - question: What are the requirements if I use a proxy? - answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). - + answer: | + For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). - question: What hostnames should I allow through my firewall to support Delivery Optimization? answer: | **For communication between clients and the Delivery Optimization cloud service**: 
@@ -58,29 +104,37 @@ sections: - `win1910.ipv6.microsoft.com` For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. - - question: My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization? answer: | Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) (MCC) servers, which are hosted within Internet Service Provider (ISP) networks. - The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible. - - - question: Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected? - answer: | - When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your Internet Service Provider, the download will be pulled directly from the IP Address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available. + The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible. + - question: What is the recommended configuration for Delivery Optimization used with cloud proxies? 
+ answer: | + The recommended configuration for Delivery Optimization peer-to-peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy. + At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct internet access and bypass the cloud proxy service: - - question: Does Delivery Optimization use multicast? - answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. + - `*.prod.do.dsp.mp.microsoft.com` + + If allowing direct internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. + - name: Peer-to-Peer related questions + questions: + - question: How does Delivery Optimization determine which content is available for peering? + answer: | + Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots. + - question: Does Delivery Optimization use multicast? + answer: | + No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? - answer: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. 
For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - + answer: | + Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - question: How does Delivery Optimization handle VPNs? answer: | Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." - If the connection is identified as a VPN, Delivery Optimization suspends uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + If the connection is identified as a VPN, Delivery Optimization suspends uploads to other peers. However, you can allow uploads over a VPN by using the [Enable peer caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there's no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN. 
+ If you have defined a boundary group in Microsoft Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there's no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN. With split tunneling, make sure to allow direct access to these endpoints: @@ -101,7 +155,6 @@ sections: - `https://tsfe.trafficshaping.dsp.mp.microsoft.com` For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). - - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? answer: | Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. 
@@ -109,36 +162,8 @@ sections: > [!NOTE] > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. - - question: How are downloads initiated by Delivery Optimization? - answer: | - Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). - - - question: How does Delivery Optimization determine which content is available for peering? - answer: | - Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots. - - - question: What is the recommended configuration for Delivery Optimization used with cloud proxies (for example, Zscaler)? - answer: | - The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy. - At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service: - - - `*.prod.do.dsp.mp.microsoft.com` - - If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. 
[Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. - - - question: How do I turn off Delivery Optimization? - answer: | - Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage. - If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access. - Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated. - - > [!NOTE] - > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization. - + - name: Device resources questions + questions: - question: Delivery Optimization is using device resources and I can't tell why? answer: | Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). 
Often customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download. - - - question: What Delivery Optimization settings are available? - answer: | - There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc. diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index 20bea68778..6cfadc06b1 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -10,11 +10,11 @@ manager: aaroncz ms.reviewer: mstewart ms.collection: tier3 ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 -- ✅ Windows 10 +- ✅ Windows 10 - ✅ Delivery Optimization -ms.date: 07/31/2023 +ms.date: 02/14/2024 --- # Delivery Optimization reference 
@@ -59,8 +59,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz | [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. | | [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. | | [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.| -| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. | | [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.| +| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. 
For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. | | [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | No value is set as default. | | [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | No value is set as default. | | [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. | 
@@ -144,7 +144,7 @@ MDM Setting: **DOGroupID** By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but don't fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. >[!NOTE] ->To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) +>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://devblogs.microsoft.com/scripting/powertip-create-a-new-guid-by-using-powershell/) > >This configuration is optional and not required for most implementations of Delivery Optimization. 
@@ -161,9 +161,9 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 4 = DNS Suffix - 5 = Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. -When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. +When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. -### Minimum RAM (inclusive) allowed to use Peer Caching +### Minimum RAM (inclusive) allowed to use Peer Caching MDM Setting: **DOMinRAMAllowedToPeer** 
@@ -207,7 +207,7 @@ This setting specifies the minimum content file size in MB enabled to use Peer C MDM Setting: **DOMaxDownloadBandwidth** Deprecated in Windows 10, version 2004. -This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization dynamically adjusts and optimize the maximum bandwidth used. +This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization dynamically adjusts and optimizes the maximum bandwidth used. ### Maximum Foreground Download Bandwidth 
@@ -313,7 +313,7 @@ This setting determines whether a device will be allowed to participate in Peer MDM Setting: **DOVpnKeywords** -This policy allows you to set one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: “VPN”, “Secure”, and “Virtual Private Network” (ex: “MSFTVPN” matches the “VPN” keyword). As the number of VPNs grow it’s difficult to support an ever-changing list of VPN names. To address this, we’ve introduced this new setting to set unique VPN names to meet the needs of individual environments. +This policy allows you to set one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: "VPN", "Secure", and "Virtual Private Network" (ex: "MSFTVPN" matches the "VPN" keyword). As the number of VPNs grow it's difficult to support an ever-changing list of VPN names. To address this, we've introduced this new setting to set unique VPN names to meet the needs of individual environments. ### Disallow cache server downloads on VPN 
@@ -335,7 +335,7 @@ The device can download from peers while on battery regardless of this policy.
 MDM Setting: **DOCacheHost**
-Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, the Microsoft Connected Cache server priority order is determined based on the order as they are listed. If the first server fails, it will move the next one. When the last server fails, it will fallback to the CDN.
+Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, fallback to the CDN occurs immediately after the first failure in downloading from a cache server, unless the [DelayCacheServerFallbackBackground](#delay-background-download-cache-server-fallback-in-secs) or [DelayCacheServerFallbackForeground](#delay-foreground-download-cache-server-fallback-in-secs) policies are set. When these delay policies are set, the fallback occurs only after the configured delay time and the client continues to attempt connecting to the cache servers in round robin order before the delay time expires.
 >[!IMPORTANT]
 > Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 9291818694..3435fc58f4 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -8,11 +8,11 @@ author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
 manager: aaroncz
-ms.collection:
+ms.collection:
 - tier3
 - essentials-get-started
 ms.localizationpriority: medium
-appliesto:
+appliesto:
 - ✅ Windows 11
 - ✅ Windows 10
 - ✅ Delivery Optimization
@@ -119,9 +119,9 @@ This section summarizes common problems and some solutions to try.
 If you don't see any bytes coming from peers the cause might be one of the following issues:
-- Clients aren’t able to reach the Delivery Optimization cloud services.
-- The cloud service doesn’t see other peers on the network.
-- Clients aren’t able to connect to peers that are offered back from the cloud service.
+- Clients aren't able to reach the Delivery Optimization cloud services.
+- The cloud service doesn't see other peers on the network.
+- Clients aren't able to connect to peers that are offered back from the cloud service.
 - None of the computers on the network are getting updates from peers.
 ### Clients aren't able to reach the Delivery Optimization cloud services
@@ -136,10 +136,10 @@ Try these steps:
 Try these steps:
-1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads.
+1. Download the same app on two different devices on the same network, waiting 10 - 15 minutes between downloads.
 2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices.
 3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be nonzero.
-4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**.
+4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for "what is my IP"). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**.
 > [!NOTE]
 > Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer.
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index fa8fea1e46..9a1dbf00d0 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -38,10 +38,11 @@
 "ms.collection": [
 "tier2"
 ],
+"zone_pivot_group_filename": "resources/zone-pivot-groups.json",
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-Windows",
 "feedback_system": "Standard",
-"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "MSDN.win-development",
@@ -50,23 +51,26 @@
 },
 "titleSuffix": "Windows Deployment",
 "contributors_to_exclude": [
-"rjagiewich",
-"traya1",
-"rmca14",
-"claydetels19",
+"rjagiewich",
+"traya1",
+"rmca14",
+"claydetels19",
 "jborsecnik",
 "tiburd",
 "garycentric",
 "beccarobins",
 "Stacyrch140",
 "v-stsavell",
-"American-Dipper"
+"American-Dipper",
+"shdyas"
 ],
-"searchScope": ["Windows 10"]
+"searchScope": [
+"Windows 10"
+]
 },
 "fileMetadata": {},
 "template": [],
 "dest": "win-development",
 "markdownEngineName": "markdig"
 }
-}
+}
\ No newline at end of file
diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
index e9bc0caf59..e37a77e25a 100644
--- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
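Review bot: The second docfx.json hunk ends with `\ No newline at end of file` on the new side, so this rewrite drops the trailing newline that the previous revision of the file had; the closing `+}` should be followed by a newline so the file ends like the other files in this commit and the next edit to it does not show a spurious last-line change. The same hunk mixes a functional change (the new `zone_pivot_group_filename` key and the added `shdyas` entry in `contributors_to_exclude`) with pure re-indentation of four existing contributor entries and of `searchScope`, which makes the real change harder to see in review; splitting the whitespace cleanup from the content change would keep the history readable. If the re-indentation is intentional, a note in the commit description saying so would be enough.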
+++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
@@ -1,6 +1,6 @@
 ---
 title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista
-description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10.
+description: Find released compatibility fixes for all Windows operating systems from Windows Vista through Windows 10.
 manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
@@ -14,12 +14,12 @@ ms.subservice: itpro-deploy
 **Applies to**
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
 You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.
@@ -28,131 +28,128 @@ You can fix some compatibility issues that are due to the changes made between W
 If you start the Compatibility Administrator as an Administrator (with elevated privileges), all repaired applications can run successfully; however, virtualization and redirection might not occur as expected. To verify that a compatibility fix addresses an issue, you must test the repaired application by running it under the destination user account.
-
-
 ## Compatibility Fixes
-
-The following table lists the known compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. The fixes are listed in alphabetical order.
+The following table lists the known released compatibility fixes for all Windows operating systems from Windows Vista through Windows 10. The fixes are listed in alphabetical order.
 |Fix|Fix Description|
 |--- |--- |
-|8And16BitAggregateBlts|Applications that are mitigated by 8/16-bit mitigation can exhibit performance issues. This layer aggregates all the blt operations and improves performance.|
-|8And16BitDXMaxWinMode|Applications that use DX8/9 and are mitigated by the 8/16-bit mitigation are run in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.|
+|8And16BitAggregateBlts|8/16-bit mitigation can cause performance issues in applications. This layer aggregates all the blt operations and improves performance.|
+|8And16BitDXMaxWinMode|The 8/16-bit mitigation runs applications that use DX8/9 in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.|
 |8And16BitGDIRedraw|This fix repairs applications that use GDI and that work in 8-bit color mode.
The application is forced to repaint its window on RealizePalette.| |AccelGdipFlush|This fix increases the speed of GdipFlush, which has perf issues in DWM.| |AoaMp4Converter|This fix resolves a display issue for the AoA Mp4 Converter.| -|BIOSRead|This problem is indicated when an application cannot access the **Device\PhysicalMemory** object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the **\Device\Physical** memory information..| +|BIOSRead|This problem is indicated when an application can't access the **Device\PhysicalMemory** object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the **\Device\Physical** memory information.| |BlockRunasInteractiveUser|This problem occurs when **InstallShield** creates installers and uninstallers that fail to complete and that generate error messages or warnings.

The fix blocks **InstallShield** from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.

**Note:** For more detailed information about this application fix, see [Using the BlockRunAsInteractiveUser Fix](/previous-versions/windows/it-pro/windows-7/dd638336(v=ws.10)).
| -|ChangeFolderPathToXPStyle|This fix is required when an application cannot return shell folder paths when it uses the **SHGetFolder** API.

The fix intercepts the **SHGetFolder**path request to the common **appdata** file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.| +|ChangeFolderPathToXPStyle|This fix is required when an application can't return shell folder paths when it uses the **SHGetFolder** API.

The fix intercepts the **SHGetFolder**path request to the common **appdata** file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.| |ClearLastErrorStatusonIntializeCriticalSection|This fix is indicated when an application fails to start.

The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.| |CopyHKCUSettingsFromOtherUsers|This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.

The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.

You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.

**Note:** For more detailed information about this application fix, see [Using the CopyHKCUSettingsFromOtherUsers Fix](/previous-versions/windows/it-pro/windows-7/dd638375(v=ws.10)).
| -|CorrectCreateBrushIndirectHatch|The problem is indicated by an access violation error message that displays and when the application fails when you select or crop an image.

The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.| -|CorrectFilePaths|The problem is indicated when an application tries to write files to the hard disk and is denied access or receives a file not found or path not found error message.

The fixmodifies the file path names to point to a new location on the hard disk.

**Note:** For more detailed information about the CorrectFilePaths application fix, see [Using the CorrectFilePaths Fix](/previous-versions/windows/it-pro/windows-7/cc766201(v=ws.10)). We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file.
| -|CorrectFilePathsUninstall|This problem occurs when an uninstalled application leaves behind files, directories, and links.

The fix corrects the file paths that are used by the uninstallation process of an application.

**Note:** For more detailed information about this fix, see [Using the CorrectFilePathsUninstall Fix](/previous-versions/windows/it-pro/windows-7/dd638414(v=ws.10)). We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file.
| -|CorrectShellExecuteHWND|This problem occurs when you start an executable (.exe) and a taskbar item blinks instead of an elevation prompt being opened, or when the application does not provide a valid HWND value when it calls the ShellExecute(Ex) function.

The fixintercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.

**Note:** For more detailed information about the CorrectShellExecuteHWND application fix, see [Using the CorrectShellExecuteHWND Fix](/previous-versions/windows/it-pro/windows-7/cc722028(v=ws.10)).
| -|CustomNCRender|This fix instructs DWM to not render the non-client area, thereby forcing the application to do its own NC rendering. This often gives windows an XP look.| +|CorrectCreateBrushIndirectHatch|This problem occurs when an access violation error message displays and the application fails when you select or crop an image.

The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.| +|CorrectFilePaths|This problem occurs when:

  • An application tries to write files to the hard disk and is denied access.
  • An application receives a file not found or path not found error message.

The fix modifies the file path names to point to a new location on the hard disk.

**Note:** For more detailed information about the CorrectFilePaths application fix, see [Using the CorrectFilePaths Fix](/previous-versions/windows/it-pro/windows-7/cc766201(v=ws.10)). We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you're applying it to a setup installation file.
| +|CorrectFilePathsUninstall|This problem occurs when an uninstalled application leaves behind files, directories, and links.

The fix corrects the file paths that are used by the uninstallation process of an application.

**Note:** For more detailed information about this fix, see [Using the CorrectFilePathsUninstall Fix](/previous-versions/windows/it-pro/windows-7/dd638414(v=ws.10)). We recommend that you use this fix together with the CorrectFilePaths fix if you're applying it to a setup installation file.
| +|CorrectShellExecuteHWND|This problem occurs when you start an executable (.exe) and:
  • A taskbar item blinks instead of an elevation prompt being opened, or when the application doesn't provide a valid HWND value when it calls the ShellExecute(Ex) function.

    The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.

    **Note:** For more detailed information about the CorrectShellExecuteHWND application fix, see [Using the CorrectShellExecuteHWND Fix](/previous-versions/windows/it-pro/windows-7/cc722028(v=ws.10)).
    | +|CustomNCRender|This fix instructs DWM to not render the non-client area forcing the application to do its own NC rendering. This issue often gives windows an XP look.| |DelayApplyFlag|This fix applies a KERNEL, USER, or PROCESS flag if the specified DLL is loaded.

    You can control this fix further by typing the following command at the command prompt:

    `DLL_Name;Flag_Type;Hexidecimal_Value`
    Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64 bits long.

    **Note:** The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash ().
    | -|DeprecatedServiceShim|The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.

    The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.

    You can control this fix further by typing the following command at the command prompt:

    `Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2`
    Where Deprecated_Service is the name of the service that has been deprecated and App_Service is the name of the specific application service that is to be modified; for example, NtLmSsp\WMI.

    **Note:** If you do not provide an App_Service name, the deprecated service will be removed from all newly created services.
    **Note:** You can separate multiple entries with a forward slash (/).
    | -|DirectXVersionLie|This problem occurs when an application fails because it does not find the correct version number for DirectX®.

    The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.

    You can control this fix further by typing the following command at the command prompt:
    `MAJORVERSION.MINORVERSION.LETTER`

    For example, 9.0.c.| -|DetectorDWM8And16Bit|This fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8 .| -|Disable8And16BitD3D|This fix improves performance of 8/16-bit color applications that render using D3D and do not mix direct draw.| +|DeprecatedServiceShim|The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.

    The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.

    You can control this fix further by typing the following command at the command prompt:

    `Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2` where:

    • Deprecated_Service is the name of the deprecated service
    • App_Service is the name of the specific application service that is to be modified
    For example, NtLmSsp\WMI.
    **Note:** If you don't provide an App_Service name, the deprecated service is removed from all newly created services.
    **Note:** You can separate multiple entries with a forward slash (/).
    | +|DirectXVersionLie|This problem occurs when an application fails because it doesn't find the correct version number for DirectX®.

    The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.

    You can control this fix further by typing the following command at the command prompt:
    `MAJORVERSION.MINORVERSION.LETTER`

    For example, 9.0.c.| +|DetectorDWM8And16Bit|This fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8 .| +|Disable8And16BitD3D|This fix improves performance of 8/16-bit color applications that render using D3D and don't mix direct draw.| |Disable8And16BitModes|This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.| -|DisableDWM|The problem occurs when some objects are not drawn or object artifacts remain on the screen in an application.

    The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

    **Note:** For more detailed information about this application fix, see [Using the DisableDWM Fix](/previous-versions/windows/it-pro/windows-7/cc722418(v=ws.10)).
    | -|DisableFadeAnimations|The problem is indicated when an application fades animation, buttons, or other controls do not function properly.

    The fix disables the fade animations functionality for unsupported applications.| -|DisableThemeMenus|The problem is indicated by an application that behaves unpredictably when it tries to detect and use the correct Windows settings.

    The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.| -|DisableWindowsDefender|The fix disables Windows Defender for security applications that do not work with Windows Defender.| -|DWM8And16BitMitigation|The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.| +|DisableDWM|The problem occurs when some objects aren't drawn or object artifacts remain on the screen in an application.

    The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

    **Note:** For more detailed information about this application fix, see [Using the DisableDWM Fix](/previous-versions/windows/it-pro/windows-7/cc722418(v=ws.10)).
    | +|DisableFadeAnimations|The problem is indicated when an application fades animation, buttons, or other controls don't function properly.

    The fix disables the fade animations functionality for unsupported applications.| +|DisableThemeMenus|The problem occurs when an application behaves unpredictably when it tries to detect and use the correct Windows settings.

    The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.| +|DisableWindowsDefender|The fix disables Windows Defender for security applications that don't work with Windows Defender.| +|DWM8And16BitMitigation|The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8.| |DXGICompat|The fix allows application-specific compatibility instructions to be passed to the DirectX engine.| |DXMaximizedWindowedMode|Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.| -|ElevateCreateProcess|The problem is indicated when installations, de-installations, or updates fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.

    The fixhandles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code will be returned unchanged.

    **Note:** For more detailed information about this application fix, see [Using the ElevateCreateProcess Fix](/previous-versions/windows/it-pro/windows-7/cc722422(v=ws.10)).
    | +|ElevateCreateProcess|The problem is indicated when:
    • installations
    • de-installations
    • updates
    fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.

    The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code is returned unchanged.

    **Note:** For more detailed information about this application fix, see [Using the ElevateCreateProcess Fix](/previous-versions/windows/it-pro/windows-7/cc722422(v=ws.10)).
    | |EmulateOldPathIsUNC|The problem occurs when an application fails because of an incorrect UNC path.

    The fix exchanges the PathIsUNC function to return a value of True for UNC paths in Windows.| -|EmulateGetDiskFreeSpace|The problem is indicated when an application fails to install or to run, and it generates an error message that there is not enough free disk space to install or use the application, even though there is enough free disk space to meet the application requirements.

    The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual-free space amount.

    **Note:** For more detailed information about this application fix, see [Using the EmulateGetDiskFreeSpace Fix](/previous-versions/windows/it-pro/windows-7/ff720129(v=ws.10)).
    | +|EmulateGetDiskFreeSpace|The problem is indicated when an application fails to install or to run. An error message is generated that there isn't enough free disk space to install or use the application. The error message occurs even though there's enough free disk space to meet the application requirements.

    The fix determines the amount of free space. If the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB. However, if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual-free space amount.

    **Note:** For more detailed information about this application fix, see [Using the EmulateGetDiskFreeSpace Fix](/previous-versions/windows/it-pro/windows-7/ff720129(v=ws.10)).
    | |EmulateSorting|The problem occurs when an application experiences search functionality issues.

    The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.

    **Note:** For more detailed information about this e application fix, see [Using the EmulateSorting Fix](/previous-versions/windows/it-pro/windows-7/cc749209(v=ws.10)).
    | |EmulateSortingWindows61|The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.| -|EnableRestarts|The problem is indicated when an application and computer appear to hang because processes cannot end to allow the computer to complete its restart processes.

    The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.

    **Note:** For more detailed information about this application fix, see [Using the EnableRestarts Fix](/previous-versions/windows/it-pro/windows-7/ff720128(v=ws.10)).
    | -|ExtraAddRefDesktopFolder|The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.

    The fix counteracts the application's tries to obtain the shell desktop folder by invoking the AddRef() method on the Desktop folder, which is returned by the SHGetDesktopFolder function.| +|EnableRestarts|The problem is indicated when an application and computer appear to hang because processes can't end to allow the computer to complete its restart processes.

    The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.

    **Note:** For more detailed information about this application fix, see [Using the EnableRestarts Fix](/previous-versions/windows/it-pro/windows-7/ff720128(v=ws.10)).
    | +|ExtraAddRefDesktopFolder|The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.

    The fix invokes the AddRef() method on the Desktop folder, which the SHGetDesktopFolder function returns, to counteract the problem.| |FailObsoleteShellAPIs|The problem occurs when an application fails because it generated deprecated API calls.

    The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.

    **Note:** You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.
    | -|FailRemoveDirectory|The problem occurs when an application uninstallation process does not remove all of the application files and folders.

    This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command line. Only a single path is supported. The path can contain environment variables, but must be an exact path – no partial paths are supported.

    The fixcan resolves an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.| -|FakeLunaTheme|The problem occurs when a theme application does not properly display: the colors are washed out or the user interface is not detailed.

    The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme (Luna).

    **Note:** For more detailed information about the FakeLunaTheme application fix, see [Using the FakeLunaTheme Fix](/previous-versions/windows/it-pro/windows-7/cc766315(v=ws.10)).
    | -|FlushFile|This problem is indicated when a file is updated and changes do not immediately appear on the hard disk. Applications cannot see the file changes.

    The fixenables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.| +|FailRemoveDirectory|The problem occurs when an application uninstall process doesn't remove all of the application files and folders.

    This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command line. Only a single path is supported. The path can contain environment variables, but must be an exact path - no partial paths are supported.

    The fix resolves an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.| +|FakeLunaTheme|The problem occurs when a theme application doesn't properly display: the colors are washed out or the user interface isn't detailed.

    The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme (Luna).

    **Note:** For more detailed information about the FakeLunaTheme application fix, see [Using the FakeLunaTheme Fix](/previous-versions/windows/it-pro/windows-7/cc766315(v=ws.10)).
    | +|FlushFile|This problem is indicated when a file is updated and changes don't immediately appear on the hard disk. Applications can't see the file changes.

    The fix enables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.| |FontMigration|The fix replaces an application-requested font with a better font selection, to avoid text truncation.| |ForceAdminAccess|The problem occurs when an application fails to function during an explicit administrator check.

    The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.

    **Note:** For more detailed information about this application fix, see [Using the ForceAdminAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766024(v=ws.10)).
    |
 |ForceInvalidateOnClose|The fix invalidates any windows that exist under a closing or hiding window for applications that rely on the invalidation messages.|
-|ForceLoadMirrorDrvMitigation|The fix loads the Windows 8-mirror driver mitigation for applications where the mitigation is not automatically applied.|
+|ForceLoadMirrorDrvMitigation|The fix loads the Windows 8-mirror driver mitigation for applications where the mitigation isn't automatically applied.|
 |FreestyleBMX|The fix resolves an application race condition that is related to window message order.|
-|GetDriveTypeWHook|The application presents unusual behavior during installation; for example, the setup program states that it cannot install to a user-specified location.

    The fix exchanges GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly formed file path when it tries to retrieve the drive type on which the file path exists.|
-|GlobalMemoryStatusLie|The problem is indicated by a Computer memory full error message that displays when you start an application.

    The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.|
-|HandleBadPtr|The problem is indicated by an access violation error message that displays because an API is performing pointer validation before it uses a parameter.

    The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the more parameter validation.|
-|HandleMarkedContentNotIndexed|The problem is indicated by an application that fails when it changes an attribute on a file or directory.

    The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory, and resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.|
+|GetDriveTypeWHook|The application presents unusual behavior during installation; for example, the setup program states that it can't install to a user-specified location.

    The fix exchanges GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly formed file path when it tries to retrieve the drive type on which the file path exists.|
+|GlobalMemoryStatusLie|The problem occurs when a Computer memory full error message that displays when you start an application.

    The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.|
+|HandleBadPtr|The problem occurs when an access violation error message that displays because an API is performing pointer validation before it uses a parameter.

    The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the more parameter validation.|
+|HandleMarkedContentNotIndexed|The problem occurs when an application that fails when it changes an attribute on a file or directory.

    The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory. The fix then resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.|
 |HeapClearAllocation|The problem is indicated when the allocation process shuts down unexpectedly.

    The fix uses zeros to clear out the heap allocation for an application.|
 |IgnoreAltTab|The problem occurs when an application fails to function when special key combinations are used.

    The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.

    **Note:** For more detailed information about this application fix, see [Using the IgnoreAltTab Fix](/previous-versions/windows/it-pro/windows-7/cc722093(v=ws.10)).
    |
-|IgnoreChromeSandbox|The fix allows Google Chrome to run on systems that have ntdll loaded above 4 GB.|
-|IgnoreDirectoryJunction|The problem is indicated by a read or access violation error message that displays when an application tries to find or open files.

    The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW, and FindFirstFileA APIs to prevent them from returning directory junctions.

    **Note:** Symbolic links appear to start in Windows Vista.
    |
-|IgnoreException|The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.

    The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.

    You can control this fix further by typing the following command at the command prompt:

    `Exception1;Exception2`
    Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.

    **Important:** You should use this compatibility fix only if you are certain that it is acceptable to ignore the exception. You might experience more compatibility issues if you choose to incorrectly ignore an exception.

    **Note:** For more detailed information about this application fix, see [Using the IgnoreException Fix](/previous-versions/windows/it-pro/windows-7/cc766154(v=ws.10)).
    |
-|IgnoreFloatingPointRoundingControl|This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.

    Before floating point SSE2 support in the C runtime library, the rounding control request was being ignored which would use round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.|
+|IgnoreChromeSandbox|The fix allows Google Chrome to run on systems where ntdll is loaded above 4 GB.|
+|IgnoreDirectoryJunction|The problem occurs when a read or access violation error message that displays when an application tries to find or open files.

    The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW, and FindFirstFileA APIs to prevent them from returning directory junctions.

    **Note:** Symbolic links appear to start in Windows Vista.
    |
+|IgnoreException|The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.

    The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.

    You can control this fix further by typing the following command at the command prompt:

    `Exception1;Exception2`
    Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.

    **Important:** You should use this compatibility fix only if you're certain that it's acceptable to ignore the exception. You might experience more compatibility issues if you choose to incorrectly ignore an exception.

    **Note:** For more detailed information about this application fix, see [Using the IgnoreException Fix](/previous-versions/windows/it-pro/windows-7/cc766154(v=ws.10)).
    |
+|IgnoreFloatingPointRoundingControl|This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.

    Before the C runtime library supported floating point SSE2, it ignored the rounding control request and used the round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.|
 |IgnoreFontQuality|The problem occurs when application text appears to be distorted.

    The fix enables color-keyed fonts to properly work with anti-aliasing.|
-|IgnoreMessageBox|The problem is indicated by a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.

    The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.

    **Note:** For more detailed information about this application fix, see [Using the IgnoreMessageBox Fix](/previous-versions/windows/it-pro/windows-7/cc749044(v=ws.10)).
    |
-|IgnoreMSOXMLMF|The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.

    The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system anytime that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.|
+|IgnoreMessageBox|The problem occurs when a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.

    The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.

    **Note:** For more detailed information about this application fix, see [Using the IgnoreMessageBox Fix](/previous-versions/windows/it-pro/windows-7/cc749044(v=ws.10)).
    |
+|IgnoreMSOXMLMF|The problem occurs when an error message that states that the operating system can't locate the MSVCR80D.DLL file.

    The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system anytime that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix ignores the registered MSOXMLMF and fails the CoGetClassObject for its CLSID.|
 |IgnoreSetROP2|The fix ignores read-modify-write operations on the desktop to avoid performance issues.|
-|InstallComponent|The fix prompts the user to install.Net 3.5 or .NET 2.0 because .NET is not included with Windows 8.|
+|InstallComponent|The fix prompts the user to install.Net 3.5 or .NET 2.0 because .NET isn't included with Windows 8.|
 |LoadLibraryRedirect|The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.|
 |LocalMappedObject|The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.

    The fix intercepts the function call to create the object and replaces the word Global with Local.

    **Note:** For more detailed information about this application fix, see [Using the LocalMappedObject Fix](/previous-versions/windows/it-pro/windows-7/cc749287(v=ws.10)).
    |
-|MakeShortcutRunas|The problem is indicated when an application fails to uninstall because of access-related errors.

    The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installation, thereby enabling the uninstallation to occur later.

    **Note:** For more detailed information about this application fix, see [Using the MakeShortcutRunas Fix](/previous-versions/windows/it-pro/windows-7/dd638338(v=ws.10))
    |
+|MakeShortcutRunas|The problem is indicated when an application fails to uninstall because of access-related errors.

    The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installationenabling the uninstallation to occur later.

    **Note:** For more detailed information about this application fix, see [Using the MakeShortcutRunas Fix](/previous-versions/windows/it-pro/windows-7/dd638338(v=ws.10))
    |
 |ManageLinks|The fix intercepts common APIs that are going to a directory or to an executable (.exe) file, and then converts any symbolic or directory junctions before passing it back to the original APIs.|
 |MirrorDriverWithComposition|The fix allows mirror drivers to work properly with acceptable performance with desktop composition.|
 |MoveToCopyFileShim|The problem occurs when an application experiences security access issues during setup.

    The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.|
-|OpenDirectoryAcl|The problem is indicated by an error message that states that you do not have the appropriate permissions to access the application.

    The fix reduces the security privilege levels on a specified set of files and folders.

    **Note:** For more detailed information about this application fix, see [Using the OpenDirectoryACL Fix](/previous-versions/windows/it-pro/windows-7/dd638417(v=ws.10)).
    |
+|OpenDirectoryAcl|The problem occurs when an error message that states that you don't have the appropriate permissions to access the application.

    The fix reduces the security privilege levels on a specified set of files and folders.

    **Note:** For more detailed information about this application fix, see [Using the OpenDirectoryACL Fix](/previous-versions/windows/it-pro/windows-7/dd638417(v=ws.10)).
    |
 |PopCapGamesForceResPerf|The fix resolves the performance issues in PopCap games like Bejeweled2. The performance issues are visible in certain low-end cards at certain resolutions where the 1024x768 buffer is scaled to fit the display resolution.|
 |PreInstallDriver|The fix preinstalls drivers for applications that would otherwise try to install or start drivers during the initial start process.|
 |PreInstallSmarteSECURE|The fix preinstalls computer-wide CLSIDs for applications that use SmartSECURE copy protection, which would otherwise try to install the CLSIDs during the initial start process.|
-|ProcessPerfData|The problem is indicated by an Unhandled Exception error message because the application tried to read the process performance data registry value to determine if another instance of the application is running.

    The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it is the only instance running.

    **Note:** This issue seems to occur most frequently with .NET applications.|
+|ProcessPerfData|The problem occurs because the application tried to read the process performance data registry value to determine if another instance of the application is running. This problem results in an Unhandled Exception error message.

    The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it's the only instance running.

    **Note:** This issue seems to occur most frequently with .NET applications.|
 |PromoteDAM|The fix registers an application for power state change notifications.
    |
 |PropagateProcessHistory|The problem occurs when an application incorrectly fails to apply an application fix.

    The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.|
-|ProtectedAdminCheck|The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.

    The fix addresses the issues that occur when applications use non-standard Administrator checks, thereby generating false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but it is set as deny-only.|
-|RedirectCRTTempFile|The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume, thereby redirecting the calls to a temporary file in the user's temporary directory.|
-|RedirectHKCUKeys|The problem occurs when an application cannot be accessed because of User Account Control (UAC) restrictions.

    The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.|
-|RedirectMP3Codec|This problem occurs when you cannot play MP3 files.

    The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.|
-|RedirectShortcut|The problem occurs when an application cannot be accessed by its shortcut, or application shortcuts are not removed during the application uninstallation process.

    The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.

    Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.
    Desktop or Quick Launch shortcuts: You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.

    This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user cannot access the shortcuts.

    You cannot apply this fix to an .exe file that includes a manifest and provides a run level.|
-|RelaunchElevated|The problem occurs when installers, uninstallers, or updaters fail when they are started from a host application.

    The fix enables a child .exe file to run with elevated privileges when it is difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.

    **Note:** For more detailed information about this application fix, see [Using the RelaunchElevated Fix](/previous-versions/windows/it-pro/windows-7/dd638373(v=ws.10)).
    |
-|RetryOpenSCManagerWithReadAccess|The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.

    The fix retries the call and requests a more restricted set of rights that include the following:

  • SC_MANAGER_CONNECT
  • SC_MANAGER_ENUMERATE_SERVICE
  • SC_MANAGER_QUERY_LOCK_STATUS
  • STANDARD_READ_RIGHTS
    **Note:** For more detailed information about this application fix, see [Using the RetryOpenSCManagerwithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc721915(v=ws.10)).
    |
-|RetryOpenServiceWithReadAccess|The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.

    The fix retries the OpenService() API call and verifies that the user has Administrator rights, is not a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this to work

    **Note:** For more detailed information about this application fix, see [Using the RetryOpenServiceWithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766423(v=ws.10)).
    |
+|ProtectedAdminCheck|The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.

    The fix addresses the issues that occur when applications use non-standard Administrator checks. This issue can result in false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but the SID is set as deny-only.|
+|RedirectCRTTempFile|The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume. The fix instead redirects the calls to a temporary file in the user's temporary directory.|
+|RedirectHKCUKeys|The problem occurs when an application can't be accessed because of User Account Control (UAC) restrictions.

    The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.|
+|RedirectMP3Codec|This problem occurs when you can't play MP3 files.

    The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.|
+|RedirectShortcut|The problem occurs when an application's shortcut can't be accessed, or the application uninstallation process doesn't remove application shortcuts.

    The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.

    Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.
    Desktop or Quick Launch shortcuts: You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.

    This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user can't access the shortcuts.

    You can't apply this fix to an .exe file that includes a manifest and provides a run level.|
+|RelaunchElevated|The problem occurs when installers, uninstallers, or updaters fail when they're started from a host application.

    The fix enables a child .exe file to run with elevated privileges when it's difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.

    **Note:** For more detailed information about this application fix, see [Using the RelaunchElevated Fix](/previous-versions/windows/it-pro/windows-7/dd638373(v=ws.10)).
    |
+|RetryOpenSCManagerWithReadAccess|The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.

    The fix retries the call and requests a more restricted set of rights that include the following items:

  • SC_MANAGER_CONNECT
  • SC_MANAGER_ENUMERATE_SERVICE
  • SC_MANAGER_QUERY_LOCK_STATUS
  • STANDARD_READ_RIGHTS
    **Note:** For more detailed information about this application fix, see [Using the RetryOpenSCManagerwithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc721915(v=ws.10)).
    |
+|RetryOpenServiceWithReadAccess|The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.

    The fix retries the OpenService() API call and verifies that the user has Administrator rights, isn't a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this fix to work

    **Note:** For more detailed information about this application fix, see [Using the RetryOpenServiceWithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766423(v=ws.10)).
    |
 |RunAsAdmin|The problem occurs when an application fails to function by using the Standard User or Protected Administrator account.

    The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.

    **Note:** For more detailed information about this application fix, see [Using the RunAsAdmin Fix](/previous-versions/windows/it-pro/windows-7/dd638315(v=ws.10)).
    |
-|RunAsHighest|The problem occurs when administrators cannot view the read/write version of an application that presents a read-only view to standard users.

    The fix enables the application to run by using the highest available permissions. This is the equivalent of specifying highestAvailable in an application manifest.

    **Note:** For more detailed information about this application fix, see [Using the RunAsHighest Fix](/previous-versions/windows/it-pro/windows-7/dd638322(v=ws.10)).
    |
-|RunAsInvoker|The problem occurs when an application is not detected as requiring elevation.

    The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This is the equivalent of specifying asInvoker in an application manifest.

    **Note:** For more detailed information about this application fix, see [Using the RunAsInvoker Fix](/previous-versions/windows/it-pro/windows-7/dd638389(v=ws.10)).
    |
+|RunAsHighest|The problem occurs when administrators can't view the read/write version of an application that presents a read-only view to standard users.

    The fix enables the application to run by using the highest available permissions. This fix is the equivalent of specifying highestAvailable in an application manifest.

    **Note:** For more detailed information about this application fix, see [Using the RunAsHighest Fix](/previous-versions/windows/it-pro/windows-7/dd638322(v=ws.10)).
    |
+|RunAsInvoker|The problem occurs when an application isn't detected as requiring elevation.

    The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This fix is the equivalent of specifying asInvoker in an application manifest.

    **Note:** For more detailed information about this application fix, see [Using the RunAsInvoker Fix](/previous-versions/windows/it-pro/windows-7/dd638389(v=ws.10)).
    |
 |SecuROM7|The fix repairs applications by using SecuROM7 for copy protection.|
-|SessionShim|The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.

    At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.

    **Important:** Users cannot log in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.

    **Note:** For more detailed information about this application fix, see [Using the SessionShim Fix](/previous-versions/windows/it-pro/windows-7/cc722085(v=ws.10)).
    |
+|SessionShim|The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.

    At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.

    **Important:** Users can't sign in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.

    **Note:** For more detailed information about this application fix, see [Using the SessionShim Fix](/previous-versions/windows/it-pro/windows-7/cc722085(v=ws.10)).
    |
 |SetProtocolHandler|The fix registers an application as a protocol handler.

    You can control this fix further by typing the following command at the command prompt:`Client;Protocol;App`
    Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.

    **Note:** Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash ().
    |
-|SetupCommitFileQueueIgnoreWow|The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.

    The fixdisables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.|
+|SetupCommitFileQueueIgnoreWow|The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.

    The fix disables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.|
 |SharePointDesigner2007|The fix resolves an application bug that severely slows the application when it runs in DWM.|
-|ShimViaEAT|The problem occurs when an application fails, even after applying acompatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.

    The fixapplies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.

    **Note:** For more information about this application fix, see [Using the ShimViaEAT Fix](/previous-versions/windows/it-pro/windows-7/cc766286(v=ws.10)).
    |
-|ShowWindowIE|The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.

    The fixintercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.|
-|SierraWirelessHideCDROM|The fix repairs the Sierra Wireless Driver installation, thereby preventing bugcheck.|
+|ShimViaEAT|The problem occurs when an application fails, even after applying a compatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.

    The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.

    **Note:** For more information about this application fix, see [Using the ShimViaEAT Fix](/previous-versions/windows/it-pro/windows-7/cc766286(v=ws.10)).
    | +|ShowWindowIE|The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.

    The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.|
+|SierraWirelessHideCDROM|The fix repairs the Sierra Wireless Driver installation preventing bugcheck.|
 |Sonique2|The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.|
-|SpecificInstaller|The problem occurs when an application installation file fails to be picked up by the GenericInstaller function.

    The fixflags the application as being an installer file (for example, setup.exe), and then prompts for elevation.

    **Note:** For more detailed information about this application fix, see [Using the SpecificInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638397(v=ws.10)).
    |
-|SpecificNonInstaller|The problem occurs when an application that is not an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.

    The fixflags the application to exclude it from detection by the GenericInstaller function.

    **Note:** For more detailed information about this application fix, see [Using the SpecificNonInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638326(v=ws.10)).
    | +|SpecificInstaller|The problem occurs when the GenericInstaller function fails to pick up an application installation file.

    The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.

    **Note:** For more detailed information about this application fix, see [Using the SpecificInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638397(v=ws.10)).
    | +|SpecificNonInstaller|The problem occurs when an application that isn't an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.

    The fix flags the application to exclude it from detection by the GenericInstaller function.

    **Note:** For more detailed information about this application fix, see [Using the SpecificNonInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638326(v=ws.10)).
    | |SystemMetricsLie|The fix replaces SystemMetrics values and SystemParametersInfo values with the values of previous Windows versions.| |TextArt|The application receives different mouse coordinates with DWM ON versus DWM OFF, which causes the application to hang. This fix resolves the issue.| -|TrimDisplayDeviceNames|The fix trims the names of the display devices that are returned by the EnumDisplayDevices API.| +|TrimDisplayDeviceNames|The fix trims the names returned by the EnumDisplayDevices API of the display devices.| |UIPICompatLogging|The fix enables the logging of Windows messages from Internet Explorer and other processes.| -|UIPIEnableCustomMsgs|The problem occurs when an application does not properly communicate with other processes because customized Windows messages are not delivered.

    The fixenables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.

    You can control this fix further by typing the following command at the command prompt:

    `MessageString1 MessageString2`
    Where MessageString1 and MessageString2 reflect the message strings that can pass.

    **Note:** Multiple message strings must be separated by spaces. For more detailed information about this application fix, see [Using the UIPIEnableCustomMsgs Fix](/previous-versions/windows/it-pro/windows-7/dd638320(v=ws.10)).
    | -|UIPIEnableStandardMsgs|The problem occurs when an application does not communicate properly with other processes because standard Windows messages are not delivered.

    The fixenables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.

    You can control this fix further by typing the following command at the command prompt:

    `1055 1056 1069`

    Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.

    **Note:** Multiple messages can be separated by spaces. For more detailed information about this application fix, see [Using the UIPIEnableStandardMsgs Fix [act]](/previous-versions/windows/it-pro/windows-7/dd638361(v=ws.10)).
    | +|UIPIEnableCustomMsgs|The problem occurs when an application doesn't properly communicate with other processes because customized Windows messages aren't delivered.

    The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.

    You can control this fix further by typing the following command at the command prompt:

    `MessageString1 MessageString2`
    Where MessageString1 and MessageString2 reflect the message strings that can pass.

    **Note:** You must separate multiple message strings by spaces. For more detailed information about this application fix, see [Using the UIPIEnableCustomMsgs Fix](/previous-versions/windows/it-pro/windows-7/dd638320(v=ws.10)).
    | +|UIPIEnableStandardMsgs|The problem occurs when an application doesn't communicate properly with other processes because standard Windows messages aren't delivered.

    The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.

    You can control this fix further by typing the following command at the command prompt:

    `1055 1056 1069`

    Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.

    **Note:** You can separate multiple messages with spaces. For more detailed information about this application fix, see [Using the UIPIEnableStandardMsgs Fix [act]](/previous-versions/windows/it-pro/windows-7/dd638361(v=ws.10)).
    | |VirtualizeDeleteFileLayer|The fix virtualizes DeleteFile operations for applications that try to delete protected files.| -|VirtualizeDesktopPainting|This fix improves the performance of a number of operations on the Desktop DC while using DWM.| -|VirtualRegistry|The problem is indicated when a Component failed to be located error message displays when an application is started.

    The fixenables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.

    For more detailed information about this application fix, see [Using the VirtualRegistry Fix](/previous-versions/windows/it-pro/windows-7/cc749368(v=ws.10)).| -|VirtualizeDeleteFile|The problem occurs when several error messages display and the application cannot delete files.

    The fixmakes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.

    **Note:** For more detailed information about this application fix, see [Using the VirtualizeDeleteFile Fix](/previous-versions/windows/it-pro/windows-7/dd638360(v=ws.10)).
    | -|VirtualizeHKCRLite|The problem occurs when an application fails to register COM components at runtime.

    The fixredirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.

    HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application is not elevated and is ignored if the application is elevated.

    You typically will use this compatibility fix in conjunction with the VirtualizeRegisterTypeLib fix.
    For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](/previous-versions/windows/it-pro/windows-7/dd638327(v=ws.10)).| -|VirtualizeRegisterTypeLib|The fix, when it is used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.

    **Note:** For more detailed information about this application fix, see [Using the VirtualizeRegisterTypelib Fix](/previous-versions/windows/it-pro/windows-7/dd638385(v=ws.10)).
    | -|WaveOutIgnoreBadFormat|This problem is indicated by an error message that states: Unable to initialize sound device from your audio driver; the application then closes.

    The fixenables the application to ignore the format error and continue to function properly.| -|WerDisableReportException|The fix turns off the silent reporting of exceptions to the Windows Error Reporting tool, including those that are reported by Object Linking and Embedding-Database (OLE DB). The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.| +|VirtualizeDesktopPainting|This fix improves the performance of several operations on the Desktop DC while using DWM.| +|VirtualRegistry|The problem is indicated when a Component failed to be located error message displays when an application is started.

    The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.

    For more detailed information about this application fix, see [Using the VirtualRegistry Fix](/previous-versions/windows/it-pro/windows-7/cc749368(v=ws.10)).| +|VirtualizeDeleteFile|The problem occurs when several error messages display and the application can't delete files.

    The fix makes the application's DeleteFile function call a virtual call to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.

    **Note:** For more detailed information about this application fix, see [Using the VirtualizeDeleteFile Fix](/previous-versions/windows/it-pro/windows-7/dd638360(v=ws.10)).
    | +|VirtualizeHKCRLite|The problem occurs when an application fails to register COM components at runtime.

    The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This fix operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.

    HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application isn't elevated and is ignored if the application is elevated.

    You typically use this compatibility fix with the VirtualizeRegisterTypeLib fix.
    For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](/previous-versions/windows/it-pro/windows-7/dd638327(v=ws.10)).| +|VirtualizeRegisterTypeLib|The fix when used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This fix functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.

    **Note:** For more detailed information about this application fix, see [Using the VirtualizeRegisterTypelib Fix](/previous-versions/windows/it-pro/windows-7/dd638385(v=ws.10)).
    | +|WaveOutIgnoreBadFormat|When this problem occurs when an Unable to initialize sound device from your audio driver error occurs; the application then closes.

    The fix enables the application to ignore the format error and continue to function properly.| +|WerDisableReportException|The fix turns off the silent reporting of exceptions, including those exceptions reported by Object Linking and Embedding-Database (OLE DB), to the Windows Error Reporting tool. The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.| |Win7RTM/Win8RTM|The layer provides the application with Windows 7/Windows 8 compatibility mode.| -|WinxxRTMVersionLie|The problem occurs when an application fails because it does not find the correct version number for the required Windows operating system.

    All version lie compatibility fixes address the issue whereby an application fails to function because it is checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.| -|Wing32SystoSys32|The problem is indicated by an error message that states that the WinG library was not properly installed.

    The fixdetects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.

    **Important:** The application must have Administrator privileges for this fix to work.| +|WinxxRTMVersionLie|The problem occurs when an application fails because it doesn't find the correct version number for the required Windows operating system.

    All version lie compatibility fixes address the issue whereby an application fails to function because it's checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.| +|Wing32SystoSys32|The problem occurs when an error message that states that the WinG library wasn't properly installed.

    The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.

    **Important:** The application must have Administrator privileges for this fix to work.| |WinSrv08R2RTM|| -|WinXPSP2VersionLie|The problem occurs when an application experiences issues because of a VB runtime DLL.

    The fixforces the application to follow these steps:

  • Open the Compatibility Administrator, and then select None for Operating System Mode.
  • On the Compatibility Fixes page, click WinXPSP2VersionLie, and then click Parameters.
  • The Options for <fix_name> dialog box appears.
  • Type vbrun60.dll into the Module Name box, click Include, and then click Add.
  • Save the custom database.
    **Note:** For more information about the WinXPSP2VersionLie application fix, see [Using the WinXPSP2VersionLie Fix](/previous-versions/windows/it-pro/windows-7/cc749518(v=ws.10)).
    | -|WRPDllRegister|The application fails when it tries to register a COM component that is released together with Windows Vista and later.

    The fixskips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.

    You can control this fix further by typing the following command at the command prompt:

    `Component1.dll;Component2.dll`
    Where Component1.dll and Component2.dll reflect the components to be skipped.

    **Note:** For more detailed information about this application fix, see [Using the WRPDllRegister Fix](/previous-versions/windows/it-pro/windows-7/dd638345(v=ws.10)).
    | -|WRPMitigation|The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.

    The fixemulates the successful authentication and modification of file and registry APIs, so that the application can continue.

    **Note:** For more detailed information about WRPMitigation, see [Using the WRPMitigation Fix](/previous-versions/windows/it-pro/windows-7/dd638325(v=ws.10)).
    | -|WRPRegDeleteKey|The problem is indicated by an access denied error message that displays when the application tries to delete a registry key.

    The fixverifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.| +|WinXPSP2VersionLie|The problem occurs when an application experiences issues because of a VB runtime DLL.

    The fix forces the application to follow these steps:

  • Open the Compatibility Administrator, and then select None for Operating System Mode.
  • On the Compatibility Fixes page, select WinXPSP2VersionLie, and then select Parameters.
  • The Options for /; dialog box appears.
  • Type vbrun60.dll into the Module Name box, select Include, and then select Add.
  • Save the custom database.
    **Note:** For more information about the WinXPSP2VersionLie application fix, see [Using the WinXPSP2VersionLie Fix](/previous-versions/windows/it-pro/windows-7/cc749518(v=ws.10)).
    | +|WRPDllRegister|The application fails when it tries to register a COM component that is released together with Windows Vista and later.

    The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.

    You can control this fix further by typing the following command at the command prompt:

    `Component1.dll;Component2.dll`
    Where Component1.dll and Component2.dll reflect the components to be skipped.

    **Note:** For more detailed information about this application fix, see [Using the WRPDllRegister Fix](/previous-versions/windows/it-pro/windows-7/dd638345(v=ws.10)).
    | +|WRPMitigation|The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.

    The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.

    **Note:** For more detailed information about WRPMitigation, see [Using the WRPMitigation Fix](/previous-versions/windows/it-pro/windows-7/dd638325(v=ws.10)).
    | +|WRPRegDeleteKey|The problem occurs when an access denied error message that displays when the application tries to delete a registry key.

    The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.| |XPAfxIsValidAddress|The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.| ## Compatibility Modes
@@ -161,5 +158,5 @@ The following table lists the known compatibility modes. |Compatibility Mode Name|Description|Included Compatibility Fixes| |--- |--- |--- |
-|WinSrv03|Emulates the Windows Server 2003 operating system.|

  • Win2k3RTMVersionLie
  • VirtualRegistry
  • ElevateCreateProcess
  • EmulateSorting
  • FailObsoleteShellAPIs
  • LoadLibraryCWD
  • HandleBadPtr
  • GlobalMemoryStatus2GB
  • RedirectMP3Codec
  • EnableLegacyExceptionHandlinginOLE
  • NoGhost
  • HardwareAudioMixer|
+|WinSrv03|Emulates the Windows Server 2003 operating system.|
  • Win2k3RTMVersionLie
  • VirtualRegistry
  • ElevateCreateProcess
  • EmulateSorting
  • FailObsoleteShellAPIs
  • LoadLibraryCWD
  • HandleBadPtr
  • GlobalMemoryStatus2 GB
  • RedirectMP3Codec
  • EnableLegacyExceptionHandlinginOLE
  • NoGhost
  • HardwareAudioMixer| |WinSrv03Sp1|Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.|
  • Win2K3SP1VersionLie
  • VirtualRegistry
  • ElevateCreateProcess
  • EmulateSorting
  • FailObsoleteShellAPIs
  • LoadLibraryCWD
  • HandleBadPtr
  • EnableLegacyExceptionHandlinginOLE
  • RedirectMP3Codec
  • HardwareAudioMixer|
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 3dee852942..6728d4c2ee 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium ms.sitesec: library ms.date: 10/28/2022
- ms.reviewer:
+ ms.reviewer: author: frankroj ms.author: frankroj manager: aaroncz
@@ -26,17 +26,17 @@ sections: Where can I download Windows 10 Enterprise? answer: | If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you don't have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). - + - question: | What are the system requirements? answer: |
- For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752).
-
+ For details, see [Windows 10 Enterprise system requirements](https://www.microsoft.com/windows/Windows-10-specifications#areaheading-uid09f4). + - question: | What are the hardware requirements for Windows 10? answer: | Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. For more information, see [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications). - + - question: | Can I evaluate Windows 10 Enterprise? answer: |
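Review bot: In the WinSrv03 row of the Compatibility Modes hunk, the new side lists `GlobalMemoryStatus2 GB` where the old side has `GlobalMemoryStatus2GB`; the copy-edit pass appears to have treated the trailing `2GB` of a compatibility-fix identifier as a quantity, so readers matching the name against the Compatibility Administrator will no longer find it. Restore that entry to `• GlobalMemoryStatus2GB`. The same pass seems to have hit the WinXPSP2VersionLie steps in the preceding hunk, where the `<fix_name>` placeholder now shows as `/;` in this rendering and should be checked against the file; that hunk begins before this chunk, so its start is not visible here.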
@@ -55,17 +55,17 @@ sections: - [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984) - [Panasonic Driver Pack for Enterprise](https://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) - + - question: | Where can I find out if an application or device is compatible with Windows 10? answer: | Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. - + - question: | Is there an easy way to assess if my organization's devices are ready to upgrade to Windows 10? answer: | [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without other infrastructure requirements. This service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. - + - name: Administration and deployment questions: - question: | 
@@ -78,36 +78,36 @@ sections: - [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment. - The [Windows ADK](/windows-hardware/get-started/adk-install) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. - + - question: | Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? answer: | Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md). - + - question: | Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? answer: | If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you're entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - + For devices that are licensed under a volume license agreement for Windows that doesn't include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. - + - name: Managing updates questions: - question: | What is Windows as a service? answer: | The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. 
Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](../update/waas-overview.md). - + - question: | How is servicing different with Windows as a service? answer: | Traditional Windows servicing has included several release types: major revisions (for example, Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. - + - question: | What are the servicing channels? answer: | - To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). 
- + To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](/windows/release-health/release-information). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). + - question: | What tools can I use to manage Windows as a service updates? answer: | 
@@ -116,25 +116,25 @@ sections: - Windows Update for Business - Windows Server Update Services - Microsoft Configuration Manager - + For more information, see [Servicing Tools](../update/waas-overview.md#servicing-tools). - + - name: User experience questions: - question: | Where can I find information about new features and changes in Windows 10 Enterprise? answer: | For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. - + Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. - + To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). - + - question: | How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? answer: | Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. - + - question: | How does Windows 10 help people work with applications and data across various devices? answer: | 
@@ -143,13 +143,13 @@ sections: - Universal apps now open in windows instead of full screen. - [Multitasking is improved with adjustable Snap](https://blogs.windows.com/windows-insider/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged. - Tablet Mode to simplify using Windows with a finger or pen by using touch input. - + - name: Help and support questions: - question: | Where can I ask a question about Windows 10? answer: | Use the following resources for additional information about Windows 10.
- - If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
- - If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum).
- - If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
+ - [Microsoft Q&A](/answers/)
+ - [Microsoft Support Community](https://answers.microsoft.com/)
+
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index cd8a399645..c152fd21ae 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -10,7 +10,7 @@ ms.topic: conceptual ms.subservice: itpro-updates ms.collection: - tier1
-appliesto:
+appliesto: - ✅ Windows 11 - ✅ Windows 10 - ✅ Windows Server 2022 
@@ -21,12 +21,12 @@ ms.date: 02/14/2024 # Configure Windows Update for Business -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) > [!NOTE] > Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/). - -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this article provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). + +You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this article provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). > [!IMPORTANT] > Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). 
@@ -34,17 +34,17 @@ You can use Group Policy or your mobile device management (MDM) service to confi ## Start by grouping devices -By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups, which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. +By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups, which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization. >[!TIP] ->In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). +>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft's design on functional aspects of the product. 
For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). ## Configure devices for the appropriate service channel -With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the General Availability Channel servicing branch. For more information on this servicing model, see [Servicing channels](waas-overview.md#servicing-channels). +With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the General Availability Channel servicing branch. For more information on this servicing model, see [Servicing channels](waas-overview.md#servicing-channels). **Release branch policies** @@ -65,7 +65,7 @@ Starting with Windows 10, version 1703, users can configure the branch readiness ## Configure when devices receive feature updates -After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. +After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` won't install a feature update that is first publicly available on Windows Update in September until 30 days later, in October. 
@@ -87,7 +87,7 @@ For example, a device on the General Availability Channel with `DeferFeatureUpda You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again. -Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. +Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date. @@ -104,7 +104,7 @@ In cases where the pause policy is first applied after the configured start date | MDM for Windows 10, version 1607 or later:
    ../Vendor/MSFT/Policy/Config/Update/
    **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
    **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime | | MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. The local group policy editor (GPEdit.msc) won't reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: 
@@ -125,7 +125,7 @@ Starting with Windows 10, version 1703, using Settings to control the pause beha ## Configure when devices receive quality updates -Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. +Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. You can set your system to receive updates for other Microsoft products—known as Microsoft updates (such as Microsoft Office, Visual Studio)—along with Windows updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft updates will follow the same deferral and pause rules as all other quality updates. For a list of other Microsoft products that might be updated, see [Update other Microsoft products](update-other-microsoft-products.md). 
@@ -145,7 +145,7 @@ You can set your system to receive updates for other Microsoft products—known You can also pause a system from receiving quality updates for a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality updates. Following this scan, you can then pause quality updates for the device again. -Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. +Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date. @@ -210,10 +210,10 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving | MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | ## Enable optional updates - + In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy. -To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. +To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. 
:::image type="content" source="media/7991583-update-seeker-enabled.png" alt-text="Screenshot of the Get the latest updates as soon as they're available option in the Windows updates page of Settings." lightbox="media/7991583-update-seeker-enabled.png"::: @@ -230,7 +230,7 @@ The following options are available for the policy: - **Users can select which optional updates to receive**: - Users can select which optional updates to install from **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Optional updates**. - - Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled. + - Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled. - CFRs are offered to the device, but not necessarily in the early phases of the rollout. - Users can enable the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. If the user enables the **Get the latest updates as soon as they're available**, then: - The device will receive CFRs in early phases of the rollout. 
@@ -249,7 +249,7 @@ The following options are available for the policy: ## Enable features that are behind temporary enterprise feature control -New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly. +New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly. The features that are behind temporary enterprise feature control will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them. For a list of features that are turned off by default, see [Windows 11 features behind temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). @@ -274,7 +274,7 @@ The following are quick-reference tables of the supported policy values for Wind | BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast
    4: Systems take feature updates for the Windows Insider build - Slow
    8: Systems take feature updates for the Release Windows Insider build

    Other value or absent: Receive all applicable updates | | DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates
    Other value or absent: Don't defer feature updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days | -| DeferQualityUpdates | REG_DWORD | 1: Defer quality updates
    Other value or absent: Don't defer quality updates | +| DeferQualityUpdates | REG_DWORD | 1: Defer quality updates
    Other value or absent: Don't defer quality updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days | | ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: Exclude Windows Update drivers
    Other value or absent: Offer Windows Update drivers | | PauseFeatureUpdatesStartTime | REG_DWORD |1: Pause feature updates
    Other value or absent: Don't pause feature updates | @@ -310,4 +310,3 @@ When a device running a newer version sees an update available on Windows Update | PauseFeatureUpdates | PauseFeatureUpdatesStartTime | | PauseQualityUpdates | PauseQualityUpdatesStartTime | - \ No newline at end of file diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index fa5ee150d4..2e0aea738c 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md 
@@ -8,30 +8,30 @@ author: mestew ms.author: mstewart manager: aaroncz ms.localizationpriority: medium -appliesto: +appliesto: - ✅ Windows 11 -- ✅ Windows 10 +- ✅ Windows 10 ms.date: 12/31/2017 --- # Prepare a servicing strategy for Windows client updates -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) Here's an example of what this process might look like: - **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they're available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate prerelease builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business. -- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. +- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. 
For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you're looking for feedback rather than people to just "try it out" and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. -- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain needs to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for "ADMX download for Windows build xxxx". 
For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) +- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain needs to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/troubleshoot/windows-server/group-policy/manage-group-policy-adm-file) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for "ADMX download for Windows build xxxx". For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) - **Choose a servicing tool.** Decide which product you'll use to manage the Windows updates in your environment. If you're currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you'll use, consider how you'll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). 
-- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview). +- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview). Each time Microsoft releases a feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: 1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier "Configure test devices" step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. -2. 
**Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it's still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity represents most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the "Recruit volunteers" step of the previous section. Be sure to communicate clearly that you're looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it. -3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don't prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department. +2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it's still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. 
Because only the most business-critical applications are tested beforehand, this activity represents most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the "Recruit volunteers" step of the previous section. Be sure to communicate clearly that you're looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it.
+3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don't prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 3a3e1ce84b..482d812e39 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -1,5 +1,5 @@
 ---
-title: Windows 10 upgrade paths (Windows 10)
+title: Windows 10 upgrade paths
 description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
 ms.service: windows-client
 ms.localizationpriority: medium
@@ -11,7 +11,7 @@ ms.collection:
 - highpri
 - tier2
 ms.subservice: itpro-deploy
-ms.date: 10/02/2023
+ms.date: 02/13/2024
 appliesto:
 - ✅ Windows 10
 ---
@@ -32,7 +32,7 @@ appliesto: This article provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. Paths include upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. -If you're also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't maintained when the Windows edition is downgraded. +If you're also migrating to a different edition of Windows, see [Windows edition upgrade](windows-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't maintained when the Windows edition is downgraded. - **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](/lifecycle/faq/windows) for availability and service information. 
@@ -99,8 +99,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
 
 ## Related articles
 
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-
-[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
\ No newline at end of file
+- [Windows 10 deployment scenarios](../windows-deployment-scenarios.md).
+- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md).
+- [Windows 10 edition upgrade](windows-edition-upgrades.md).
diff --git a/windows/deployment/upgrade/windows-upgrade-paths.md b/windows/deployment/upgrade/windows-upgrade-paths.md
index cf0bfb9763..1033866907 100644
--- a/windows/deployment/upgrade/windows-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-upgrade-paths.md
@@ -1,5 +1,5 @@
 ---
-title: Windows upgrade paths
+title: Windows upgrade paths
 description: Upgrade to current versions of Windows from a previous version of Windows
 ms.service: windows-client
 ms.localizationpriority: medium
@@ -11,7 +11,7 @@ ms.collection:
 - highpri
 - tier2
 ms.subservice: itpro-deploy
-ms.date: 10/02/2023
+ms.date: 02/13/2024
 appliesto:
 - ✅ Windows 10
 - ✅ Windows 11
@@ -30,13 +30,13 @@ This article provides a summary of available upgrade paths to currently supporte - **Windows version upgrade**: You can directly upgrade any General Availability Channel version of Windows to a newer, supported General Availability Channel version of Windows, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](/lifecycle/faq/windows) for availability and service information. - **Upgrade from Windows LTSC to Windows General Availability Channel**: Upgrade from Windows LTSC to Windows General Availability Channel is available when upgrading to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise 22H2. Upgrade is supported using the in-place upgrade process using Windows setup. The Product Key switch needs to be used if apps need to be kept. If the switch isn't used, the option **Keep personal files and apps** option is grayed out. The command line to perform the upgrade is: - + ```cmd setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx ``` where **xxxxx-xxxxx-xxxxx-xxxxx-xxxxx** is the Windows General Availability Channel product key. For example, if using a KMS, the command line for Windows Enterprise would be: - + ```cmd setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43 ``` 
@@ -66,6 +66,6 @@ This article provides a summary of available upgrade paths to currently supporte
 
 ## Related articles
 
-- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-- [Windows edition upgrade](windows-edition-upgrades.md)
\ No newline at end of file
+- [Windows 10 deployment scenarios](../windows-deployment-scenarios.md).
+- [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md).
+- [Windows edition upgrade](windows-edition-upgrades.md).
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index 52e3d80761..389249762f 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -46,7 +46,7 @@ This article discusses general and security-related best practices when using Us - **Chkdsk.exe.** - Microsoft recommends running **Chkdsk.exe** before running the **ScanState** and **LoadState** tools. **Chkdsk.exe** creates a status report for a hard disk drive and lists and corrects common errors. For more information about the **Chkdsk.exe** tool, see [Chkdsk](/previous-versions/windows/it-pro/windows-xp/bb490876(v=technet.10)). + Microsoft recommends running **Chkdsk.exe** before running the **ScanState** and **LoadState** tools. **Chkdsk.exe** creates a status report for a hard disk drive and lists and corrects common errors. For more information about the **Chkdsk.exe** tool, see [Chkdsk](/windows-server/administration/windows-commands/chkdsk). - **Migrate in groups.**
@@ -112,7 +112,7 @@ As the authorized administrator, it's the responsibility to protect the privacy The migration performance can be affected when the **\** element is used with the **\** element. For example, when encapsulating logical units of file- or path-based **\** and **\** rules. In the **User** context, a rule is processed one time for each user on the system. - + In the **System** context, a rule is processed one time for the system. In the **UserAndSystem** context, a rule is processed one time for each user on the system and one time for the system.
diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md
index e48768162a..68eaa5f6d0 100644
--- a/windows/deployment/volume-activation/monitor-activation-client.md
+++ b/windows/deployment/volume-activation/monitor-activation-client.md
@@ -34,7 +34,7 @@ You can monitor the success of the activation process for a computer running Win - Using the Volume Licensing Service Center website to track use of MAK keys.
-- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options](/previous-versions//ff793433(v=technet.10)).
+- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options). - Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it's available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index dee94991fe..ee148819de 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -62,7 +62,8 @@ Volume licensing offers customized programs that are tailored to the size and pu - Purchase a fully packaged retail product The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
-Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
+
+Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and Visual Studio Online. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing. > [!NOTE] > Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md
index a483753c32..21815eaad8 100644
--- a/windows/deployment/volume-activation/volume-activation-windows-10.md
+++ b/windows/deployment/volume-activation/volume-activation-windows-10.md
@@ -37,7 +37,7 @@ ms.subservice: itpro-fundamentals This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. -*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [MSDN Subscriptions](https://visualstudio.microsoft.com/msdn-platforms/). +*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [Visual Studio Online](https://visualstudio.microsoft.com/msdn-platforms/). Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation. 
@@ -47,7 +47,7 @@ Because most organizations won't immediately switch all computers to Windows 10, Volume activation -and the need for activation itself- isn't new, and this guide doesn't review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
-If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide for Windows 7](/previous-versions/tn-archive/dd878528(v=technet.10)).
+If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide](/previous-versions/tn-archive/dd878528(v=technet.10)). To successfully plan and implement a volume activation strategy, you must:
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
deleted file mode 100644
index a45b5e94dc..0000000000
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ /dev/null
@@ -1,196 +0,0 @@ ---- -title: Windows 10 deployment scenarios (Windows 10) -description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. -manager: aaroncz -ms.author: frankroj -author: frankroj -ms.service: windows-client -ms.localizationpriority: medium -ms.topic: article -ms.date: 11/23/2022 -ms.subservice: itpro-deploy ---- - -# Windows 10 deployment scenarios - -*Applies to:* - -- Windows 10 - -To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each. - -## Deployment categories - -The following tables summarize various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. - -- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). - - > [!NOTE] - > Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. - -- Dynamic deployment methods enable you to configure applications and settings for specific use cases. - -- Traditional deployment methods use existing tools to deploy operating system images. 
- -### Modern - -|Scenario|Description|More information| -|--- |--- |--- | -|[Windows Autopilot](#windows-autopilot)|Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured|[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot)| -|[In-place upgrade](#in-place-upgrade)|Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.|[Perform an in-place upgrade to Windows 10 with MDT](/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit)
    [Perform an in-place upgrade to Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager)| - -### Dynamic - -|Scenario|Description|More information| -|--- |--- |--- | -|[Subscription Activation](#windows-10-subscription-activation)|Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.|[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)| -|[Microsoft Entra ID / MDM](#dynamic-provisioning)|The device is automatically joined to Microsoft Entra ID and configured by MDM.|[Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)| -|[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)| - -### Traditional - -|Scenario|Description|More information| -|--- |--- |--- | -|[Bare metal](#new-computer)|Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy a Windows 10 image using MDT](/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt)
    [Deploy Windows 10 using PXE and Configuration Manager](/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager)| -|[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)
    [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)| -|[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)
    [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)| - -> [!IMPORTANT] -> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
    -> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. - -## Modern deployment methods - -Modern deployment methods embrace both traditional on-premises and cloud services to deliver a simple, streamlined, and cost effective deployment experience. - -### Windows Autopilot - -Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. - -For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). - -### In-place upgrade - -For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 uses the Windows installation program (Setup.exe) is to perform an in-place upgrade. An in-place upgrade: - -- Automatically preserves all data, settings, applications, and drivers from the existing operating system version -- Requires the least IT effort, because there's no need for any complex deployment infrastructure - -Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. Control is accomplished by using tools like Microsoft Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. 
- -The in-place upgrade process is designed to be reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by using the automatically created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications don't need to be reinstalled as part of the process. - -Existing applications are preserved through the process. So, the upgrade process uses the standard Windows installation media image (Install.wim). Custom images aren't needed and can't be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) - -Scenarios that support in-place upgrade with some other procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. - -- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. 
- -- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) - -There are some situations where you can't use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: - -- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. - -- Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. - -- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail. - -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken. 
- -## Dynamic provisioning - -For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image. A custom image was used because a custom image was often faster and easier than using the preinstalled version. However, reimaging with a custom image is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it's now possible to avoid using custom images. - -The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include: - -### Windows 10 Subscription Activation - -Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). - - - -### Microsoft Entra join with automatic mobile device management (MDM) enrollment - -In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Microsoft Entra ID and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). - -### Provisioning package configuration - -When you use the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. 
These packages can then be deployed to new PCs through various means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). - -These scenarios can be used to enable "choose your own device" (CYOD) programs. With these programs, organization users can pick their own PC and aren't restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). - -While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts. - -## Traditional deployment - -New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). - -With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them. - -The traditional deployment scenario can be divided into different sub-scenarios. 
These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary: - -- **New computer**: A bare-metal deployment of a new machine. -- **Computer refresh**: A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup). -- **Computer replace**: A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup). - -### New computer - -Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate a full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD). - -The deployment process for the new machine scenario is as follows: - -1. Start the setup from boot media (CD, USB, ISO, or PXE). - -2. Wipe the hard disk clean and create new volume(s). - -3. Install the operating system image. - -4. Install other applications (as part of the task sequence). - -After you follow these steps, the computer is ready for use. - -### Computer refresh - -A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario. - -The deployment process for the wipe-and-load scenario is as follows: - -1. Start the setup on a running operating system. - -2. Save the user state locally. - -3. 
Wipe the hard disk clean (except for the folder containing the backup). - -4. Install the operating system image. - -5. Install other applications. - -6. Restore the user state. - -After you follow these steps, the machine is ready for use. - -### Computer replace - -A computer replace is similar to the refresh scenario. However, since we're replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored. - -The deployment process for the replace scenario is as follows: - -1. Save the user state (data and settings) on the server through a backup job on the running operating system. - -2. Deploy the new computer as a bare-metal deployment. - - > [!NOTE] - > In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk. 
-
-## Related articles
-
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with Microsoft Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
-- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)
-- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
-- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference)
-- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
-- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi)
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
deleted file mode 100644
index 7cfea55299..0000000000
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ /dev/null
@@ -1,188 +0,0 @@
----
-title: Windows 10/11 Enterprise E3 in CSP
-description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition.
-ms.service: windows-client
-ms.localizationpriority: medium
-ms.date: 11/23/2022
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.topic: article
-ms.subservice: itpro-deploy
----
-
-# Windows 10/11 Enterprise E3 in CSP
-
-*Applies to:*
-
-- Windows 10
-- Windows 11
-
-Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available.
-
-Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites:
-
-- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
-- Microsoft Entra available for identity management
-
-You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Microsoft Entra credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
- -Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features. - -When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits: - -- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. -- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. -- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days). -- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization. -- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. - -How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? - -- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. 
-- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - - - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. - - **Training**. These benefits include training vouchers, online e-learning, and a home use program. - - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. - - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. - - In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. - -In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to the Enterprise edition of Windows 10 or Windows 11. - -## Compare Windows 10 Pro and Enterprise editions - -Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. - -### Table 1. 
Windows 10 Enterprise features not found in Windows 10 Pro - -|Feature|Description| -|--- |--- | -|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

    Credential Guard has the following features:
  • **Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
  • **Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
  • **Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.
  • **Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

    For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).

    *Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*| -|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

    Device Guard protects in the following ways:
  • Helps protect against malware
  • Helps protect the Windows system core from vulnerability and zero-day exploits
  • Allows only trusted apps to run

    For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).| -|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

    For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).| -|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

    For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).| -|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.

    When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

    UE-V provides the following features:
  • Specify which application and Windows settings synchronize across user devices
  • Deliver the settings anytime and anywhere users work throughout the enterprise
  • Create custom templates for your third-party or line-of-business applications
  • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

    For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).| -|Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:
  • Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands
  • Removing Log Off (the User tile) from the Start menu
  • Removing frequent programs from the Start menu
  • Removing the All Programs list from the Start menu
  • Preventing users from customizing their Start screen
  • Forcing Start menu to be either full-screen size or menu size
  • Preventing changes to Taskbar and Start menu settings| - -## Deployment of Windows 10/11 Enterprise E3 licenses - -See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). - -## Deploy Windows 10/11 Enterprise features - -Now that you have Windows 10/11 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows-10-pro-and-enterprise-editions)? - -The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10/11 Enterprise edition features. - -### Credential Guard - -> [!NOTE] -> Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present). - -You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: - -- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. - -- **Manual**. You can manually turn on Credential Guard by taking one of the following actions: - - - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). 
- - - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - - You can automate these manual steps by using a management tool such as Microsoft Configuration Manager. - -For more information about implementing Credential Guard, see the following resources: - -- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) -- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations) -- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) - -### Device Guard - -Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: - -1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate. - -2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. 
You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. - -3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. - -4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. - -5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. - -6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. - -7. 
**Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. - -For more information about implementing Device Guard, see: - -- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) -- [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) - -### AppLocker management - -You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that you have AD DS and that the Windows 10/11 Enterprise devices are joined to your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. - -For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide). - -### App-V - -App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows: - -- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. - -- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. 
You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. - -- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices. - -For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: - -- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started) -- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server) -- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client) - -### UE-V - -UE-V requires server and client-side components that you'll need to download, activate, and install. These components include: - -- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. - -- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location. - -- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. - -- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. 
You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates aren't required for Windows applications. - -- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications. - -For more information about deploying UE-V, see the following resources: - -- [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows) -- [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started) -- [Prepare a UE-V Deployment](/windows/configuration/ue-v/uev-prepare-for-deployment) - -### Managed User Experience - -The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. - -#### Table 2. Managed User Experience features - -| Feature | Description | -|------------------|-----------------| -| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
    For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). | -| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.
    For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). | -| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
    For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). | -| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
    For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). | -| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.
    For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). | -| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
    For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). | - -## Related articles - -[Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)
    -[Connect domain-joined devices to Microsoft Entra ID for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
    -[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
    -[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
    diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 0ea49d8ff8..c481efb0a5 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -157,7 +157,7 @@ The procedures in this guide are summarized in the following table. An estimate You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
- If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
+ If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [winmgmt](/windows/win32/wmisdk/winmgmt) for troubleshooting information.
 5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt: 
@@ -230,15 +230,9 @@ The procedures in this guide are summarized in the following table. An estimate ## Download MDOP and install DaRT > [!IMPORTANT]
-> This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
-
-
-1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
+1. Download the Microsoft Desktop Optimization Pack 2015 to the Hyper-V host from Visual Studio Online or from the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/p/?LinkId=166331) site. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
 2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
@@ -780,7 +774,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr [Settings] Priority=Default Properties=OSDMigrateConfigFiles,OSDMigrateMode - + [Default] DoCapture=NO ComputerBackupLocation=NONE 
@@ -1092,7 +1086,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example). - Select **Next** twice and then select **Close** in both windows.
-3. Select **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Don't proceed until this name is displayed.
+3. Select **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Don't proceed until this name is displayed.
 ### Create a new deployment
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 2ce3939cc7..91aadc47e7 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -118,8 +118,6 @@ The two Windows Server VMs can be combined into a single VM to conserve RAM and ### Verify support and install Hyper-V
-Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. - -1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: ```cmd
@@ -1046,4 +1044,4 @@ Use the following procedures to verify that the PoC environment is configured pr ## Next steps
-[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+- [Windows 10 deployment scenarios](windows-deployment-scenarios.md). 
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
deleted file mode 100644
index 53e3545bcc..0000000000
--- a/windows/deployment/windows-10-subscription-activation.md
+++ /dev/null 
@@ -1,260 +0,0 @@
----
-title: Windows subscription activation
-description: In this article, you'll learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions.
-ms.service: windows-client
-ms.subservice: itpro-fundamentals
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection:
- - highpri
- - tier2
-ms.topic: conceptual
-ms.date: 11/14/2023
-appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
----
-
-# Windows subscription activation
-
-The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition.
-
-If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business).
-
-The subscription activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and then rebooting client devices.
-
-This article covers the following information:
-
-- [Subscription activation](#subscription-activation-for-enterprise): An introduction to subscription activation for Windows Enterprise.
-- [Subscription activation for Education](#subscription-activation-for-education): Information about subscription activation for Windows Education.
-- [Inherited activation](#inherited-activation): Allow virtual machines to inherit activation state from their Windows client host.
-- [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment.
-- [Requirements](#requirements): Prerequisites to use the Windows subscription activation model.
-- [Benefits](#benefits): Advantages of subscription-based licensing.
-- [How it works](#how-it-works): A summary of the subscription-based licensing option.
-- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows subscription activation for VMs in the cloud.
-
-For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
-
-> [!NOTE]
->
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
->
-> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
-> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
->
-> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant.
->
-> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
-
-## Subscription activation for Enterprise
-
-Windows Enterprise E3 and E5 are available as online services via subscription. You can deploy Windows Enterprise in your organization without keys and reboots.
-
-- Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise.
-- Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions.
-
-Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Microsoft Entra ID using [Microsoft Entra Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
-
-> [!NOTE]
-> Subscription activation is available for qualifying devices running Windows 10 or Windows 11. You can't use subscription activation to upgrade from Windows 10 to Windows 11.
-
-## Subscription activation for Education
-
-Subscription activation for Education works the same as the Enterprise edition, but in order to use subscription activation for Education, you must have a device running Windows Pro Education and an active subscription plan with an Enterprise license. For more information, see the [requirements](#windows-education-requirements) section.
-
-## Inherited activation
-
-Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses a Microsoft Entra account on a VM.
-
-To support inherited activation, both the host computer and the VM must be running a supported version of Windows 10 or Windows 11. The hypervisor platform must also be Windows Hyper-V.
-
-## The evolution of deployment
-
-> [!TIP]
-> The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus).
-
-The following list illustrates how deploying Windows client has evolved with each release:
-
-- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
-
-- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade. This process was considered a "repair upgrade", because the OS version was the same before and after. This upgrade was a lot easier than wipe-and-load, but it was still time-consuming.
-
-- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This process required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
-
-- **Windows 10, version 1607** made a large leap forward. You could just change the product key and the edition instantly changed from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can inject a key using slmgr.vbs, which injects the key into WMI. It became trivial to do this process using a command line.
-
-- **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for devices that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
-
-- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Microsoft Entra ID for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Microsoft Entra ID, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
-
-- **Windows 10, version 1803** updated Windows 10 subscription activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It was no longer necessary to run a script to activate Windows 10 Pro before activating Enterprise. For virtual machines and hosts running Windows 10, version 1803, [inherited activation](#inherited-activation) was also enabled.
-
-- **Windows 10, version 1903** updated Windows 10 subscription activation to enable step-up from Windows 10 Pro Education to Windows 10 Education for devices with a qualifying Windows 10 or Microsoft 365 subscription.
-
-- **Windows 11, version 21H2** updated subscription activation to work on both Windows 10 and Windows 11 devices.
-
- > [!IMPORTANT]
- > Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated.
-
-## Requirements
-
-### Windows Enterprise requirements
-
-> [!NOTE]
-> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
-
-> [!IMPORTANT]
-> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
-
-For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
-
-- A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded.
-- Microsoft Entra available for identity management.
-- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
-
-For Microsoft customers that don't have EA or MPSA, you can get Windows Enterprise E3/E5 or A3/A5 licenses through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses. For more information about getting Windows Enterprise E3 through your CSP, see [Windows Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
-
-### Windows Education requirements
-
-- A supported version of Windows Pro Education installed on the devices to be upgraded.
-- A device with a Windows Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
-- The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription.
-- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
-
-> [!IMPORTANT]
-> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
-
-## Benefits
-
-With Windows Enterprise or Education editions, your organization can benefit from enterprise-level security and control.
Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Education or Enterprise editions to their users. With Windows Enterprise E3/E5 or A3/A5 being available as an online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows features.
-
-To compare Windows 10 editions and review pricing, see the following sites:
-
-- [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)
-- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing)
-
-You can benefit by moving to Windows as an online service in the following ways:
-
-- Licenses for Windows Enterprise and Education are checked based on Microsoft Entra credentials. You have a systematic way to assign licenses to end users and groups in your organization.
-
-- User sign-in triggers a silent edition upgrade, with no reboot required.
-
-- Support for mobile worker and "bring your own device" (BYOD) activation. This support transitions away from on-premises KMS and MAK keys.
-
-- Compliance support via seat assignment.
-
-- Licenses can be updated to different users dynamically, which allows you to optimize your licensing investment against changing needs.
-
-## How it works
-
-> [!NOTE]
-> The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions.
-
-The device is Microsoft Entra joined from **Settings** > **Accounts** > **Access work or school**.
-
-You assign Windows 10 Enterprise to a user:
-
-![A screenshot of assigning a Windows 10 Enterprise license in the Microsoft 365 admin center.](images/ent.png)
-
-When a licensed user signs in to a device that meets requirements using their Microsoft Entra credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked.
When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires.
-
-> [!NOTE]
-> Devices running a supported version of Windows 10 Pro Education can get Windows 10 Enterprise or Education general availability channel on up to five devices for each user covered by the license. This benefit doesn't include the long term servicing channel.
-
-The following figure summarizes how the subscription activation model works:
-
-![Diagram of subscription activation.](images/after.png)
-
-> [!NOTE]
->
-> - A Windows 10 Pro Education device will only step-up to Windows 10 Education edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center.
->
-> - A Windows 10 Pro device will only step-up to Windows 10 Enterprise edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center.
-
-### Scenarios
-
-#### Scenario #1
-
-You're using a supported version of Windows 10. You purchased Windows 10 Enterprise E3 or E5 subscriptions, or you've had an E3 or E5 subscription for a while but haven't yet deployed Windows 10 Enterprise.
-
-All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise. When a subscription activation-enabled user signs in, devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to subscription activated Enterprise edition.
-
-#### Scenario #2
-
-You're using Microsoft Entra joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Microsoft Entra synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Microsoft Entra ID. You then assign that license to all of your Microsoft Entra users, which can be Active Directory-synced accounts.
When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise.
-
-#### Earlier versions of Windows
-
-If devices are running Windows 7, more steps are required. A wipe-and-load approach still works, but it can be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise edition. This path is supported, and completes the move in one step. This method also works for devices with Windows 8.1 Pro.
-
-### Licenses
-
-The following policies apply to acquisition and renewal of licenses on devices:
-
-- Devices that have been upgraded will attempt to renew licenses about every 30 days. They must be connected to the internet to successfully acquire or renew a license.
-
-- If a device is disconnected from the internet, until its current subscription expires Windows will revert to Pro or Pro Education. As soon as the device is connected to the internet again, the license will automatically renew.
-
-- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, on the computer to which a user hasn't logged for the longest time, Windows will revert to Pro or Pro Education.
-
-- If a device meets the requirements and a licensed user signs in on that device, it will be upgraded.
-
-Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
-
-When you have the required Microsoft Entra subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
-
-### Existing Enterprise deployments
-
-If you're running a supported version of Windows 10 or Windows 11, subscription activation will automatically pull the firmware-embedded Windows activation key and activate the underlying Pro license.
The license will then step-up to Enterprise using subscription activation. This behavior automatically migrates your devices from KMS or MAK activated Enterprise to subscription activated Enterprise.
-
-Subscription activation doesn't remove the need to activate the underlying OS. This requirement still exists for running a genuine installation of Windows.
-
-> [!CAUTION]
-> Firmware-embedded Windows activation happens automatically only during Windows Setup out of box experience (OOBE).
-
-If the computer has never been activated with a Pro key, use the following script from an elevated PowerShell console:
-
-```powershell
-$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
-```
-
-
-
-### Obtaining a Microsoft Entra ID license
-
-If your organization has an Enterprise Agreement (EA) or Software Assurance (SA):
-
-- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Microsoft Entra ID. Ideally, you assign the licenses to groups using the Microsoft Entra ID P1 or P2 feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
-
-- The license administrator can assign seats to Microsoft Entra users with the same process that's used for Microsoft 365 Apps.
-
-- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
-
-If your organization has a Microsoft Products & Services Agreement (MPSA):
-
-- New customers are automatically emailed the details of the service. Take steps to process the instructions.
-
-- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
-
-- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
-
-### Deploying licenses
-
-For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
-
-## Virtual Desktop Access (VDA)
-
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
-
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
-
-## Related sites
-
-Connect domain-joined devices to Microsoft Entra ID for Windows experiences. For more information, see [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
-
-[Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11)
-
-[Windows for business](https://www.microsoft.com/windows/business)
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index 62fb152578..2c3b28dac0 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -1,83 +1,78 @@
 ---
-title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10)
-description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
+title: Windows ADK for Windows scenarios for IT Pros
+description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that IT Pros can use to deploy Windows.
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.service: windows-client
 ms.localizationpriority: medium
-ms.date: 11/23/2022
+ms.date: 02/13/2024
 ms.topic: article
 ms.subservice: itpro-deploy
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
 ---
-# Windows ADK for Windows 10 scenarios for IT Pros
+# Windows ADK for Windows scenarios for IT Pros
-The [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
-
-In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](/windows-hardware/manufacture/desktop/).
-
-Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
+The [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) contains tools that IT Pros can use to deploy Windows. For an overview of what's new in the latest version of the Windows ADK, see [What's new in the ADK tools](/windows-hardware/get-started/what-s-new-in-kits-and-tools). For the ADK reference content, see [Desktop manufacturing](/windows-hardware/manufacture/desktop/).
 ## Create a Windows image using command-line tools
 [DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images.
-Here are some things you can do with DISM:
+Here are some things that can be done with DISM:
-- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
-- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image)
-- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism)
-- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism)
-- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
-- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism)
-- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism)
+- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image).
+- [Add and Remove Driver packages to an offline Windows Image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image).
+- [Enable or Disable Windows Features Using DISM](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism).
+- [Add or Remove Packages Offline Using DISM](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism).
+- [Add languages to Windows images](/windows-hardware/manufacture/desktop/add-language-packs-to-windows).
+- [Preinstall Apps Using DISM](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism).
+- [Change the Windows Image to a Higher Edition Using DISM](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism).
-[Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows you to capture a customized installation.
+[Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows capturing a customized Windows installation.
-Here are some things you can do with Sysprep:
+Here are some things that can be done with Sysprep:
-- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation)
-- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
-- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep)
+- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation#generalize-a-windows-installation).
+- [Customize the default user profile by using CopyProfile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile).
+- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep).
-[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
+[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. Windows PE can be booted into to install a new operating system, recover data, or repair an existing operating system.
-Here are ways you can create a WinPE image:
+A WinPE image can be created using the article [Create bootable Windows PE media](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive). Types of bootable media include:
-- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
-- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+- [Create a bootable Windows PE USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#create-a-bootable-windows-pe-usb-drive).
+- [Create a WinPE ISO, DVD, or CD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#create-a-winpe-iso-dvd-or-cd).
+- [Create a Windows PE VHD to use with Hyper-V](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive#create-a-windows-pe-vhd-to-use-with-hyper-v).
 [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is a recovery environment that can repair common operating system problems.
-Here are some things you can do with Windows RE:
+Here are some things that can be done with Windows RE:
-- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re)
-- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview)
+- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re).
+- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview).
-[Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps you create answer files that change Windows settings and run scripts during installation.
+[Windows System Image Manager (WSIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps create answer files that change Windows settings and run scripts during Windows installation.
-Here are some things you can do with Windows SIM:
+Here are some things that can be done with WSIM:
-- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file)
-- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file)
-- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file)
-- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file)
+- [Create or Open an Answer File](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file).
+- [Add a Device Driver Path to an Answer File](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file).
+- [Add a Package to an Answer File](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file).
+- [Add a Custom Command to an Answer File](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file).
-For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center.
+For a list of settings that can be changed, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/).
 ### Create a provisioning package using Windows ICD
-Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) or Windows 10 IoT Core (IoT Core) image.
-
-Here are some things you can do with Windows ICD:
-
-- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
-- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+[Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows for desktop editions (Home, Pro, Enterprise, and Education) or a Windows IoT Core (IoT Core) image. Creating, applying, and exporting provisioning packages with the Windows ICD is covered in the article [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
 ### IT Pro Windows deployment tools
-There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet:
+There are also a few tools included in the Windows ADK that are specific to IT Pros:
 - [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
 - [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index 53d37167e5..dd113afcfc 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Device registration overview
-description: This article provides an overview on how to register devices in Autopatch
-ms.date: 07/25/2023
+description: This article provides an overview on how to register devices in Autopatch.
+ms.date: 02/15/2024
 ms.service: windows-client
 ms.subservice: itpro-updates
 ms.topic: conceptual
@@ -19,13 +19,13 @@ ms.collection:
 Windows Autopatch must [register your existing devices](windows-autopatch-register-devices.md) into its service to manage update deployments on your behalf.
-The Windows Autopatch device registration process is transparent for end-users because it doesn’t require devices to be reset.
+The Windows Autopatch device registration process is transparent for end-users because it doesn't require devices to be reset.
 The overall device registration process is as follows:
 :::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png":::
-1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch.
+1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) before registering devices with Windows Autopatch.
 2. IT admin identifies devices to be managed by Windows Autopatch through either adding device-based Microsoft Entra groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
 3. Windows Autopatch then:
 1. Performs device readiness prior registration (prerequisite checks).
@@ -47,12 +47,12 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
 | ----- | ----- |
 | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
 | **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Microsoft Entra ID assigned or dynamic groups into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group when using adding existing device-based Microsoft Entra groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group
| -| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group or from Microsoft Entra groups used with Autopatch groups in **step #2**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.
  1. Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:
    1. **AzureADDeviceID**
    2. **OperatingSystem**
    3. **DisplayName (Device name)**
    4. **AccountEnabled**
    5. **RegistrationDateTime**
    6. **ApproximateLastSignInDateTime**
  2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
| -| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
  1. **Serial number, model, and manufacturer.**
    1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
  2. **If the device is Intune-managed or not.**
    1. Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.
      1. If **yes**, it means this device is enrolled into Intune.
      2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.
      1. Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
      2. A common reason is when the Microsoft Entra device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
    3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
  3. **If the device is a Windows device or not.**
    1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
      1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
      2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
  4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
    1. **Enterprise**
    2. **Pro**
    3. **Pro Workstation**
  5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
    1. **Only managed by Intune.**
      1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
    2. **Co-managed by both Configuration Manager and Intune.**
      1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
        1. **Windows Updates Policies**
        2. **Device Configuration**
        3. **Office Click to Run**
      2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
| -| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
  1. If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
  2. If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
| -| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Microsoft Entra groups:
  1. **Modern Workplace Devices-Windows Autopatch-First**
    1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Microsoft Entra group (**Modern Workplace Devices-Windows Autopatch-Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
  2. **Modern Workplace Devices-Windows Autopatch-Fast**
  3. **Modern Workplace Devices-Windows Autopatch-Broad**
  4. Then the second deployment ring set, the software updates-based deployment ring set represented by the following Microsoft Entra groups:
    • **Windows Autopatch - Ring1**
      • The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Microsoft Entra groups (**Windows Autopatch - Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    • **Windows Autopatch - Ring2**
    • **Windows Autopatch - Ring3**
| +| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group or from Microsoft Entra groups used with Autopatch groups in **step #2**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.
  1. Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:
    1. **AzureADDeviceID**
    2. **OperatingSystem**
    3. **DisplayName (Device name)**
    4. **AccountEnabled**
    5. **RegistrationDateTime**
    6. **ApproximateLastSignInDateTime**
  2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements before registration.
| +| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
  1. **If the device is Intune-managed or not.**
    1. Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.
      1. If **yes**, it means this device is enrolled into Intune.
      2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.
      1. Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn't enrolled into Intune.
      2. A common reason is when the Microsoft Entra device ID is stale, it doesn't have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
    3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
  2. **If the device is a Windows device or not.**
    1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
      1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
      2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
  3. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
    1. **Enterprise**
    2. **Pro**
    3. **Pro Workstation**
  4. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
    1. **Only managed by Intune.**
      1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
    2. **Co-managed by both Configuration Manager and Intune.**
      1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
        1. **Windows Updates Policies**
        2. **Device Configuration**
        3. **Office Click to Run**
      2. If Windows Autopatch determines that one of these workloads isn't enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
| +| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
  1. If the Windows Autopatch tenant's existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
  2. If the Windows Autopatch tenant's existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
| +| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Microsoft Entra groups:
  1. **Modern Workplace Devices-Windows Autopatch-First**
    1. The Windows Autopatch device registration process doesn't automatically assign devices to the Test ring represented by the Microsoft Entra group (**Modern Workplace Devices-Windows Autopatch-Test**). It's important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
  2. **Modern Workplace Devices-Windows Autopatch-Fast**
  3. **Modern Workplace Devices-Windows Autopatch-Broad**
  4. Then the second deployment ring set, the software updates-based deployment ring set represented by the following Microsoft Entra groups:
    • **Windows Autopatch - Ring1**
      • The Windows Autopatch device registration process doesn't automatically assign devices to the Test ring represented by the Microsoft Entra groups (**Windows Autopatch - Test**). It's important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    • **Windows Autopatch - Ring2**
    • **Windows Autopatch - Ring3**
| | **Step 7: Assign devices to a Microsoft Entra group** | Windows Autopatch also assigns devices to the following Microsoft Entra groups when certain conditions apply:
  1. **Modern Workplace Devices - All**
    1. This group has all devices managed by Windows Autopatch.
  2. **Modern Workplace Devices - Virtual Machine**
    1. This group has all **virtual devices** managed by Windows Autopatch.
    | -| **Step 8: Post-device registration** | In post-device registration, three actions occur:
    1. Windows Autopatch adds devices to its managed database.
    2. Flags devices as **Active** in the **Registered** tab.
    3. The Microsoft Entra device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
      1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
      | +| **Step 8: Post-device registration** | In post-device registration, three actions occur:
      1. Windows Autopatch adds devices to its managed database.
      2. Flags devices as **Active** in the **Registered** tab.
      3. The Microsoft Entra device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension's allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
        1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
        | | **Step 9: Review device registration status** | IT admins review the device registration status in both the **Registered** and **Not registered** tabs.
        1. If the device was **successfully registered**, the device shows up in the **Registered** tab.
        2. If **not**, the device shows up in the **Not registered** tab.
        | | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. | @@ -86,7 +86,7 @@ The five Microsoft Entra ID assigned groups that are used to organize devices fo | Windows Autopatch - Ring1 | First production deployment ring for early adopters. | | Windows Autopatch - Ring2 | Fast deployment ring for quick rollout and adoption. | | Windows Autopatch - Ring3 | Final deployment ring for broad rollout into the organization. | -| Windows Autopatch - Last | Optional deployment ring for specialized devices or VIP/executives that must receive software update deployments after it’s well tested with early and general populations in an organization. | +| Windows Autopatch - Last | Optional deployment ring for specialized devices or VIP/executives that must receive software update deployments after it's well tested with early and general populations in an organization. | In the software-based deployment ring set, each deployment ring has a different set of update deployment policies to control the updates rollout. 
@@ -94,7 +94,7 @@ In the software-based deployment ring set, each deployment ring has a different
 > Adding or importing devices directly into any of these groups isn't supported. Doing so might affect the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](#moving-devices-in-between-deployment-rings).
 > [!IMPORTANT]
-> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or software updates-based (**Windows Autopatch – Test and Windows Autopatch – Last**) in the Default Autopatch group. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
+> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or software updates-based (**Windows Autopatch - Test and Windows Autopatch - Last**) in the Default Autopatch group. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
 During the device registration process, Windows Autopatch assigns each device to a [service-based and software-update based deployment ring](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings) so that the service has the proper representation of device diversity across your organization.
@@ -107,15 +107,15 @@ The deployment ring distribution is designed to release software update deployme The Windows Autopatch deployment ring calculation occurs during the device registration process and it applies to both the [service-based and the software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings): -- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. -- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. +- If the Windows Autopatch tenant's existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. +- If the Windows Autopatch tenant's existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. > [!NOTE] > You can customize the deployment ring calculation logic by editing the Default Autopatch group. | Service-based deployment ring | Default Autopatch group deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | ----- | -| Test | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
        • **0–500** devices: minimum **one** device.
        • **500–5000** devices: minimum **five** devices.
        • **5000+** devices: minimum **50** devices.
        Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| Test | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
        • **0-500** devices: minimum **one** device.
        • **500-5000** devices: minimum **five** devices.
        • **5000+** devices: minimum **50** devices.
        Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | | First | Ring 1 | **1%** | The First ring is the first group of production users to receive a change.

        This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

        Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | Ring 2 | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

        The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

        | | Broad | Ring 3 | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| 
@@ -123,17 +123,17 @@ The Windows Autopatch deployment ring calculation occurs during the device reg
 ## Software update-based to service-based deployment ring mapping
-There’s a one-to-one mapping in between the service-based and software updates-based deployment rings introduced with Autopatch groups. This mapping is intended to help move devices in between deployment rings for other software update workloads that don’t yet support Autopatch groups such as Microsoft 365 Apps and Microsoft Edge.
+There's a one-to-one mapping in between the service-based and software updates-based deployment rings introduced with Autopatch groups. This mapping is intended to help move devices in between deployment rings for other software update workloads that don't yet support Autopatch groups such as Microsoft 365 Apps and Microsoft Edge.
 | If moving a device to | The device also moves to |
 | ----- | ----- |
-| Windows Autopatch – Test | Modern Workplace Devices-Windows Autopatch-Test |
-| Windows Autopatch – Ring1 | Modern Workplace Devices-Windows Autopatch-First |
-| Windows Autopatch – Ring2 | Modern Workplace Devices-Windows Autopatch-Fast |
-| Windows Autopatch – Ring3 | Modern Workplace Devices-Windows Autopatch-Broad |
-| Windows Autopatch – Last | Modern Workplace Devices-Windows Autopatch-Broad |
+| Windows Autopatch - Test | Modern Workplace Devices-Windows Autopatch-Test |
+| Windows Autopatch - Ring1 | Modern Workplace Devices-Windows Autopatch-First |
+| Windows Autopatch - Ring2 | Modern Workplace Devices-Windows Autopatch-Fast |
+| Windows Autopatch - Ring3 | Modern Workplace Devices-Windows Autopatch-Broad |
+| Windows Autopatch - Last | Modern Workplace Devices-Windows Autopatch-Broad |
-If your Autopatch groups have more than five deployment rings, and you must move devices to deployment rings after Ring3. For example, ``. The devices will be moved to **Modern Workplace Devices-Windows Autopatch-Broad**.
+If your Autopatch groups have more than five deployment rings, and you must move devices to deployment rings after Ring3. For example, ``. The devices will be moved to **Modern Workplace Devices-Windows Autopatch-Broad**.
 ## Moving devices in between deployment rings
@@ -162,7 +162,7 @@ If you don't see the Ring assigned by column change to **Pending** in St
 ## Automated deployment ring remediation functions
-Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test** and **Windows Autopatch – Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
+Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
 - Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
 - An issue occurred which prevented devices from getting a deployment ring assigned during the device registration process.
@@ -171,8 +171,8 @@ There are two automated deployment ring remediation functions:
 | Function | Description |
 | ----- | ----- |
-| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test and Windows Autopatch – Last** rings). |
-| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test** and **Windows Autopatch – Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. |
+| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test and Windows Autopatch - Last** rings). |
+| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring.
| > [!IMPORTANT] -> Windows Autopatch automated deployment ring functions don’t assign or remove devices to or from the following deployment rings:
      4. **Modern Workplace Devices-Windows Autopatch-Test**
      5. **Windows Autopatch – Test**
      6. **Windows Autopatch – Last**
      7. +> Windows Autopatch automated deployment ring functions don't assign or remove devices to or from the following deployment rings:
      8. **Modern Workplace Devices-Windows Autopatch-Test**
      9. **Windows Autopatch - Test**
      10. **Windows Autopatch - Last**
      11. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index c7521c70a0..e541bf8d2e 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -23,7 +23,7 @@ Autopatch groups is a logical container or unit that groups several [Microsoft E ## Autopatch groups prerequisites -Before you start managing Autopatch groups, ensure you’ve met the following prerequisites: +Before you start managing Autopatch groups, ensure you've met the following prerequisites: - Review [Windows Autopatch groups overview documentation](../deploy/windows-autopatch-groups-overview.md) to understand [key benefits](../deploy/windows-autopatch-groups-overview.md#key-benefits), [concepts](../deploy/windows-autopatch-groups-overview.md#key-concepts) and [common ways to use Autopatch groups](../deploy/windows-autopatch-groups-overview.md#common-ways-to-use-autopatch-groups) within your organization. - Ensure the following [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) are created in your tenant: 
@@ -32,23 +32,23 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr - Modern Workplace Update Policy [Fast]-[Windows Autopatch] - Modern Workplace Update Policy [Broad]-[Windows Autopatch] - Ensure the following [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) are created in your tenant: - - Windows Autopatch – DSS Policy [Test] - - Windows Autopatch – DSS Policy [First] - - Windows Autopatch – DSS Policy [Fast] - - Windows Autopatch – DSS Policy [Broad] -- Ensure the following Microsoft Entra ID assigned groups are in your tenant before using Autopatch groups. **Don’t** modify the Microsoft Entra group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly. + - Windows Autopatch - DSS Policy [Test] + - Windows Autopatch - DSS Policy [First] + - Windows Autopatch - DSS Policy [Fast] + - Windows Autopatch - DSS Policy [Broad] +- Ensure the following Microsoft Entra ID assigned groups are in your tenant before using Autopatch groups. **Don't** modify the Microsoft Entra group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly. 
- Modern Workplace Devices-Windows Autopatch-Test - Modern Workplace Devices-Windows Autopatch-First - Modern Workplace Devices-Windows Autopatch-Fast - Modern Workplace Devices-Windows Autopatch-Broad - - Windows Autopatch – Test - - Windows Autopatch – Ring1 - - Windows Autopatch – Ring2 - - Windows Autopatch – Ring3 - - Windows Autopatch – Last + - Windows Autopatch - Test + - Windows Autopatch - Ring1 + - Windows Autopatch - Ring2 + - Windows Autopatch - Ring3 + - Windows Autopatch - Last - Additionally, **don't** modify the Microsoft Entra group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** enterprise application as the owner of these groups. - For more information, see [assign an owner or member of a group in Microsoft Entra ID](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Microsoft Entra groups. -- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to: +- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won't work properly. Autopatch uses app-only auth to: - Read device attributes to successfully register devices. - Manage all configurations related to the operation of the service. - Make sure that all device-based Microsoft Entra groups you intend to use with Autopatch groups are created prior to using the feature. 
@@ -86,7 +86,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr 1. Once the review is done, select **Create** to save your custom Autopatch group. > [!CAUTION] -> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that’s been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom). +> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom). > [!IMPORTANT] > Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. 
@@ -94,13 +94,13 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr ## Edit the Default or a Custom Autopatch group > [!TIP] -> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there’s one or more on-going Windows feature update release targeted to this Autopatch group.**" +> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there's one or more on-going Windows feature update release targeted to this Autopatch group.**" > See [Manage Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md) for more information on release and phase statuses. **To edit either the Default or a Custom Autopatch group:** 1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. -1. You can only modify the **description** of the Default or a Custom Autopatch group. You **can’t** modify the name. Once the description is modified, select **Next: Deployment rings**. +1. You can only modify the **description** of the Default or a Custom Autopatch group. You **can't** modify the name. Once the description is modified, select **Next: Deployment rings**. 1. Make the necessary changes in the **Deployment rings** page, then select **Next: Windows Update settings**. 1. Make the necessary changes in the **Windows Update settings** page, then select **Next: Review + save**. 1. Select **Review + create** to review all changes made. 
@@ -111,7 +111,7 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr ## Rename a Custom Autopatch group -You **can’t** rename the Default Autopatch group. However, you can rename a Custom Autopatch group. +You **can't** rename the Default Autopatch group. However, you can rename a Custom Autopatch group. **To rename a Custom Autopatch group:** @@ -123,7 +123,7 @@ You **can’t** rename the Default Autopatch group. However, you can rename a Cu ## Delete a Custom Autopatch group -You **can’t** delete the Default Autopatch group. However, you can delete a Custom Autopatch group. +You **can't** delete the Default Autopatch group. However, you can delete a Custom Autopatch group. **To delete a Custom Autopatch group:** @@ -131,7 +131,7 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu 1. Select **Yes** to confirm you want to delete the Custom Autopatch group. > [!CAUTION] -> You can’t delete a Custom Autopatch group when it’s being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses. +> You can't delete a Custom Autopatch group when it's being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses. ## Manage device conflict scenarios when using Autopatch groups 
@@ -140,7 +140,7 @@ Overlap in device membership is a common scenario when working with device-based Since Autopatch groups allow you to use your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur. > [!CAUTION] -> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that’s been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom). +> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom). ### Device conflict in deployment rings within an Autopatch group @@ -162,21 +162,21 @@ Device conflict across different deployment rings in different Autopatch groups | Conflict scenario | Conflict resolution | | ----- | ----- | -| You, the IT admin at Contoso Ltd., starts using only the Default Autopatch group, but later decides to create an Autopatch group called “Marketing”.

        However, you notice that the same devices that belong to the deployment rings in the Default Autopatch group are now also part of the new deployment rings in the Marketing Autopatch group.

        | Autopatch groups automatically resolve this conflict on your behalf.

        In this example, devices that belong to the deployment rings as part of the “Marketing” Autopatch group take precedence over devices that belong to the deployment ring in the Default Autopatch group, because you, the IT admin, demonstrated clear intent on managing deployment rings using a Custom Autopatch group outside the Default Autopatch group.

        | +| You, the IT admin at Contoso Ltd., starts using only the Default Autopatch group, but later decides to create an Autopatch group called "Marketing".

        However, you notice that the same devices that belong to the deployment rings in the Default Autopatch group are now also part of the new deployment rings in the Marketing Autopatch group.

        | Autopatch groups automatically resolve this conflict on your behalf.

        In this example, devices that belong to the deployment rings as part of the "Marketing" Autopatch group take precedence over devices that belong to the deployment ring in the Default Autopatch group, because you, the IT admin, demonstrated clear intent on managing deployment rings using a Custom Autopatch group outside the Default Autopatch group.

        | #### Custom to Custom Autopatch group device conflict | Conflict scenario | Conflict resolution | | ----- | ----- | -| You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.

        Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. You’re required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.

        | +| You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.

        Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. You're required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.

        | #### Device conflict prior to device registration -When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Microsoft Entra groups, used in Autopatch groups’ deployment rings, are registered with the service. +When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Microsoft Entra groups, used in Autopatch groups' deployment rings, are registered with the service. | Conflict scenario | Conflict resolution | | ----- | ----- | -| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.

        Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Microsoft Entra groups that are used with the Custom Autopatch groups don’t have device membership overlaps.

        | +| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.

        Devices will fail to register with the service and will be sent to the **Not registered** tab. You're required to make sure the Microsoft Entra groups that are used with the Custom Autopatch groups don't have device membership overlaps.

        | #### Device conflict post device registration diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md index 54267b0f17..2e2ab90f1a 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md @@ -17,7 +17,7 @@ ms.collection: # Windows Autopatch groups overview -As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they’re challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups help organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions. +As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they're challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups help organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions. ## What are Windows Autopatch groups? 
@@ -56,7 +56,7 @@ There are a few key concepts to be familiar with before using Autopatch groups. > [!NOTE] > The Default Autopatch group is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. -The Default Autopatch group uses Windows Autopatch’s default update management process recommendation. The Default Autopatch group contains: +The Default Autopatch group uses Windows Autopatch's default update management process recommendation. The Default Autopatch group contains: - A set of **[five deployment rings](#default-deployment-ring-composition)** - A default update deployment cadence for both [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md) and [feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md). 
@@ -64,21 +64,21 @@ The Default Autopatch group uses Windows Autopatch’s default update management The Default Autopatch group is intended to serve organizations that are looking to: - Enroll into the service -- Align to Windows Autopatch’s default update management process without requiring more customizations. +- Align to Windows Autopatch's default update management process without requiring more customizations. -The Default Autopatch group **can’t** be deleted or renamed. However, you can customize its deployment ring composition to add and/or remove deployment rings, and you can also customize the update deployment cadences for each deployment ring within it. +The Default Autopatch group **can't** be deleted or renamed. However, you can customize its deployment ring composition to add and/or remove deployment rings, and you can also customize the update deployment cadences for each deployment ring within it. #### Default deployment ring composition By default, the following [software update-based deployment rings](#software-based-deployment-rings), represented by Microsoft Entra ID assigned groups, are used: -- Windows Autopatch – Test -- Windows Autopatch – Ring1 -- Windows Autopatch – Ring2 -- Windows Autopatch – Ring3 -- Windows Autopatch – Last +- Windows Autopatch - Test +- Windows Autopatch - Ring1 +- Windows Autopatch - Ring2 +- Windows Autopatch - Ring3 +- Windows Autopatch - Last -**Windows Autopatch – Test** and **Last** can be only used as **Assigned** device distributions. **Windows Autopatch – Ring1**, **Ring2** and **Ring3** can be used with either **Assigned** or **Dynamic** device distributions, or have a combination of both device distribution types. +**Windows Autopatch - Test** and **Last** can be only used as **Assigned** device distributions. **Windows Autopatch - Ring1**, **Ring2** and **Ring3** can be used with either **Assigned** or **Dynamic** device distributions, or have a combination of both device distribution types. 
> [!TIP] > For more information about the differences between **Assigned** and **Dynamic** deployment ring distribution types, see [about deployment rings](#about-deployment-rings). Only deployment rings that are placed in between the **Test** and the **Last** deployment rings can be used with the **Dynamic** deployment ring distributions. @@ -86,7 +86,7 @@ By default, the following [software update-based deployment rings](#software-bas > [!CAUTION] > These and other Microsoft Entra ID assigned groups created by Autopatch groups **can't** be missing in your tenant, otherwise, Autopatch groups might not function properly. -The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organization’s general population to mitigate disruptions to your organization’s critical businesses. +The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organization's general population to mitigate disruptions to your organization's critical businesses. #### Default update deployment cadences 
@@ -144,7 +144,7 @@ Both the **Test** and **Last** deployment rings are default deployment rings tha If you only keep Test and Last deployment rings in your Default Autopatch group, or you don't add more deployment rings when creating a Custom Autopatch group, the Test deployment ring can be used as the pilot deployment ring and Last can be used as the production deployment ring. > [!IMPORTANT] -> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn’t required, consider managing these devices outside Windows Autopatch. +> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn't required, consider managing these devices outside Windows Autopatch. > [!TIP] > Both the **Test** and **Last** deployment rings only support one single Microsoft Entra group assignment at a time. If you need to assign more than one Microsoft Entra group, you can nest the other Microsoft Entra groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Microsoft Entra group nesting is supported. 
@@ -168,7 +168,7 @@ The following are the Microsoft Entra ID assigned groups that represent the serv - Modern Workplace Devices-Windows Autopatch-Broad > [!CAUTION] -> **Don’t** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

        Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.

        +> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

        Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.

        ##### Software-based deployment rings @@ -177,16 +177,16 @@ The software-based deployment ring set is exclusively used with software update The following are the Microsoft Entra ID assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed: - Windows Autopatch - Test -- Windows Autopatch – Ring1 -- Windows Autopatch – Ring2 -- Windows Autopatch – Ring3 -- Windows Autopatch – Last +- Windows Autopatch - Ring1 +- Windows Autopatch - Ring2 +- Windows Autopatch - Ring3 +- Windows Autopatch - Last > [!IMPORTANT] > Additional Microsoft Entra ID assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group. > [!CAUTION] -> **Don’t** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

        Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.

        +> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

        Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.

        ### About device registration @@ -203,7 +203,7 @@ The following are three common uses for using Autopatch groups. | Scenario | Solution | | ----- | ----- | -| You’re working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don’t have extra time to spend setting up and managing several Autopatch groups.

        Your organization currently operates its update management by using five deployment rings, but there’s an opportunity to have flexible deployment cadences if it’s precommunicated to your end-users.

        | If you don’t have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.

        The Default Autopatch group is preconfigured and doesn’t require extra configurations when registering devices with the Windows Autopatch service.

        The following is a visual representation of a gradual rollout for the Default Autopatch group preconfigured and fully managed by the Windows Autopatch service.

        | +| You're working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don't have extra time to spend setting up and managing several Autopatch groups.

        Your organization currently operates its update management by using five deployment rings, but there's an opportunity to have flexible deployment cadences if it's precommunicated to your end-users.

        | If you don't have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.

        The Default Autopatch group is preconfigured and doesn't require extra configurations when registering devices with the Windows Autopatch service.

        The following is a visual representation of a gradual rollout for the Default Autopatch group preconfigured and fully managed by the Windows Autopatch service.

        | :::image type="content" source="../media/autopatch-groups-default-autopatch-group.png" alt-text="Default Autopatch group" lightbox="../media/autopatch-groups-default-autopatch-group.png"::: @@ -211,7 +211,7 @@ The following are three common uses for using Autopatch groups. | Scenario | Solution | | ----- | ----- | -| You’re working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units. For example, you can create a Custom Autopatch group for the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and then for the business.

        The following is a visual representation of a gradual rollout for Contoso’s Finance department.

        | +| You're working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units. For example, you can create a Custom Autopatch group for the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and then for the business.

        The following is a visual representation of a gradual rollout for Contoso's Finance department.

        | :::image type="content" source="../media/autopatch-groups-finance-department-example.png" alt-text="Finance department example" lightbox="../media/autopatch-groups-finance-department-example.png"::: @@ -222,7 +222,7 @@ The following are three common uses for using Autopatch groups. | Scenario | Solution | | ----- | ----- | -| You’re working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesn’t experience disruptions in its operations. | You can create a Custom Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.

        The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.

        | +| You're working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesn't experience disruptions in its operations. | You can create a Custom Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.

        The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.

        | :::image type="content" source="../media/autopatch-groups-contoso-chicago-example.png" alt-text="Contoso Chicago example" lightbox="../media/autopatch-groups-contoso-chicago-example.png"::: diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index df6c726ade..e48ce95422 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -18,7 +18,7 @@ ms.collection: # Post-device registration readiness checks (public preview) > [!IMPORTANT] -> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a “Preview” basis. You can test and use these features in production environments and scenarios, and provide feedback. +> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios, and provide feedback. One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle. @@ -41,7 +41,7 @@ Device readiness in Windows Autopatch is divided into two different scenarios: | ----- | ----- | |
        • Windows OS (build, architecture and edition)
        • Managed by either Intune or ConfigMgr co-management
        • ConfigMgr co-management workloads
        • Last communication with Intune
        • Personal or non-Windows devices
        |
        • Windows OS (build, architecture and edition)
        • Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict
        • Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)
        • Internet connectivity
        | -The status of each post-device registration readiness check is shown in the Windows Autopatch’s Devices blade under the **Not ready** tab. You can take appropriate action(s) on devices that aren't ready to be fully managed by the Windows Autopatch service. +The status of each post-device registration readiness check is shown in the Windows Autopatch's Devices blade under the **Not ready** tab. You can take appropriate action(s) on devices that aren't ready to be fully managed by the Windows Autopatch service. ## About the three tabs in the Devices blade @@ -57,8 +57,8 @@ Windows Autopatch has three tabs within its Devices blade. Each tab is designed | Tab | Description | | ----- | ----- | | Ready | This tab only lists devices with the **Active** status. Devices with the **Active** status successfully:
        • Passed the prerequisite checks.
        • Registered with Windows Autopatch.
        This tab also lists devices that have passed all postdevice registration readiness checks. | -| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.
        • **Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.
        • **Inactive**: Devices that haven't communicated with the Microsoft Intune service in the last 28 days.
        | -| Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn’t pass one or more prerequisite checks during the device registration process. | +| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.
        • **Readiness failed status**: Devices that didn't pass one or more post-device registration readiness checks.
        • **Inactive**: Devices that haven't communicated with the Microsoft Intune service in the last 28 days.
        | +| Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn't pass one or more prerequisite checks during the device registration process. | ## Details about the post-device registration readiness checks 
@@ -76,12 +76,12 @@ The following list of post-device registration readiness checks is performed in | ----- | ----- | | **Windows OS build, architecture, and edition** | Checks to see if devices support Windows 1809+ build (10.0.17763), 64-bit architecture and either Pro or Enterprise SKUs. | | **Windows update policies managed via Microsoft Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Intune (MDM). | -| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn’t support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Intune. | -| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn’t support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). | +| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn't support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Intune. | +| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn't support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). 
| | **Windows Autopatch network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. | | **Microsoft Teams network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Teams must be able to reach for software updates management. | | **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. | -| **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsoft’s public URLs two times each, to confirm that ping results aren't coming from the device’s cache. | +| **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsoft's public URLs two times each, to confirm that ping results aren't coming from the device's cache. | ## Post-device registration readiness checks workflow @@ -93,8 +93,8 @@ See the following diagram for the post-device registration readiness checks work | ----- | ----- | | **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).| | **Step 8: Perform readiness checks** |
        1. Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
        2. The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.
        | -| **Step 9: Check readiness status** |
        1. The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.
        2. The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch’s service.
        | -| **Step 10: Add devices to the Not ready** | When devices don’t pass one or more readiness checks, even if they’re registered with Windows Autopatch, they’re added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. | +| **Step 9: Check readiness status** |
        1. The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.
        2. The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch's service.
        | +| **Step 10: Add devices to the Not ready** | When devices don't pass one or more readiness checks, even if they're registered with Windows Autopatch, they're added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. | | **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show back up into the **Ready** tab. | ## FAQ @@ -102,7 +102,7 @@ See the following diagram for the post-device registration readiness checks work | Question | Answer | | ----- | ----- | | **How frequent are the post-device registration readiness checks performed?** |
        • The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).
        • Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
        • The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.
        • The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
        | -| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don’t meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch will provide information about the failure and how to potentially remediate devices.

        Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.

        | +| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don't meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch will provide information about the failure and how to potentially remediate devices.

        Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.

        | ## Additional resources diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 4c94d150e3..27c2f9f084 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices -description: This article details how to register devices in Autopatch -ms.date: 07/25/2023 +description: This article details how to register devices in Autopatch. +ms.date: 02/15/2024 ms.service: windows-client ms.subservice: itpro-updates ms.topic: how-to 
@@ -33,7 +33,7 @@ Windows Autopatch can take over software update management control of devices th When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service. -If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Microsoft Entra groups instead of the Windows Autopatch Device Registration group. +If devices aren't registered, Autopatch groups starts the device registration process by using your existing device-based Microsoft Entra groups instead of the Windows Autopatch Device Registration group. For more information, see [create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [edit Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to register devices using the Autopatch groups device registration method. 
@@ -83,7 +83,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set - Devices must have Serial Number, Model and Manufacturer. > [!NOTE] -> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch. +> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. > [!IMPORTANT] > Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. @@ -178,7 +178,7 @@ The service supports: - Personal persistent virtual machines -The following Azure Virtual Desktop features aren’t supported: +The following Azure Virtual Desktop features aren't supported: - Multi-session hosts - Pooled non persistent virtual machines 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md index dbc576651d..b8373cff62 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md @@ -47,7 +47,7 @@ Windows Autopatch assigns alerts to either Microsoft Action or Customer Action. ## Alert resolutions -Alert resolutions are provided through the Windows Update service and provide the reason why an update didn’t perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md). +Alert resolutions are provided through the Windows Update service and provide the reason why an update didn't perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md). | Alert message | Description | Windows Autopatch recommendation(s) | | ----- | ----- | ----- | @@ -85,11 +85,11 @@ Alert resolutions are provided through the Windows Update service and provide th | `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

        If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

        | | `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

        If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

        | | `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is usually false, and the update probably succeeded. | The Windows Update Service has reported the update you're trying to install isn't available.

        No action is required.

        If the update is still available, retry the installation.

        | -| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don’t** retry the installation until the impact is understood.

        For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).

        | +| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don't** retry the installation until the impact is understood.

        For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).

        | | `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service has reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.

        For more information about safeguards, see [Windows 10/11 release information for the affected version(s)](/windows/release-health/release-information).

        | | `UnexpectedShutdown` | The installation was stopped because a Windows shutdown or restart was in progress. | The Windows Update service has reported Windows was unexpectedly restarted during the update process.

        No action is necessary the update should retry when windows is available.

        If the alert persists, ensure the device remains on during Windows installation.

        | | `VersionMismatch` | Device is on a version of Windows that wasn't intended by Windows Update. | The Windows Update service has reported that the version of Windows wasn't intended.

        Confirm whether the device is on the intended version.

        | -| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.

        For more information, see [Windows boot issues – troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).

        | +| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.

        For more information, see [Windows boot issues - troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).

        | | `WUBusy` | Windows Update can't do this task because it's busy. | The Windows Update service has reported that Windows Update is busy. No action is needed. Restart Windows should and retry the installation. | | `WUComponentMissing` | Windows Update might be missing a component, or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.

        Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, to repair these components. Then retry the update.

        For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

        | | `WUDamaged` | Windows Update or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.

        Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges to repair these components. Then retry the update.

        For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

        | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md index d9c2ce3ef0..159e11b310 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md @@ -23,7 +23,7 @@ You can create custom releases for Windows feature update deployments in Windows Before you start managing custom Windows feature update releases, consider the following: -- If you’re planning on using either the [Default or Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#key-concepts) ensure: +- If you're planning on using either the [Default or Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#key-concepts) ensure: - The Default Autopatch group has all deployment rings and deployment cadences you need. - You have created all your Custom Autopatch groups prior to creating custom releases. - Review [Windows feature update prerequisites](/mem/intune/protect/windows-10-feature-updates#prerequisites). @@ -42,7 +42,7 @@ The following table explains the auto-populating assignment of your deployments | Phase 3 | Ring2 | Ring2 | | Phase 4 | Last | Ring3 | -If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won’t be reflected unless you create a new custom release. +If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won't be reflected unless you create a new custom release. If you wish to change the auto-populating assignment of your deployment rings to release phases, you can do so by adding, removing, or editing the auto-populated phases. 
@@ -50,7 +50,7 @@ If you wish to change the auto-populating assignment of your deployment rings to The goal completion date of a phase is calculated using the following formula: -` + ( – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days).` +` + ( - 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days).` This formula is only applicable for **Deadline-driven** not for Scheduled-driven deployment cadences. For more information, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md). @@ -102,7 +102,7 @@ A phase is made of one or more Autopatch group deployment rings. Each phase repo | Phase status | Definition | | ----- | ----- | -| Scheduled | The phase is scheduled but hasn’t reached its first deployment date yet. The Windows feature update policy hasn’t been created for the respective phase yet. | +| Scheduled | The phase is scheduled but hasn't reached its first deployment date yet. The Windows feature update policy hasn't been created for the respective phase yet. | | Active | The first deployment date has been reached. The Windows feature update policy has been created for the respective phase. | | Inactive | All Autopatch groups within the phase were re-assigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. | | Paused | Phase is paused. You must resume the phase. | @@ -112,7 +112,7 @@ A phase is made of one or more Autopatch group deployment rings. Each phase repo Windows Autopatch creates one Windows feature update policy per phase using the following naming convention: -`Windows Autopatch – DSS policy – – Phase ` +`Windows Autopatch - DSS policy - - Phase ` These policies can be viewed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
@@ -120,11 +120,11 @@ The following table is an example of the Windows feature update policies that we | Policy name | Feature update version | Rollout options | First deployment date| Final deployment date availability | Day between groups | Support end date | | ----- | ----- | ----- | ----- | ----- | ----- | ----- | -| Windows Autopatch - DSS Policy - My feature update release – Phase 1 | Windows 10 21H2 | Make update available as soon as possible | April 24, 2023 | April 24, 2023 | N/A | June 11, 2024 | -| Windows Autopatch - DSS Policy - My feature update release – Phase 2 | Windows 10 21H2 | Make update available as soon as possible | June 26, 2023 | July 17, 2023 | 7 | June 11, 2024 | -| Windows Autopatch - DSS Policy - My feature update release – Phase 3 | Windows 10 21H2 | Make update available as soon as possible | July 24, 2023 | August 14, 2023 | 7 | June 11, 2024 | -| Windows Autopatch - DSS Policy - My feature update release – Phase 4 | Windows 10 21H2 | Make update available as soon as possible | August 28, 2023 | September 10, 2023 | 7 | June 11, 2024 | -| Windows Autopatch - DSS Policy - My feature update release – Phase 5 | Windows 10 21H2 | Make update available as soon as possible | September 25, 2023 | October 16, 2023 | 7 | June 11, 2024 | +| Windows Autopatch - DSS Policy - My feature update release - Phase 1 | Windows 10 21H2 | Make update available as soon as possible | April 24, 2023 | April 24, 2023 | N/A | June 11, 2024 | +| Windows Autopatch - DSS Policy - My feature update release - Phase 2 | Windows 10 21H2 | Make update available as soon as possible | June 26, 2023 | July 17, 2023 | 7 | June 11, 2024 | +| Windows Autopatch - DSS Policy - My feature update release - Phase 3 | Windows 10 21H2 | Make update available as soon as possible | July 24, 2023 | August 14, 2023 | 7 | June 11, 2024 | +| Windows Autopatch - DSS Policy - My feature update release - Phase 4 | Windows 10 21H2 | Make update available as soon as possible | August 28, 
2023 | September 10, 2023 | 7 | June 11, 2024 | +| Windows Autopatch - DSS Policy - My feature update release - Phase 5 | Windows 10 21H2 | Make update available as soon as possible | September 25, 2023 | October 16, 2023 | 7 | June 11, 2024 | ## Create a custom release 
@@ -142,11 +142,11 @@ The following table is an example of the Windows feature update policies that we 4. Select **Next**. 1. In the **Autopatch groups** page, choose one or more existing Autopatch groups you want to include in the custom release, then select Next. 1. You can't choose Autopatch groups that are already part of an existing custom release. Select **Autopatch groups assigned to other releases** to review existing assignments. -1. In the Release phases page, review the number of auto-populated phases. You can Edit, Delete and Add phase based on your needs. Once you’re ready, select **Next**. **Before you proceed to the next step**, all deployment rings must be assigned to a phase, and all phases must have deployment rings assigned. -1. In the **Release schedule** page, choose **First deployment date**, and the number of **Gradual rollout groups**, then select **Next**. **You can only select the next day**, not the current day, as the first deployment date. The service creates feature update policy for Windows 10 and later twice a day at 4:00AM and 4:00PM (UTC) and can’t guarantee that the release will start at the current day given the UTC variance across the globe. +1. In the Release phases page, review the number of auto-populated phases. You can Edit, Delete and Add phase based on your needs. Once you're ready, select **Next**. **Before you proceed to the next step**, all deployment rings must be assigned to a phase, and all phases must have deployment rings assigned. +1. In the **Release schedule** page, choose **First deployment date**, and the number of **Gradual rollout groups**, then select **Next**. **You can only select the next day**, not the current day, as the first deployment date. The service creates feature update policy for Windows 10 and later twice a day at 4:00AM and 4:00PM (UTC) and can't guarantee that the release will start at the current day given the UTC variance across the globe. 1. 
The **Goal completion date** only applies to the [Deadline-driven deployment cadence type](../operate/windows-autopatch-groups-windows-update.md#deadline-driven). The Deadline-drive deployment cadence type can be specified when you configure the Windows Updates settings during the Autopatch group creation/editing flow. - 2. Additionally, the formula for the goal completion date is ` + ( – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days)`. -1. In the **Review + create** page, review all settings. Once you’re ready, select **Create**. + 2. Additionally, the formula for the goal completion date is ` + ( - 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days)`. +1. In the **Review + create** page, review all settings. Once you're ready, select **Create**. > [!NOTE] > Custom releases can't be deleted from the Windows feature updates release management blade. The custom release record serves as a historical record for auditing purposes when needed. 
@@ -209,10 +209,10 @@ The following table is an example of the Windows feature update policies that we ## Roll back a release > [!CAUTION] -> Do **not** use Microsoft Intune’s end-user flows to rollback Windows feature update deployments for Windows Autopatch managed devices. If you need assistance with rolling back deployments, [submit a support request](../operate/windows-autopatch-support-request.md). +> Do **not** use Microsoft Intune's end-user flows to rollback Windows feature update deployments for Windows Autopatch managed devices. If you need assistance with rolling back deployments, [submit a support request](../operate/windows-autopatch-support-request.md). -Windows Autopatch **doesn’t** support the rollback of Windows feature updates through its end-user experience flows. +Windows Autopatch **doesn't** support the rollback of Windows feature updates through its end-user experience flows. ## Contact support -If you’re experiencing issues related to Windows feature update deployments, [submit a support request](../operate/windows-autopatch-support-request.md). +If you're experiencing issues related to Windows feature update deployments, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md index 16d8fd88e2..b6e42c0987 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md 
@@ -47,7 +47,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s ## Windows feature updates -You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version. +You're in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version. The Window feature update release management experience makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md index 5349c59fc1..f0300bdd0c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md 
@@ -17,7 +17,7 @@ ms.collection: # Windows feature updates overview -Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. +Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization's IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. Windows feature updates consist of: 
@@ -28,11 +28,11 @@ Windows Autopatch makes it easier and less expensive for you to keep your Window
## Service level objective
-Windows Autopatch’s service level objective for Windows feature updates aims to keep **95%** of eligible devices on the targeted Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) for its default and global releases maintained by the service, and custom releases created and managed by you.
+Windows Autopatch's service level objective for Windows feature updates aims to keep **95%** of eligible devices on the targeted Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) for its default and global releases maintained by the service, and custom releases created and managed by you.
## Device eligibility criteria
-Windows Autopatch’s device eligibility criteria for Windows feature updates aligns with [Windows Update for Business and Microsoft Intune’s device eligibility criteria](/mem/intune/protect/windows-10-feature-updates#prerequisites).
+Windows Autopatch's device eligibility criteria for Windows feature updates aligns with [Windows Update for Business and Microsoft Intune's device eligibility criteria](/mem/intune/protect/windows-10-feature-updates#prerequisites).
> [!IMPORTANT]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC.
You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
@@ -40,7 +40,7 @@ Windows Autopatch’s device eligibility criteria for Windows feature updates al
## Key benefits
- Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
-- You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
+- You're in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
- Combined with custom releases, Autopatch Groups gives your organization great control and flexibility to help you plan your gradual rollout in a way that works for your organization.
- Simplified end-user experience with rich controls for gradual rollouts, deployment cadence and speed.
- No need to manually modify the default Windows feature update policies (default release) to be on the Windows OS version your organization is currently ready for.
@@ -59,7 +59,7 @@ Windows Autopatch’s device eligibility criteria for Windows feature updates al
### Default release
-Windows Autopatch’s default Windows feature update release is a service-driven release that enforces the minimum Windows OS version currently serviced by the Windows servicing channels for the deployment rings in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
+Windows Autopatch's default Windows feature update release is a service-driven release that enforces the minimum Windows OS version currently serviced by the Windows servicing channels for the deployment rings in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
> [!TIP]
> Windows Autopatch allows you to [create custom Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release).
@@ -82,17 +82,17 @@ If your tenant is enrolled with Windows Autopatch, you can see the following def
| Policy name | Phase mapping | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Windows Autopatch – DSS Policy [Test] | Phase 1 | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023 | N/A | N/A | June 11, 2024 |
-| Windows Autopatch – DSS Policy [First] | Phase 2 | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023 | N/A | N/A | June 11, 2024 |
-| Windows Autopatch – DSS Policy [Fast] | Phase 3 | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023 | N/A | N/A | June 11, 2024 |
-| Windows Autopatch – DSS Policy [Broad] | Phase 4 | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023 | N/A | N/A | June 11, 2024 |
+| Windows Autopatch - DSS Policy [Test] | Phase 1 | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023 | N/A | N/A | June 11, 2024 |
+| Windows Autopatch - DSS Policy [First] | Phase 2 | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023 | N/A | N/A | June 11, 2024 |
+| Windows Autopatch - DSS Policy [Fast] | Phase 3 | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023 | N/A | N/A | June 11, 2024 |
+| Windows Autopatch - DSS Policy [Broad] | Phase 4 | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023 | N/A | N/A | June 11, 2024 |
> [!NOTE]
> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to a past date, all remaining devices are offered the update as soon as possible.
For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
### Global release
-Windows Autopatch’s global Windows feature update release is a service-driven release. Like the [default release](#default-release), the Global release enforces the [minimum Windows OS version currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
+Windows Autopatch's global Windows feature update release is a service-driven release. Like the [default release](#default-release), the Global release enforces the [minimum Windows OS version currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
There are two scenarios that the Global release is used:
@@ -110,7 +110,7 @@ See the following table on how Windows Autopatch configures the values for its g
| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Windows Autopatch – Global DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024 |
+| Windows Autopatch - Global DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024 |
> [!NOTE]
> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to be a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
@@ -118,7 +118,7 @@ See the following table on how Windows Autopatch configures the values for its g
### Differences between the default and global Windows feature update policies
> [!IMPORTANT]
-> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch group’s deployment rings behind the scenes.
+> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch group's deployment rings behind the scenes.
The differences in between the global and the default Windows feature update policy values are:
@@ -138,7 +138,7 @@ For more information on how to create a custom release, see [Manage Windows feat
### About Windows Update rings policies
-Feature update policies work with Windows Update rings policies. Windows Update rings policies are created for each deployment ring for the [Default or a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#key-concepts) based on the deployment settings you define. The policy name convention is `Windows Autopatch Update Policy – `.
+Feature update policies work with Windows Update rings policies. Windows Update rings policies are created for each deployment ring for the [Default or a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#key-concepts) based on the deployment settings you define. The policy name convention is `Windows Autopatch Update Policy - - `.
The following table details the default Windows Update rings policy values that affect either the default or custom Windows feature updates releases:
@@ -151,7 +151,7 @@ The following table details the default Windows Update rings policy values that
| Windows Autopatch Update Policy - default - Last | Windows Autopatch - Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes |
> [!IMPORTANT]
-> When you create a custom Windows feature update release, new Windows feature update policies are:
        • Created corresponding to the settings you defined while creating the release.
        • Assigned to the Autopatch group’s deployment rings you select to be included in the release.
        +> When you create a custom Windows feature update release, new Windows feature update policies are:
        • Created corresponding to the settings you defined while creating the release.
        • Assigned to the Autopatch group's deployment rings you select to be included in the release.
        ## Common ways to manage releases
@@ -159,7 +159,7 @@ The following table details the default Windows Update rings policy values that
| Scenario | Solution |
| ----- | ----- |
-| You’re working as the IT admin at Contoso Ltd., and you need to gradually rollout of Windows 11’s latest version to several business units across your organization. | Custom Windows feature update releases deliver OS upgrades horizontally, through phases, to one or more Autopatch groups.
        Phases:
        • Set your organization’s deployment cadence.
        • Work like deployment rings on top of Autopatch group’s deployment rings. Phases group one or more deployment rings across one or more Autopatch groups.

        See the following visual for a representation of Phases with custom releases. |
+| You're working as the IT admin at Contoso Ltd., and you need to gradually rollout of Windows 11's latest version to several business units across your organization. | Custom Windows feature update releases deliver OS upgrades horizontally, through phases, to one or more Autopatch groups.
        Phases:
        • Set your organization's deployment cadence.
        • Work like deployment rings on top of Autopatch group's deployment rings. Phases group one or more deployment rings across one or more Autopatch groups.

        See the following visual for a representation of Phases with custom releases. |
:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-1.png" alt-text="Manage Windows feature update release use case one" lightbox="../media/autopatch-groups-manage-feature-release-case-1.png":::
@@ -167,6 +167,6 @@ The following table details the default Windows Update rings policy values that
| Scenario | Solution |
| ----- | ----- |
-| You’re working as the IT admin at Contoso Ltd. and your organization isn’t ready to upgrade its devices to either Windows 11 or the newest Windows 10 OS versions due to conflicting project priorities within your organization.

        However, you want to keep Windows Autopatch managed devices supported and receiving monthly updates that are critical to security and the health of the Windows ecosystem.

        | Default Windows feature update releases deliver the minimum Windows OS upgrade vertically to each Windows Autopatch group (either [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [Custom](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)). The Default Windows Autopatch group is pre-configured with the [default Windows feature update release](#default-release) and no additional configuration is required from IT admins as Autopatch manages the default release on your behalf.

        If you decide to edit the default Windows Autopatch group to add additional deployment rings, these rings receive a [global Windows feature update policy](#global-release) set to offer the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to devices. Every custom Autopatch group you create gets a [global Windows feature update policy](#global-release) that enforces the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).

        See the following visual for a representation of default releases.

        |
+| You're working as the IT admin at Contoso Ltd. and your organization isn't ready to upgrade its devices to either Windows 11 or the newest Windows 10 OS versions due to conflicting project priorities within your organization.

        However, you want to keep Windows Autopatch managed devices supported and receiving monthly updates that are critical to security and the health of the Windows ecosystem.

        | Default Windows feature update releases deliver the minimum Windows OS upgrade vertically to each Windows Autopatch group (either [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [Custom](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)). The Default Windows Autopatch group is pre-configured with the [default Windows feature update release](#default-release) and no additional configuration is required from IT admins as Autopatch manages the default release on your behalf.

        If you decide to edit the default Windows Autopatch group to add additional deployment rings, these rings receive a [global Windows feature update policy](#global-release) set to offer the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to devices. Every custom Autopatch group you create gets a [global Windows feature update policy](#global-release) that enforces the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).

        See the following visual for a representation of default releases.

        |
:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-2.png" alt-text="Manage Windows feature update release use case two" lightbox="../media/autopatch-groups-manage-feature-release-case-2.png":::
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
index cabe4dfaea..eb73ee5af6 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
@@ -39,7 +39,7 @@ The following information is available in the Summary dashboard:
| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
-| Paused | Total device count reporting the status of the pause whether it’s Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
## Report options
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
index 27917abdec..fdacc1576c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
@@ -38,7 +38,7 @@ The Windows quality report types are organized into the following focus areas:
The Windows feature update reports monitor the health and activity of your deployments and help you understand if your devices are maintaining update compliance targets.
-If update deployments aren’t successful, Windows Autopatch provides information on update deployment failures and who needs to remediate. Certain update deployment failures might require either Windows Autopatch to act on your behalf or you to fix the issue.
+If update deployments aren't successful, Windows Autopatch provides information on update deployment failures and who needs to remediate. Certain update deployment failures might require either Windows Autopatch to act on your behalf or you to fix the issue.
The Windows feature update report types are organized into the following focus areas:
@@ -82,7 +82,7 @@ Up to date devices are devices that meet all of the following prerequisites:
- Have applied the current monthly cumulative updates
> [!NOTE]
-> [Up to Date devices](#up-to-date-devices) will remain with the **In Progress** status for the 21-day service level objective period until the device either applies the current monthly cumulative update or receives an [alert](../operate/windows-autopatch-device-alerts.md). If the device receives an alert, the device’s status will change to [Not up to Date](#not-up-to-date-devices).
+> [Up to Date devices](#up-to-date-devices) will remain with the **In Progress** status for the 21-day service level objective period until the device either applies the current monthly cumulative update or receives an [alert](../operate/windows-autopatch-device-alerts.md). If the device receives an alert, the device's status will change to [Not up to Date](#not-up-to-date-devices).
#### Up to Date sub statuses
@@ -93,7 +93,7 @@ Up to date devices are devices that meet all of the following prerequisites:
### Not up to Date devices
-Not Up to Date means a device isn’t up to date when the:
+Not Up to Date means a device isn't up to date when the:
- Quality or feature update is out of date, or the device is on the previous update.
- Device is more than 21 days overdue from the last release.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
index 2403081fce..46c4c92def 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@@ -27,14 +27,14 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, users can schedule restarts or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
-For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups, you can also customize the [Default Deployment Group’s deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
+For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups, you can also customize the [Default Deployment Group's deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
> [!IMPORTANT]
> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
## Service level objective
-Windows Autopatch aims to keep at least 95% of [Up to Date devices](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. Autopatch uses the previously defined release schedule on a per ring basis with a five-day reporting period to calculate and evaluate the service level objective (SLO).
The result of the service level objective is the column “% with the latest quality update” displayed in release management and reporting.
+Windows Autopatch aims to keep at least 95% of [Up to Date devices](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. Autopatch uses the previously defined release schedule on a per ring basis with a five-day reporting period to calculate and evaluate the service level objective (SLO). The result of the service level objective is the column "% with the latest quality update" displayed in release management and reporting.
### Service level objective calculation
@@ -68,7 +68,7 @@ The service level objective for each of these states is calculated as:
> [!IMPORTANT]
> This feature is in **public preview**. It's being actively developed, and might not be complete.
-You can import your organization’s existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization’s Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization’s existing update rings. 
+You can import your organization's existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization's Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization's existing update rings. 
Imported rings automatically register all targeted devices into Windows Autopatch. For more information about device registration, see the [device registration workflow diagram](../deploy/windows-autopatch-device-registration-overview.md#detailed-device-registration-workflow-diagram).
@@ -76,7 +76,7 @@ Imported rings automatically register all targeted devices into Windows Autopatc
> Devices which are registered as part of an imported ring, might take up to 72 hours after the devices have received the latest version of the policy, to be reflected in Windows Autopatch devices blade and reporting. For more information about reporting, see [Windows quality and feature update reports overview](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md).
> [!NOTE]
-> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch’s ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../operate/windows-autopatch-support-request.md).
+> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch's ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../operate/windows-autopatch-support-request.md).
### Import Update rings for Windows 10 and later
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
index fc6a2b0933..9f3cb93c97 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
@@ -38,7 +38,7 @@ The following information is available in the Summary dashboard:
| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
-| Paused | Total device count reporting the status of the pause whether it’s Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
## Report options
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
index dbabf6b2b8..8afa348a89 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
@@ -56,7 +56,7 @@ However, if an update has already started for a particular deployment ring, Wind #### Scheduled install > [!NOTE] ->If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective). +>If you select the Schedule install cadence type, the devices in that ring won't be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective). While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified. @@ -118,5 +118,5 @@ For more information, see [Windows Update settings you can manage with Intune up 1. Turn off all notifications included restart warnings 1. Select **Save** once you select the preferred setting. 7. Repeat the same process to customize each of the rings. Once done, select **Next**. -8. In **Review + apply**, you’ll be able to review the selected settings for each of the rings. +8. In **Review + apply**, you'll be able to review the selected settings for each of the rings. 9. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings. 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index 8c743e5ba1..0b6c9d7421 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -58,7 +58,7 @@ The type of banner that appears depends on the severity of the action. Currently
 | Action type | Severity | Description |
 | ----- | ----- | ----- |
 | Maintain tenant access | Critical | Required licenses have expired. The licenses include:
        • Microsoft Intune
        • Microsoft Entra ID P1 or P2
        • Windows 10/11 Enterprise E3 or higher
          • For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)

          To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)

          | -| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can’t manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.

          Reasons for tenant access issues:

          • You haven't yet migrated to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.
          • You have blocked or removed the permissions required for the Windows Autopatch enterprise application.

          Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.

          For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).

          | +| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can't manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.

          Reasons for tenant access issues:

          • You haven't yet migrated to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.
          • You have blocked or removed the permissions required for the Windows Autopatch enterprise application.

          Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.

          For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).

          | ### Inactive status @@ -76,5 +76,5 @@ To be taken out of the **inactive** status, you must [resolve any critical actio | Impact area | Description | | ----- | ----- | -| Management | Windows Autopatch isn’t able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:
          • Managing the Windows Autopatch service
          • Publishing the baseline configuration updates to your tenant’s devices
          • Maintaining overall service health

          For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications).

          | +| Management | Windows Autopatch isn't able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:
          • Managing the Windows Autopatch service
          • Publishing the baseline configuration updates to your tenant's devices
          • Maintaining overall service health

          For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications).

          | | Device updates | Changes to Windows Autopatch policies aren't pushed to your devices. The existing configurations on these devices remain unchanged, and they continue receiving updates. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md index 2e4074f881..9c38e97260 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md @@ -20,7 +20,7 @@ ms.collection: You can manage and control your driver and firmware updates with Windows Autopatch. You can choose to receive driver and firmware updates automatically, or self-manage the deployment. > [!TIP] -> Windows Autopatch's driver and firmware update management is based on [Intune’s driver and firmware update management](/mem/intune/protect/windows-driver-updates-overview). You can use **both** Intune and Windows Autopatch to manage your driver and firmware updates. +> Windows Autopatch's driver and firmware update management is based on [Intune's driver and firmware update management](/mem/intune/protect/windows-driver-updates-overview). You can use **both** Intune and Windows Autopatch to manage your driver and firmware updates. ## Automatic and Self-managed modes @@ -29,7 +29,7 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro | Modes | Description | | ----- | -----| | Automatic | We recommend using **Automatic** mode.

          Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues have occurred due to Windows Updates. Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout.

          | -| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.

          Self-managed mode turns off Windows Autopatch’s automatic driver deployment. Instead, the Administrator controls the driver deployment.

          The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.

          The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.

          | +| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.

          Self-managed mode turns off Windows Autopatch's automatic driver deployment. Instead, the Administrator controls the driver deployment.

          The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.

          The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.

          | ## Set driver and firmware updates to Automatic or Self-managed mode 
@@ -46,16 +46,16 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Navigate to **Devices** > **Driver updates for Windows 10 and later**. -1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch – Driver Update Policy** and end with the name of the deployment ring to which they're targeted in brackets. For example, **Windows Autopatch – Driver Update Policy [Test]**. +1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch - Driver Update Policy** and end with the name of the deployment ring to which they're targeted in brackets. For example, **Windows Autopatch - Driver Update Policy [Test]**. The `CreateDriverUpdatePolicy` is created for the Test, First, Fast, and Broad deployment rings. The policy settings are defined in the following table: | Policy name | DisplayName | Description | Approval Type | DeploymentDeferralInDays | | ----- | ----- | ----- | ----- | ----- | -| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [**Test**] | Driver Update Policy for device **Test** group | Automatic | `0` | -| `CreateDriverUpdatePolicy`| Windows Autopatch – Driver Update Policy [**First**] | Driver Update Policy for device **First** group | Automatic | `1` | -| `CreateDriverUpdatePolicy` |Windows Autopatch – Driver Update Policy [**Fast**] | Driver Update Policy for device **Fast** group | Automatic | `6` | -| `CreateDriverUpdatePolicy` | Windows Autopatch – Driver Update Policy [**Broad**] | Driver Update Policy for device **Broad** group | Automatic | `9` | +| `CreateDriverUpdatePolicy` | Windows Autopatch - Driver Update Policy [**Test**] | Driver Update Policy for device **Test** group | Automatic | `0` | +| `CreateDriverUpdatePolicy`| Windows Autopatch - Driver Update Policy [**First**] | Driver Update Policy for device **First** group | 
Automatic | `1` | +| `CreateDriverUpdatePolicy` |Windows Autopatch - Driver Update Policy [**Fast**] | Driver Update Policy for device **Fast** group | Automatic | `6` | +| `CreateDriverUpdatePolicy` | Windows Autopatch - Driver Update Policy [**Broad**] | Driver Update Policy for device **Broad** group | Automatic | `9` | ## Feedback and support diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 0808604bb9..f0c70e6586 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -97,10 +97,10 @@ For organizations seeking greater control, you can allow or block Microsoft 365 2. Navigate to the **Devices** > **Release Management** > **Release settings**. 3. Go to the **Microsoft 365 apps updates** section. By default, the **Allow/Block** toggle is set to **Allow**. 4. Turn off the **Allow** toggle to opt out of Microsoft 365 App update policies. You'll see the notification: *Update in process. This setting will be unavailable until the update is complete.* -5. Once the update is complete, you’ll receive the notification: *This setting is updated.* +5. Once the update is complete, you'll receive the notification: *This setting is updated.* > [!NOTE] -> If the notification: *This setting couldn’t be updated. Please try again or submit a support request.* appears, use the following steps:
          1. Refresh your page.
          2. Please repeat the same steps in To block Windows Autopatch Microsoft 365 apps updates.
          3. If the issue persists, [submit a support request](../operate/windows-autopatch-support-request.md).
          4. +> If the notification: *This setting couldn't be updated. Please try again or submit a support request.* appears, use the following steps:
            1. Refresh your page.
            2. Please repeat the same steps in To block Windows Autopatch Microsoft 365 apps updates.
            3. If the issue persists, [submit a support request](../operate/windows-autopatch-support-request.md).
            4. **To verify if the Microsoft 365 App update setting is set to Allow:** @@ -117,7 +117,7 @@ For organizations seeking greater control, you can allow or block Microsoft 365 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to **Devices** > **Configuration profiles** > **Profiles**. -3. The following **five** profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords “Office Configuration”. The result should return *0 profiles filtered*. +3. The following **five** profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords "Office Configuration". The result should return *0 profiles filtered*. 1. Windows Autopatch - Office Configuration 2. Windows Autopatch - Office Update Configuration [Test] 3. Windows Autopatch - Office Update Configuration [First] diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md index 686ad48014..208f3ef552 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md @@ -36,7 +36,7 @@ With this feature, IT admins can: - Initiate action for the Autopatch service to restore the deployment rings without having to raise an incident. > [!NOTE] -> You can rename your policies to meet your organization’s requirements. Do **not** rename the underlying Autopatch deployment groups. +> You can rename your policies to meet your organization's requirements. Do **not** rename the underlying Autopatch deployment groups. ## Check policy health 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
index fa421ba564..a628585c63 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
@@ -35,15 +35,15 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro | Responsibility | Description | | ----- | ----- | -| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). | +| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won't make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). | | Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Microsoft Entra device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). | ## Your responsibilities after unenrolling your tenant | Responsibility | Description | | ----- | ----- | -| Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. | -| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). | +| Updates | After the Windows Autopatch service is unenrolled, we'll no longer provide updates to your devices. 
You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. | +| Optional Windows Autopatch configuration | Windows Autopatch won't remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don't wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). | | Microsoft Intune roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. | ## Unenroll from Windows Autopatch @@ -56,4 +56,4 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro 2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner. 1. The Windows Autopatch Service Engineering Team proceeds with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment). 1. The Windows Autopatch Service Engineering Team informs you when unenrollment is complete. -1. You’re responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant). +1. You're responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant). diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index 356655746a..5db0cf29b6 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md 
@@ -259,7 +259,7 @@ For example, Configuration Manager Software Update Policy settings exclude Autop | Enable management of the Office 365 Client Agent | No | > [!NOTE] -> There is no requirement to create a Configuration Manager Software Update Policy if the policies aren’t in use. +> There is no requirement to create a Configuration Manager Software Update Policy if the policies aren't in use. #### Existing Mobile Device Management (MDM) policies diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 40ab383a98..4ef883d665 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -84,7 +84,7 @@ Windows Autopatch creates and uses guest accounts using just-in-time access func | Account name | Usage | Mitigating controls | | ----- | ----- | -----| | MsAdmin@tenantDomain.onmicrosoft.com |
              • This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.
              • This account doesn't have interactive sign-in permissions. The account performs operations only through the service.
              | Audited sign-ins | -| MsAdminInt@tenantDomain.onmicrosoft.com |
              • This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.
              • This account is used for interactive login to the customer’s tenant.
              • The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.
              |
              • Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy
              • Audited sign-ins
              | +| MsAdminInt@tenantDomain.onmicrosoft.com |
              • This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.
              • This account is used for interactive login to the customer's tenant.
              • The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.
              |
              • Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy
              • Audited sign-ins
              | | MsTest@tenantDomain.onmicrosoft.com | This account is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins | ## Microsoft Windows Update for Business diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index 4da408b889..f2217c4b0c 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -99,4 +99,4 @@ For more information and assistance with preparing for your Windows Autopatch de | Review and respond to Windows Autopatch management alerts
              • [Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)
              • [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)
              | :heavy_check_mark: | :x: | | [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: | | [Manage and respond to support requests](../operate/windows-autopatch-support-request.md#manage-an-active-support-request) | :x: | :heavy_check_mark: | -| Review the [What’s new](../whats-new/windows-autopatch-whats-new-2022.md) section to stay up to date with updated feature and service releases | :heavy_check_mark: | :x: | +| Review the [What's new](../whats-new/windows-autopatch-whats-new-2022.md) section to stay up to date with updated feature and service releases | :heavy_check_mark: | :x: | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md index 0d5ea5808e..677faf730d 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md 
@@ -22,7 +22,7 @@ ms.collection: During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issue(s). You can review any device marked as **Not ready** and remediate them to a **Ready** state. -Windows Autopatch monitors conflicting configurations. You’re notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it’s possible that other services write back the registry keys. It’s recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates. +Windows Autopatch monitors conflicting configurations. You're notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it's possible that other services write back the registry keys. It's recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates. The most common sources of conflicting configurations include: 
@@ -47,11 +47,11 @@ Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate Windows Autopatch recommends removing the conflicting configurations. The following remediation examples can be used to remove conflicting settings and registry keys when targeted at Autopatch-managed clients. > [!IMPORTANT] -> **It’s recommended to only target devices with conflicting configuration alerts**. The following remediation examples can affect devices that aren’t managed by Windows Autopatch, be sure to target accordingly. +> **It's recommended to only target devices with conflicting configuration alerts**. The following remediation examples can affect devices that aren't managed by Windows Autopatch, be sure to target accordingly. ### Intune Remediation -Navigate to Intune Remediations and create a remediation using the following examples. It’s recommended to create a single remediation per value to understand if the value persists after removal. +Navigate to Intune Remediations and create a remediation using the following examples. It's recommended to create a single remediation per value to understand if the value persists after removal. If you use either [**Detect**](#detect) and/or [**Remediate**](#remediate) actions, ensure to update the appropriate **Path** and **Value** called out in the Alert. For more information, see [Remediations](/mem/intune/fundamentals/remediations). 
@@ -97,7 +97,7 @@ Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpda ### Batch file -Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service. For more information, see [Using batch files: Scripting; Management Services](/previous-versions/windows/it-pro/windows-server-2003/cc758944(v=ws.10)?redirectedfrom=MSDN). +Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service. ```cmd @echo off 
@@ -128,15 +128,15 @@ Windows Registry Editor Version 5.00 ## Common sources of conflicting configurations -The following examples can be used to validate if the configuration is persistent from one of the following services. The list isn’t an exhaustive, and Admins should be aware that changes can affect devices not managed by Windows Autopatch and should plan accordingly. +The following examples can be used to validate if the configuration is persistent from one of the following services. The list isn't an exhaustive, and Admins should be aware that changes can affect devices not managed by Windows Autopatch and should plan accordingly. ### Group Policy management -Group Policy management is the most popular client configuration tool in most organizations. For this reason, it’s most often the source of conflicting configurations. Use Result Set of Policy (RSOP) on an affected client can quickly identify if configured policies conflict with Windows Autopatch. For more information, see Use Resultant Set of Policy to Manage Group Policy. +Group Policy management is the most popular client configuration tool in most organizations. For this reason, it's most often the source of conflicting configurations. Use Result Set of Policy (RSOP) on an affected client can quickly identify if configured policies conflict with Windows Autopatch. For more information, see Use Resultant Set of Policy to Manage Group Policy. 1. Launch an Elevated Command Prompt and enter `RSOP`. 1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** -1. If a Policy **doesn’t exist** in Windows Update, then it appears to not be Group Policy. +1. If a Policy **doesn't exist** in Windows Update, then it appears to not be Group Policy. 1. If a Policy **exists** in Windows Update is present, modify or limit the target of the conflicting policy to resolve the Alert. 1. 
If the **Policy name** is labeled **Local Group Policy**, these settings could have been applied during imaging or by Configuration Manager. @@ -146,7 +146,7 @@ Configuration Manager is a common enterprise management tool that, among many th 1. Go the **Microsoft Endpoint Configuration Manager Console**. 1. Navigate to **Administration** > **Overview** > **Client Settings**. -1. Ensure **Software Updates** isn’t configured. If configured, it’s recommended to remove these settings to prevent conflicts with Windows Autopatch. +1. Ensure **Software Updates** isn't configured. If configured, it's recommended to remove these settings to prevent conflicts with Windows Autopatch. ## Third-party solutions diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md index 187028d683..5cbc58d63a 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md @@ -20,7 +20,7 @@ ms.collection: The following policies contain settings that apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention: -**Modern Workplace Update Policy [ring name] – [Windows Autopatch]** +**Modern Workplace Update Policy [ring name] - [Windows Autopatch]** ### Windows 10 and later update settings 
@@ -52,7 +52,7 @@ The following policies contain settings that apply to both Windows quality and f
 | Setting name | Test | First | Fast | Broad |
 | ----- | ----- | ----- | ----- | ----- |
-| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad |
+| Included groups | Modern Workplace Devices-Windows Autopatch-Test | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad |
 | Excluded groups | None | None | None | None |
 ## Windows feature update policies
@@ -76,8 +76,8 @@ These policies control the minimum target version of Windows that a device is me
 | Setting name | Test | First | Fast | Broad |
 | ----- | ----- | ----- | ----- | ----- |
-| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad |
-| Excluded groups | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices |
+| Included groups | Modern Workplace Devices-Windows Autopatch-Test | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad |
+| Excluded groups | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices |
 #### Windows 11 testing
@@ -94,7 +94,7 @@ To allow customers to test Windows 11 in their environment, there's a separate D
 | Setting name | Test |
 | ----- | ----- |
-| Included groups | Modern Workplace – Windows 11 Pre-Release Test Devices |
+| Included groups | Modern Workplace - Windows 11 Pre-Release Test Devices |
 | Excluded groups | None |
 ## Conflicting and unsupported policies
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 7342084085..6c2340a5cb 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -34,7 +34,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 | Message center post number | Description |
 | ----- | ----- |
 | [MC697414](https://admin.microsoft.com/adminportal/home#/MessageCenter) | New Feature: Alerts for Windows Autopatch policy conflicts Public Preview announcement |
-| [MC695483](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Windows Autopatch configuration update – December 2023 |
+| [MC695483](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Windows Autopatch configuration update - December 2023 |
 ## November service release
diff --git a/windows/deployment/windows-deployment-scenarios.md b/windows/deployment/windows-deployment-scenarios.md
new file mode 100644
index 0000000000..7666f71041
--- /dev/null
+++ b/windows/deployment/windows-deployment-scenarios.md
@@ -0,0 +1,205 @@
+---
+title: Windows deployment scenarios
+description: Understand the different ways Windows operating system can be deployed in an organization. Explore several Windows deployment scenarios.
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
+ms.service: windows-client
+ms.localizationpriority: medium
+ms.topic: article
+ms.date: 02/13/2024
+ms.subservice: itpro-deploy
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
+---
+
+# Windows deployment scenarios
+
+To successfully deploy the Windows operating system in an organization, it's important to understand the different ways that it can be deployed. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each.
+
+## Deployment categories
+
+The following tables summarize various Windows deployment scenarios. The scenarios are each assigned to one of three categories.
+
+- Modern deployment methods are recommended unless a specific need requires use of a different procedure. These methods are supported with existing tools such as Microsoft Configuration Manager.
+
+ > [!NOTE]
+ >
+ > Once Windows is deployed in an organization, it's important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows feature updates.
+
+- Dynamic deployment methods enable configuration of applications and settings for specific use cases.
+
+- Traditional deployment methods use existing tools to deploy operating system images.
+
+### Modern
+
+|Scenario|Description|More information|
+|--- |--- |--- |
+|[Windows Autopilot](#windows-autopilot)|Customize the out-of-box-experience (OOBE) for an organization, and deploy a new system with apps and settings already configured|[Overview of Windows Autopilot](/autopilot/windows-autopilot)|
+|[In-place upgrade](#in-place-upgrade)|Use Windows Setup to update the Windows version and migrate apps and settings.
Rollback data is saved in Windows.old.|[Perform an in-place upgrade to Windows using Configuration Manager](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager)|
+
+### Dynamic
+
+|Scenario|Description|More information|
+|--- |--- |--- |
+|[Subscription Activation](#windows-subscription-activation)|Switch from Windows Pro to Enterprise when a subscribed user signs in.|[Windows Subscription Activation](windows-subscription-activation.md)|
+|[Microsoft Entra ID / MDM](#dynamic-provisioning)|The device is automatically joined to Microsoft Entra ID and configured by MDM.|[Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
+|[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)|
+
+### Traditional
+
+|Scenario|Description|More information|
+|--- |--- |--- |
+|[Bare metal](#new-computer)|Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy Windows using PXE and Configuration Manager](/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager)|
+|[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state.
| [Refresh a Windows client with a currently supported version of Windows using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)|
+|[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows client with a currently supported version of Windows using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)|
+
+> [!IMPORTANT]
+>
+> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS is a currently supported version of Windows.
+>
+> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
+
+## Modern deployment methods
+
+Modern deployment methods embrace both traditional on-premises and cloud services to deliver a streamlined and cost effective deployment experience.
+
+### Windows Autopilot
+
+Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows PCs and provide end users with a fully configured new Windows device. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
+
+For more information about Windows Autopilot, see [Overview of Windows Autopilot](/autopilot/windows-autopilot) and [Modernizing Windows deployment with Windows Autopilot](https://techcommunity.microsoft.com/t5/windows-blog-archive/modernizing-windows-deployment-with-windows-autopilot/ba-p/167042).
+
+### In-place upgrade
+
+For existing computers running out of support versions of Windows, the recommended path for organizations deploying Windows is to perform an in-place upgrade. An in-place upgrade uses the Windows installation program (`Setup.exe`) to:
+
+- Automatically preserves all data, settings, applications, and drivers from the existing operating system version
+- Requires the least IT effort, because there's no need for any complex deployment infrastructure
+
+Although consumer PCs are upgraded using Windows Update, organizations want more control over the process. Control is accomplished by using tools like Microsoft Configuration Manager to completely automate the upgrade process through simple task sequences.
+
+The in-place upgrade process is designed to be reliable. An in-place upgrade has the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by using the automatically created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications don't need to be reinstalled as part of the process.
+
+Existing applications are preserved through the process. The upgrade process uses the standard Windows installation media image (Install.wim). Custom images not only aren't needed, but they also can't be used. Custom images can't be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. For example, Contoso Timecard 1.0 in Windows 10 and Contoso Timecard 3.0 in the Windows 11 image.
+
+Scenarios that support in-place upgrade with some other procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
+
+- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it works fine to upgrade a system using legacy BIOS emulation. After the upgrade, the system disk can be converted to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk is converted, the firmware of the device must also be configured to boot in UEFI mode. Enabling UEFI also UEFI features such as Secure Boot to be enabled.
+
+> [!IMPORTANT]
+>
+> Performing an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS is only possible with Windows 10. Windows versions newer than Windows 10 only support UEFI-capable systems and don't support legacy BIOS or MBR.
+
+- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs might provide instructions on how to integrate their software into the in-place upgrade process. Check with the ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
+
+ - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
+ - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
+
+There are some situations where an in-place upgrade can't be used. In these situations, use traditional deployment methods instead. Examples of these situations include:
+
+- Changing from an x86 version of Windows 10 to an x64 version of Windows.
Versions of Windows newer than Windows 10 are only x64 and don't have an x86 version. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
+
+- Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
+
+- Updating existing images. It can be tempting to try to upgrade existing Windows images to a newer version of Windows by installing the old image, upgrading it, and then recapturing the new Windows image. However, this scenario isn't supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and doesn't work. When `Sysprep.exe` detects the upgraded OS, it fails.
+
+- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If using dual-boot or multi-boot systems with multiple operating systems, then extra care should be taken. Dual-boot and multi-boot systems doesn't include using virtual machines for the second and subsequent operating systems.
+
+## Dynamic provisioning
+
+For new PCs, organizations historically replaced the version of Windows included on the device with their own custom Windows image. A custom image was used because a custom image was often faster and easier than using the preinstalled version. However, reimaging with a custom image is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows, it's now possible to avoid using custom images.
+
+The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort.
The types of transformations that are available include:
+
+### Windows Subscription Activation
+
+Windows Subscription Activation is a dynamic deployment method that enables changing the edition of Windows from Pro to Enterprise. Windows Subscription Activation requires no keys and no reboots. For more information about Subscription Activation, see [Windows Subscription Activation](windows-subscription-activation.md).
+
+### Microsoft Entra join with automatic mobile device management (MDM) enrollment
+
+In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Microsoft Entra ID and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+
+### Provisioning package configuration
+
+With the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a device. These packages can then be deployed to new PCs through various means, typically by IT professionals. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
+
+These scenarios can be used to enable "Bring Your Own Device" (BYOD) or "Choose Your Own Device" (CYOD) programs. With these programs, an organization's users can pick their own PC. They aren't restricted to a small list of approved or certified models. These programs are difficult to implement using traditional deployment scenarios.
+
+While Windows includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts.
+
+## Traditional deployment
+
+In the past, organizations typically deployed Windows using an image-based process built on top of tools provided in:
+
+- [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md).
+- [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+- Windows Deployment Services (WDS).
+- Microsoft Deployment Toolkit.
+
+Scenarios such as in-place upgrade and dynamic provisioning might reduce the need for traditional deployment capabilities in some organizations. However, traditional methods might still need to be used under certain circumstances.
+
+The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary:
+
+- **New computer**: A bare-metal deployment of a new device.
+- **Computer refresh**: A reinstall of the same device (with user-state migration and an optional full Windows Imaging (WIM) image backup).
+- **Computer replace**: A replacement of the old device with a new device (with user-state migration and an optional full WIM image backup).
+
+### New computer
+
+Also called a "bare metal" deployment. This scenario occurs when there's a device with no OS installed on it that needs to be deployed. This scenario can also be an existing device that needs to be wiped and redeployed without needing to preserve any existing data. The setup starts from a boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE).
A full offline media that includes all the files needed for a client deployment can also be generated, allowing deployment without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
+
+The deployment process for the new device scenario is as follows:
+
+1. Start the setup from boot media (CD, USB, ISO, or PXE).
+
+1. Wipe the hard disk clean and create new volume(s).
+
+1. Install the operating system image.
+
+1. Install other applications (as part of the task sequence).
+
+After following these steps, the computer is ready for use.
+
+### Computer refresh
+
+A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
+
+The deployment process for the wipe-and-load scenario is as follows:
+
+1. Start the setup on a running operating system.
+
+1. Save the user state locally.
+
+1. Wipe the hard disk clean (except for the folder containing the backup).
+
+1. Install the operating system image.
+
+1. Install other applications.
+
+1. Restore the user state.
+
+After following these steps, the device is ready for use.
+
+### Computer replace
+
+A computer replace is similar to the refresh scenario. However, since we're replacing the device, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
+
+The deployment process for the replace scenario is as follows:
+
+1. Save the user state (data and settings) on the server through a backup job on the running operating system.
+
+1. Deploy the new computer as a bare-metal deployment.
+
+ > [!NOTE]
+ >
+ > In some situations, the replace scenario can be used even if the target is the same device. For example, replace can be used if disk layout needs to be changed from master boot record (MBR) to GUID partition table (GPT). This conversion allows taking advantage of Unified Extensible Firmware Interface (UEFI) functionality.
+
+## Related articles
+
+- [Upgrade to Windows with Microsoft Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md).
+- [Deploy Windows using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md).
+- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference).
+- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
+- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi).
diff --git a/windows/deployment/windows-enterprise-e3-overview.md b/windows/deployment/windows-enterprise-e3-overview.md
new file mode 100644
index 0000000000..9fea4d9fc8
--- /dev/null
+++ b/windows/deployment/windows-enterprise-e3-overview.md
@@ -0,0 +1,193 @@
+---
+title: Windows Enterprise E3 in CSP
+description: Describes Windows Enterprise E3, an offering that delivers, by subscription, the features of Windows Enterprise edition.
+ms.service: windows-client
+ms.localizationpriority: medium
+ms.date: 02/13/2024
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
+ms.topic: article
+ms.subservice: itpro-deploy
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
+---
+
+# Windows Enterprise E3 in CSP
+
+Windows Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, the following prerequisites must be met:
+
+- A currently supported version of Windows, installed and activated, on the devices to be upgraded.
+- Microsoft Entra available for identity management.
+
+Moving from Windows Pro to Windows Enterprise is more easy than ever before with no keys and no reboots. After a user enters the Microsoft Entra credentials associated with a Windows Enterprise E3 license, the operating system turns from Windows Pro to Windows Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows Pro.
+
+Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows Enterprise to their users. Now, with Windows Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
+
+When Windows Enterprise E3 is purchased via a partner, the following benefits are included:
+
+- **Windows Enterprise edition**.
Devices currently running Windows Pro can get Windows Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB).
+- **Support from one to hundreds of users**. Although the Windows Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
+- **Deploy on up to five devices**. For each user covered by the license, Windows Enterprise edition can be deployed on up to five devices.
+- **Roll back to Windows Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows Enterprise device reverts seamlessly to Windows Pro edition (after a grace period of up to 90 days).
+- **Monthly, per-user pricing model**. This model makes Windows Enterprise E3 affordable for organizations.
+- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing optimization of the licensing investment against changing needs.
+
+How does the Windows Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
+
+- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
+- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
+
+ - **Deployment and management**. These benefits include planning services:
+ - Microsoft Desktop Optimization (MDOP).
+ - Windows Virtual Desktop Access Rights.
+ - Windows Roaming Use Rights.
+ - Other benefits.
+ - **Training**. These benefits include training vouchers, online e-learning, and a home use program.
+ - **Support**. These benefits include:
+ - 24x7 problem resolution support.
+ - Backup capabilities for disaster recovery.
+ - System Center Global Service Monitor.
+ - A passive secondary instance of SQL Server.
+ - **Specialized**. These benefits include step-up licensing availability, which enables migration of software from an earlier edition to a higher-level edition. It also spreads license and Software Assurance payments across three equal, annual sums.
+
+ In addition, in Windows Enterprise E3 in CSP, a partner can manage the licenses for an organization. With Software Assurance, the organization has to manager their own licenses.
+
+In summary, the Windows Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows Enterprise edition. Microsoft Volume Licensing programs and Software Assurance on the other hand are broader in scope and provide benefits beyond access to the Enterprise edition of Windows.
+
+## Compare Windows Pro and Enterprise editions
+
+Windows Enterprise edition has many features that are unavailable in Windows Pro. Table 1 lists some of the Windows Enterprise features not found in Windows Pro. Many of these features are security-related, whereas others enable finer-grained device management.
+
+### Table 1. Windows Enterprise features not found in Windows Pro
+
+|Feature|Description|
+|--- |--- |
+|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

              Credential Guard has the following features:
            5. **Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
            6. **Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
            7. **Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.
            8. **Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

              For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).

              *Credential Guard requires
              • UEFI 2.3.1 or greater with Trusted Boot
              • Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled
              • x64 version of Windows
              • IOMMU, such as Intel VT-d, AMD-Vi
              • BIOS Lockdown
              • TPM 2.0 recommended for device health attestation (uses software if TPM 2.0 not present)*
              |
+|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they're much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

              Device Guard protects in the following ways:
            9. Helps protect against malware
            10. Helps protect the Windows system core from vulnerability and zero-day exploits
            11. Allows only trusted apps to run

              For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
+|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

              For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
+|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

              For more information, see [Getting started with App-V for Windows client](/windows/application-management/app-v/appv-getting-started).|
+|User Experience Virtualization (UE-V)|With this feature, user-customized Windows and application settings can be captured and stored on a centrally managed network file share.

              When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign into.

              UE-V provides the following features:
            12. Specify which application and Windows settings synchronize across user devices
            13. Deliver the settings anytime and anywhere users work throughout the enterprise
            14. Create custom templates for line-of-business applications
            15. Recover settings after hardware replacement or upgrade, or after reimaging a virtual machine to its initial state

              For more information, see [User Experience Virtualization (UE-V) overview](/windows/configuration/ue-v/uev-for-windows).|
+|Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, a device can be configured for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. Access to services such as the Windows Store can also be restricted. For Windows 10, Start layout options can also be managed, such as:
            16. Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands
            17. Removing Log Off (the User tile) from the Start menu
            18. Removing frequent programs from the Start menu
            19. Removing the All Programs list from the Start menu
            20. Preventing users from customizing their Start screen
            21. Forcing Start menu to be either full-screen size or menu size
            22. Preventing changes to Taskbar and Start menu settings| + +## Deployment of Windows Enterprise E3 licenses + +See [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). + +## Deploy Windows Enterprise features + +Now that Windows Enterprise edition is running on devices, how are Enterprise edition features and capabilities taken advantage of? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows-pro-and-enterprise-editions)? + +The following sections provide with the high-level tasks that need to be performed in an environment to help users take advantage of the Windows Enterprise edition features. + +### Credential Guard + +> [!NOTE] +> +> Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present). + +Credential Guard can be implemented on Windows Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows virtualization-based (Hyper-V) security features that must be enabled on each device before Credential Guard can be turned on. Credential Guard can be turned on by using one of the following methods: + +- **Automated**. Credential Guard can be turned on for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. + +- **Manual**. Credential Guard can be manually turned on by taking one of the following actions: + + - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). 
+ + - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + + These manual steps can be automated by using a management tool such as Microsoft Configuration Manager. + +For more information about implementing Credential Guard, see the following resources: + +- [Credential Guard overview](/windows/security/identity-protection/credential-guard/) +- [Security considerations for Original Equipment Manufacturers](/windows-hardware/design/device-experiences/oem-security-considerations) +- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) + +### Device Guard + +Now that the devices have Windows Enterprise, Device Guard can be implemented on the Windows Enterprise devices by performing the following steps: + +1. **Optionally, create a signing certificate for code integrity policies**. As code integrity policies are deployed, catalog files or code integrity policies might need to be signed internally. To sign catalog files or code integrity policies internally, either a publicly issued code signing certificate (normally purchase) or an internal certificate authority (CA) is needed. If an internal CA is chosen, a code signing certificate needs to be created. + +2. **Create code integrity policies from "golden" computers**. Departments or roles sometimes use distinctive or partly distinctive sets of hardware and software. In these instances, "golden" computers containing the software and hardware for these departments or roles can be set up. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, a code integrity policy can be created and then decided how to manage that policy. 
Code integrity policies can be merged to create a broader policy or a primary policy, or each policy can be managed and deployed individually. + +3. **Audit the code integrity policy and capture information about applications that are outside the policy**. Microsoft recommends using "audit mode" to carefully test each code integrity policy before enforcing it. With audit mode, no application is blocked. The policy just logs an event whenever an application outside the policy is started. Later, the policy can be expanded to allow these applications, as needed. + +4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for the unsigned LOB applications. In later steps, the catalog file's signature can be merged into the code integrity policy so that the policy allows applications in the catalog. + +5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log. Once the information is captured, merge that information into the existing policy. Code integrity policies can also be merged from other sources, which allow flexibility in creating the final code integrity policies. + +6. **Deploy code integrity policies and catalog files**. After confirming that all the preceding steps are completed, catalog files can be deployed and the code integrity policies can be taken out of audit mode. Microsoft strongly recommends beginning this process with a test group of users. Testing provides a final quality-control validation before deploying the catalog files and code integrity policies more broadly. + +7. 
**Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. + +For more information about implementing Device Guard, see: + +- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) +- [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) + +### AppLocker management + +AppLocker in Windows Enterprise can be managed by using Group Policy. Group Policy requires having AD DS and that the Windows Enterprise devices are joined to an AD DS domain. AppLocker rules can be created by using Group Policy. The AppLocker rules can then be targeted to the appropriate devices. + +For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide). + +### App-V + +App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that are required are: + +- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, multiple streaming servers might exist. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. + +- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. 
Apps are installed on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. + +- **App-V client**. The App-V client must be enabled on any Windows Enterprise E3 client device that needs to run apps from the App-V server. + +For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: + +- [Getting started with App-V for Windows client](/windows/application-management/app-v/appv-getting-started) +- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server) +- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client) + +### UE-V + +UE-V requires server and client-side components that need to be downloaded, activated, and installed. These components include: + +- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. + +- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location. + +- **Settings storage location**. This location is a standard network share that users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. + +- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. 
Custom settings location templates can also be created, edited, or validated by using the UE-V template generator. Settings location templates aren't required for Windows applications. + +- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications. + +For more information about deploying UE-V, see the following resources: + +- [User Experience Virtualization (UE-V) overview](/windows/configuration/ue-v/uev-for-windows) +- [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started) +- [Prepare a UE-V Deployment](/windows/configuration/ue-v/uev-prepare-for-deployment) + +### Managed User Experience + +The Managed User Experience feature is a set of Windows Enterprise edition features and corresponding settings that can be used to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, AD DS is required with the Windows Enterprise devices joined to an AD DS domain. + +#### Table 2. Managed User Experience features + +| Feature | Description | +|------------------|-----------------| +| Start layout customization | A customized Start layout can be deployed to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables customization of Start layouts for different departments or organizations, with minimal management overhead.
              For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). | +| Unbranded boot | Windows elements that appear when Windows starts or resumes can be suppressed. The crash screen when Windows encounters an error from which it can't recover can also be suppressed.
              For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). | +| Custom Logon | The Custom Logon feature can be used to suppress Windows UI elements that relate to the Welcome screen and shutdown screen. For example, all elements of the Welcome screen UI can be suppressed and a custom logon UI can be provided. The Blocked Shutdown Resolver (BSDR) screen can also be suppressed and applications can be automatically ended while the OS waits for applications to close before a shutdown.
              For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). | +| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
              For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). | +| Keyboard filter | Keyboard Filter can be used to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. These keyboard actions aren't desirable on devices intended for a dedicated purpose.
              For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). | +| Unified write filter | The Unified Write Filter (UWF) can be used on a device to help protect physical storage media, including most standard writable storage types supported by Windows, such as:
              • Physical hard disks
              • Solid-state drives
              • Internal USB devices
              • External SATA devices
              • . UWF can also be used to make read-only media appear to the OS as a writable volume.
                For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). | + +## Related articles + +- [Windows Enterprise Subscription Activation](windows-subscription-activation.md). +- [Plan your Microsoft Entra hybrid join implementation](/entra/identity/devices/hybrid-join-plan). +- [Compare Windows editions](https://www.microsoft.com/windows/business/windows-10-pro-vs-windows-11-pro). +- [Windows for business](https://www.microsoft.com/windows/business). diff --git a/windows/deployment/windows-subscription-activation.md b/windows/deployment/windows-subscription-activation.md new file mode 100644 index 0000000000..9c15d279f1 --- /dev/null +++ b/windows/deployment/windows-subscription-activation.md 
@@ -0,0 +1,216 @@ +--- +title: Windows subscription activation +description: Learn how to dynamically enable Windows Enterprise or Education subscriptions. +ms.service: windows-client +ms.subservice: itpro-fundamentals +ms.localizationpriority: medium +author: frankroj +ms.author: frankroj +manager: aaroncz +ms.collection: + - highpri + - tier2 +ms.topic: conceptual +ms.date: 02/13/2024 +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 +--- + +# Windows subscription activation + +The subscription activation feature enables a "step-up" from Windows Pro edition to Enterprise edition or from Windows Pro Education edition to Education edition. This feature can be used with a subscription to Windows Enterprise E3 or E5 licenses. + +> [!TIP] +> +> Windows Pro Education is analogous to Windows Pro, while Windows Education is analogous to Windows Enterprise. In other words, Windows Education is a step-up from Windows Pro Education, similar to how Windows Enterprise is a step-up from Windows Pro. + +The subscription activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later: + +- Standing up on-premises key management services such as KMS or MAK based activation. +- Entering Generic Volume License Keys (GVLKs). +- Rebooting client devices. + +For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). 
+ +> [!NOTE] +> +> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**: +> +> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). +> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications). +> +> Although the app ID is the same in both instances, the name of the cloud app depends on the tenant. +> +> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions). + +## Subscription activation for Enterprise + +Windows Enterprise E3 and E5 are available as online services via subscription. Windows Enterprise can be deployed in an organization without keys and reboots. + +- Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise. +- Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions. + +Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Microsoft Entra ID using [Microsoft Entra Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis). 
+ +> [!NOTE] +> +> Subscription activation is available for qualifying devices running currently supported versions of Windows. Subscription activation can't be used to upgrade to a newer version of Windows. + +## Subscription activation for Education + +Subscription activation for Education works the same as the Enterprise edition. However, in order to use subscription activation for Education, the device must have Windows Pro Education and an active subscription plan with an Enterprise license. For more information, see the [requirements](#windows-education-requirements) section. + +## Inherited activation + +Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows virtual machine (VM) using a Windows host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses a Microsoft Entra account on a VM. + +To support inherited activation, both the host computer and the VM must be running a currently supported version of Windows. The hypervisor platform must also be Windows Hyper-V. + +## Requirements + +### Windows Enterprise requirements + +> [!NOTE] +> +> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). + +> [!IMPORTANT] +> +> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. 
It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). + +For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), the following requirements must be met: + +- A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded. +- Microsoft Entra available for identity management. +- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported. + +For Microsoft customers that don't have EA or MPSA, Windows Enterprise E3/E5 or A3/A5 licenses can be obtained through a cloud solution provider (CSP). Identity management and device requirements are the same when using CSP to manage licenses. For more information about getting Windows Enterprise E3 through a CSP, see [Windows Enterprise E3 in CSP](windows-enterprise-e3-overview.md). + +### Windows Education requirements + +- A supported version of Windows Pro Education installed on the devices to be upgraded. +- A device with a Windows Pro Education digital license. This information can be confirmed under **Settings > System > Activation** or under **Settings > Update & Security > Activation**. +- The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription. +- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported. + +> [!IMPORTANT] +> +> If Windows Pro is converted to Windows Pro Education, then subscription activation doesn't work. The device needs to be reimaged to Windows Pro Education for subscription activation to work. Alternatively, reimage the device directly to Windows Education. 
+ +## Benefits + +With Windows Enterprise or Education editions, an organization can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Education or Enterprise editions to their users. With Windows Enterprise E3/E5 or A3/A5 being available as an online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows features. + +To compare Windows editions and review pricing, see the following sites: + +- [Compare Windows editions](https://www.microsoft.com/en-us/windows/business/windows-10-pro-vs-windows-11-pro) +- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing) + +Benefits of moving to Windows as an online service include: + +- Licenses for Windows Enterprise and Education are checked based on Microsoft Entra credentials. There's a systematic way to assign licenses to end users and groups in an organization. + +- User sign-in triggers a silent edition upgrade, with no reboot required. + +- Support for mobile worker and "Bring Your Own Device" (BYOD) or "Choose Your Own Device" (CYOD) activation. This support transitions away from on-premises KMS and MAK keys. + +- Compliance support via license assignment. + +- Licenses can be updated to different users dynamically, which allows optimization of the licensing investment against changing needs. + +## How it works + +The device is Microsoft Entra joined, for example from **Settings** > **Accounts** > **Access work or school**. + +Windows Enterprise is assigned to a user, for example through the Microsoft 365 admin center. When a licensed user signs in to a device that meets requirements using their Microsoft Entra credentials, Windows steps up from Pro edition to Enterprise, or from Pro Education to Education. 
Once the edition is stepped up, Enterprise/Education features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows Pro or Windows Pro Education edition, once the current subscription validity expires. + +> [!NOTE] +> +> - Devices running a supported version of Windows Pro can get Windows Enterprise general availability channel on up to five devices for each user covered by the license. This limit also applies when stepping up from Windows Pro Education to Windows Education. This benefit doesn't include the long term servicing channel. +> +> - A Windows Pro device only steps up to Windows Enterprise edition when a **Windows Enterprise** license is assigned from the Microsoft 365 admin center. +> +> - A Windows Pro Education device only steps up to Windows Education edition a **Windows Enterprise** license is assigned from the Microsoft 365 admin center. + +### Scenarios + +#### Scenario #1 + +A supported version of Windows is being used. A Windows Enterprise E3 or E5 subscription is purchased, or there's an existing E3 or E5 subscription but Windows Enterprise isn't yet deployed. + +All of the Windows Pro devices step-up to Windows Enterprise. When a subscription activation-enabled user signs in, devices that are already running Windows Enterprise migrate from KMS or MAK activated Enterprise edition to subscription activated Enterprise edition. + +#### Scenario #2 + +Microsoft Entra joined devices or Active Directory-joined devices running a supported version of Windows are being used. Microsoft Entra synchronization is configured. The steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) are followed to get a $0 SKU and a new Windows Enterprise E3 or E5 license in Microsoft Entra ID. The license is then assigned to all of the Microsoft Entra users, which can be Active Directory-synced accounts. 
When that user signs in, the device automatically steps up from Windows Pro to Windows Enterprise or from Windows Pro Education to Windows Education. + +#### Earlier versions of Windows + +If devices are running Windows 7 or Windows 8.1, more steps are required. A wipe-and-load approach still works, but it can be easier to upgrade from Windows 7 Pro directly to a currently supported Windows 10 Enterprise edition. This path is supported, and completes the move in one step. However, versions of Windows newer than Windows 10 don't support upgrading from Windows 7 or Windows 8.1. For versions of Windows newer than Windows 10, an upgrade to Windows 10 would first be required, followed by upgrading to the version of Windows Enterprise newer than Windows 10. In this scenario, a wipe-and-load might be more practical. + +### Licenses + +The following policies apply to acquisition and renewal of licenses on devices: + +- Upgraded devices attempt to renew licenses about every 30 days. They must be connected to the internet to successfully acquire or renew a license. + +- If a device is disconnected from the internet, until its current subscription expires Windows reverts to Pro or Pro Education. As soon as the device is connected to the internet again, the license automatically renew. + +- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the computer where the user hasn't signed in for the longest time reverts to Pro or Pro Education. + +- If a device meets the requirements and a licensed user signs in on that device, the device is upgraded. + +Licenses can be reallocated from one user to another user, allowing optimization of the licensing investment against changing needs. + +With a Microsoft Entra subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. 
For more information, see [Group-based licensing basics in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal). + +### Existing Enterprise deployments + +With currently supported version of Windows, subscription activation automatically pulls the firmware-embedded Windows activation key and activates the underlying Pro license. The license then steps up to Enterprise using subscription activation. This behavior automatically migrates devices from KMS or MAK activated Enterprise to subscription activated Enterprise. + +Subscription activation doesn't remove the need to activate the underlying OS. This requirement still exists for running a genuine installation of Windows. + +> [!CAUTION] +> +> Firmware-embedded Windows activation happens automatically only during Windows Setup out of box experience (OOBE). + +If the computer has never been activated with a Pro key, use the following script from an elevated PowerShell console: + +```powershell +$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } } +``` + +### Obtaining a Microsoft Entra ID license + +If an organization has an Enterprise Agreement (EA) or Software Assurance (SA): + +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Microsoft Entra ID. Ideally, licenses are assigned to groups using the Microsoft Entra ID P1 or P2 feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). + +- The license administrator can assign licenses to Microsoft Entra users with the same process used for Microsoft 365 Apps. 
+ +- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. + +If an organization has a Microsoft Products & Services Agreement (MPSA): + +- New customers are automatically emailed the details of the service. Take steps to process the instructions. + +- Existing MPSA customers receive service activation emails that allow their customer administrator to assign users to the service. + +- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 are enabled for both the traditional key-based and new subscriptions activation method. + +### Deploying licenses + +For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). + +## Virtual Desktop Access (VDA) + +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH). + +Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). + +## Related sites + +- Connect domain-joined devices to Microsoft Entra ID for Windows experiences. For more information, see [Plan your Microsoft Entra hybrid join implementation](/entra/identity/devices/hybrid-join-plan). +- [Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11). +- [Windows for business](https://www.microsoft.com/windows/business). diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index d107b517cb..f7971d2b46 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json 
@@ -45,7 +45,7 @@ "ms.service": "windows-client", "ms.subservice": "itpro-fundamentals", "feedback_system": "Standard", - "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.windows-hub", @@ -64,7 +64,8 @@ "beccarobins", "Stacyrch140", "v-stsavell", - "American-Dipper" + "American-Dipper", + "shdyas" ] }, "fileMetadata": {}, @@ -72,4 +73,4 @@ "dest": "windows-hub", "markdownEngineName": "markdig" } -} +} \ No newline at end of file diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 7f47903935..45e5e07ca5 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -40,11 +40,11 @@ "ms.service": "windows-client", "ms.subservice": "itpro-privacy", "feedback_system": "Standard", - "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.privacy", - "folder_relative_path_in_docset": "./" + "folder_relative_path_in_docset": "./" } }, "titleSuffix": "Windows Privacy", @@ -59,13 +59,16 @@ "beccarobins", "Stacyrch140", "v-stsavell", - "American-Dipper" + "American-Dipper", + "shdyas" ] }, - "searchScope": ["Windows 10"] + "searchScope": [ + "Windows 10" + ] }, - "fileMetadata": {}, - "template": [], - "dest": "privacy", - "markdownEngineName": "markdig" -} + "fileMetadata": {}, + "template": [], + "dest": "privacy", + "markdownEngineName": "markdig" +} \ No newline at end of file 
diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 62c1b9f07b..a502927d7f 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -46,7 +46,7 @@ "ms.localizationpriority": "medium", "manager": "aaroncz", "feedback_system": "Standard", - "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.security", @@ -68,14 +68,15 @@ "beccarobins", "Stacyrch140", "v-stsavell", - "American-Dipper" + "American-Dipper", + "shdyas" ], "searchScope": [ "Windows 10" ] }, "fileMetadata": { - "author":{ + "author": { "application-security//**/*.md": "vinaypamnani-msft", "application-security//**/*.yml": "vinaypamnani-msft", "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther1974", @@ -93,7 +94,7 @@ "operating-system-security/network-security/**/*.md": "paolomatarazzo", "operating-system-security/network-security/**/*.yml": "paolomatarazzo" }, - "ms.author":{ + "ms.author": { "application-security//**/*.md": "vinpa", "application-security//**/*.yml": "vinpa", "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther", @@ -218,7 +219,7 @@ "identity-protection/virtual-smart-cards/*.md": "ardenw", "operating-system-security/network-security/windows-firewall/*.md": "nganguly", "operating-system-security/network-security/vpn/*.md": "pesmith", - "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda", + "operating-system-security/data-protection/personal-data-encryption/*.md": "rhonnegowda", "operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck" }, "ms.collection": { 
@@ -234,4 +235,4 @@ "dest": "security", "markdownEngineName": "markdig" } -} +} \ No newline at end of file diff --git a/windows/security/hardware-security/images/pluton/pluton-firmware-load.png b/windows/security/hardware-security/images/pluton/pluton-firmware-load.png index 28dee91260..127acf2a05 100644 Binary files a/windows/security/hardware-security/images/pluton/pluton-firmware-load.png and b/windows/security/hardware-security/images/pluton/pluton-firmware-load.png differ diff --git a/windows/security/hardware-security/images/pluton/pluton-security-architecture.png b/windows/security/hardware-security/images/pluton/pluton-security-architecture.png index adab20b080..c83763e6eb 100644 Binary files a/windows/security/hardware-security/images/pluton/pluton-security-architecture.png and b/windows/security/hardware-security/images/pluton/pluton-security-architecture.png differ diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md index 4a94896198..eb190c2bac 100644 --- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md 
@@ -2,20 +2,20 @@ title: Microsoft Pluton security processor description: Learn more about Microsoft Pluton security processor ms.topic: conceptual -ms.date: 07/31/2023 +ms.date: 02/19/2024 --- # Microsoft Pluton security processor -Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. +Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2. ## What is Microsoft Pluton? -Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker has installed malware or has complete physical possession of the PC. 
+Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker installs malware or has complete physical possession of the PC. -Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module as well as deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md). +Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) and deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for other Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md). Pluton is built on proven technology used in Xbox and Azure Sphere, and provides hardened integrated security capabilities to Windows 11 devices in collaboration with leading silicon partners. For more information, see [Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/). 
@@ -28,17 +28,17 @@ Pluton Security subsystem consists of the following layers: | | Description | |--|--| | **Hardware** | Pluton Security Processor is a secure element tightly integrated into the SoC subsystem. It provides a trusted execution environment while delivering cryptographic services required for protecting sensitive resources and critical items like keys, data, etc. | -| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For additional information, see [Firmware load flow](#firmware-load-flow) | +| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For more information, see [Firmware load flow](#firmware-load-flow) | | **Software** | Operating system drivers and applications available to an end user to allow seamless usage of the hardware capabilities provided by the Pluton security subsystem. | ## Firmware load flow -When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. 
During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware is not available, Windows uses the firmware that was loaded during the hardware initialization. The diagram below illustrates this process: +When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware isn't available, Windows uses the firmware that was loaded during the hardware initialization. This diagram illustrates this process: ![Diagram showing the Microsoft Pluton Firmware load flow](../images/pluton/pluton-firmware-load.png) [!INCLUDE [microsoft-pluton](../../../../includes/licensing/microsoft-pluton.md)] -## Related topics +## Related articles [Microsoft Pluton as TPM](pluton-as-tpm.md) diff --git a/windows/security/hardware-security/pluton/pluton-as-tpm.md b/windows/security/hardware-security/pluton/pluton-as-tpm.md index 152bac55bc..9ef333a6f3 100644 --- a/windows/security/hardware-security/pluton/pluton-as-tpm.md +++ b/windows/security/hardware-security/pluton/pluton-as-tpm.md 
@@ -2,16 +2,16 @@ title: Microsoft Pluton as Trusted Platform Module (TPM 2.0) description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0) ms.topic: conceptual -ms.date: 07/31/2023 +ms.date: 02/19/2024 --- # Microsoft Pluton as Trusted Platform Module Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) thereby establishing the silicon root of trust. Microsoft Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPM including BitLocker, Windows Hello, and Windows Defender System Guard. -As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution cannot access key material. +As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installs malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution can't access key material. -Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for them to apply these updates. 
+Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from various sources, which can make it difficult for them to apply these updates. To learn more about the TPM related scenarios that benefit from Pluton, see [TPM and Windows Features](/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features). @@ -25,7 +25,7 @@ Pluton is integrated within the SoC subsystem, and provides a flexible, updatabl Devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors are Pluton Capable, however enabling and providing an option to enable Pluton is at the discretion of the device manufacturer. Pluton is supported on these devices and can be enabled from the Unified Extensible Firmware Interface (UEFI) setup options for the device. -UEFI setup options differ from product to product, visit the product website and check for guidance to enable Pluton as TPM. +UEFI setup options differ from product to product. Visit the product website and check for guidance to enable Pluton as TPM. > [!WARNING] > If BitLocker is enabled, We recommend disabling BitLocker before changing the TPM configuration to prevent lockouts. After changing TPM configuration, re-enable BitLocker which will then bind the BitLocker keys with the Pluton TPM. Alternatively, save the BitLocker recovery key onto a USB drive. 
@@ -35,6 +35,6 @@ UEFI setup options differ from product to product, visit the product website and > [!TIP] > On most Lenovo devices, entering the UEFI options requires pressing Enter key at startup followed by pressing F1. In the UEFI Setup menu, select Security option, then on the Security page, select Security Chip option, to see the TPM configuration options. Under the drop-down list for Security Chip selection, select **MSFT Pluton** and click F10 to Save and Exit. -## Related topics +## Related articles [Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor) diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md index 6d581f8f55..b4d14a1882 100644 --- a/windows/security/identity-protection/hello-for-business/configure.md +++ b/windows/security/identity-protection/hello-for-business/configure.md 
@@ -87,7 +87,7 @@ To check the Windows Hello for Business policy settings applied at enrollment ti ## Policy conflicts from multiple policy sources -Windows Hello for Business can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Hello for Business. If you mix GPO and CSP policy settings, the CSP settings are ignored until all group policy settings are cleared. +Windows Hello for Business can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Hello for Business, as it can lead to unexpected results. If you mix GPO and CSP policy settings, the conflicting CSP settings aren't applied until the group policy settings are cleared. > [!IMPORTANT] > The [*MDMWinsOverGP*](/windows/client-management/mdm/policy-csp-controlpolicyconflict#mdmwinsovergp) policy setting doesn't apply to Windows Hello for Business. MDMWinsOverGP only applies to policies in the *Policy CSP*, while the Windows Hello for Business policies are in the *PassportForWork CSP*. diff --git a/windows/security/introduction.md b/windows/security/introduction.md index dd2492a6b9..887774184b 100644 --- a/windows/security/introduction.md +++ b/windows/security/introduction.md @@ -12,6 +12,7 @@ content_well_notification: author: paolomatarazzo appliesto: - ✅ Windows 11 +ai-usage: ai-assisted --- # Introduction to Windows security diff --git a/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md b/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md new file mode 100644 index 0000000000..275f7adfa9 --- /dev/null +++ b/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md 
@@ -0,0 +1,222 @@
+---
+title: Windows Firewall dynamic keywords
+description: Learn about Windows Firewall dynamic keywords and how to configure it using Windows PowerShell.
+ms.topic: how-to
+ms.date: 01/16/2024
+---
+
+# Windows Firewall dynamic keywords
+
+> [!IMPORTANT]
+>This article describes features or settings that are in preview. The content is subject to change and may have dependencies on other features or services in preview.
+
+Windows Firewall includes a functionality called *dynamic keywords*, which simplifies the configuration and management of Windows Firewall.
+
+With dynamic keywords, you can define a set of IP address ranges, fully qualified domain names (FQDNs), and **autoresolution** options, to which one or more Firewall rules can refer.
+
+## Configure dynamic keywords
+
+To configure dynamic keywords, you can use:
+
+- [Firewall CSP][CSP-1], which can be used with a Mobile Device Management (MDM) solution like Microsoft Intune
+- Windows PowerShell
+
+> [!TIP]
+> Microsoft Intune offers a simplified management experience called *reusable settings groups*. For more information, see [Add reusable settings groups to profiles for Firewall rules][MEM-1].
+
+This article describes how to configure dynamic keywords using Windows PowerShell.
+
+## Dynamic keywords and Fully Qualified Domain Names (FQDN)
+
+Dynamic keywords can be configured by defining a set of IP address ranges or FQDNs. Here are important things to consider when using FQDNs:
+
+- FQDN support is for reducing the overhead of managing IP rules where IP addresses are dynamic and change frequently
+- FQDNs aren't a replacement for IP addresses in all scenarios. IP addresses should be used when possible, for security and performance reasons
+ - FQDN rules can affect performance on the endpoint, caused by DNS latency and other factors
+ - FQDN isn't a secure DNS service. The FQDN resolution uses the default DNS configuration of the endpoint
+- An FQDN rule requires a DNS query to happen for that FQDN to be resolved to an IP address. Traffic to IP addresses must generate a DNS query for FQDN rules
+ - Limitations include: websites accessed via proxy, secure DNS services, certain VPN tunnel configurations, cached IPs on the endpoint
+- While Partially Qualified Domain Names (PQDNs) are allowed, FQDNs are preferred. Wildcards `*` are supported for hosts, for example `*.contoso.com`
+
+Two examples of FQDN rules are:
+
+- Block all outbound and inbound by default and allow specific outbound traffic
+- Block all inbound by default and block some specific outbound traffic
+
+> [!NOTE]
+> Inbound FQDN rules aren't natively supported. However, it's possible to use *pre-hydration* scripts to generate inbound IP entries for the rules.
+
+> [!CAUTION]
+> The default configuration of *Blocked for Outbound* rules can be considered for certain highly secure environments. However, the *Inbound* rule configuration should never be changed in a way that allows traffic by default.
+
+In high security environments, an inventory of all apps should be maintained. Records should include whether an app requires network connectivity. Administrators should create new rules specific to each app that needs network connectivity, and push those rules centrally, using a device management solution.
+
+### Functions and known limitations
+
+The Windows Firewall FQDN feature uses the Network Protection external callout driver, to inspect DNS responses where the DNS query matches FQDN rules. Some important functions and limitations of the feature are:
+
+- The Network Protection component doesn't periodically execute DNS queries. It requires an application to execute a DNS query
+- Windows Firewall flushes all stored resolved IP addresses on device restart
+- Network protection doesn't synchronously inspect the DNS response, as it doesn't hold the UDP packet during inspection. The result is a potential condition where an application, after receiving the DNS response, attempts to connect, but gets blocked if it's faster than the firewall rule update
+ - Generally, applications have retry logic for an initial failed connection and as a result the issue is transparent to the end user
+ - On occasion a component might not have retry logic on initial connection fail. Which is solved in two ways:
+ - The user can hit *refresh* in the application they're using, and it should connect successfully
+ - Administrators can use the *prehydration* scripts tactfully, where this condition is occurring in their environment
+
+### FQDN Feature requirements
+
+The following are requirements for the FQDN feature:
+
+- Microsoft Defender Antivirus must be turned on and running platform version `4.18.2209.7` or later.
+ - To verify, open [Windows Security](windowsdefender://) and select **Settings** > **About**
+- Network Protection must be in *block* or *audit* mode. For more information, see [Check if network protection is enabled][M365-1].
+- DNS over HTTPS (DoH) must be disabled. To configure your preferred browser, you can use the following settings:
+ - [Microsoft Edge][EDGE-1]
+ - [Chrome][HTTP-1]
+ - [Firefox][HTTP-2]
+- The device's default DNS resolution settings apply. This feature doesn't provide DNS security or functionality changes
+ > [!TIP]
+ > You can also download the ADMX file from there, follow the directions, and configure it via gpedit.msc for local testing.
+
+## Manage dynamic keywords with Windows PowerShell
+
+This section provides some examples how to manage dynamic keywords using Windows PowerShell. A few important things to consider when using dynamic keywords are:
+
+- All dynamic keyword objects must have a unique identifier (GUID) to represent them
+- A firewall rule can use dynamic keywords instead of explicitly defining IP addresses for its conditions
+- A firewall rule can use both dynamic keywords and statically defined address ranges
+- A dynamic keyword object can be reused across multiple firewall rules
+- If a firewall rule doesn't have any configured remote addresses, then the rule isn't enforced. For example, if a rule is configured with only `AutoResolve` objects that aren't yet resolved
+- If a rule uses multiple dynamic keywords, then the rule is enforced for all addresses that are *currently* resolved. The rule is enforced even if there are unresolved objects. When a dynamic keyword address is updated, all associated rule objects have their remote addresses updated
+- Windows doesn't enforce any dependencies between a rule and a dynamic keyword address, and either object can be created first. A rule can reference dynamic keyword IDs that don't yet exist, in which case the rule isn't enforced
+- You can delete a dynamic keyword address, even if it's in use by a firewall rule
+
+### Allow Outbound
+
+Here's an example script to allow an FQDN from PowerShell. Replace the `$fqdn` variable value with the FQDN you wish to block (line #1):
+
+```PowerShell
+$fqdn = 'contoso.com'
+$id = '{' + (new-guid).ToString() + '}'
+New-NetFirewallDynamicKeywordAddress -id $id -Keyword $fqdn -AutoResolve $true
+New-NetFirewallRule -DisplayName "allow $fqdn" -Action Allow -Direction Outbound -RemoteDynamicKeywordAddresses $id
+```
+
+Dynamic keyword addresses can be created with the `AutoResolve` parameter set to `$true` or `$false`. If `AutoResolve` is set to `$true`, then Windows attempts to resolve the keyword to an IP address.
+
+### Block Outbound
+
+Here's an example script to block an FQDN from PowerShell. Replace the `$fqdn` variable value with the FQDN you wish to block (line #1):
+
+```PowerShell
+$fqdn = 'contoso.com'
+$id = '{' + (new-guid).ToString() + '}'
+New-NetFirewallDynamicKeywordAddress -id $id -Keyword $fqdn -AutoResolve $true
+New-NetFirewallRule -DisplayName "block $fqdn" -Action Block -Direction Outbound -RemoteDynamicKeywordAddresses $id
+```
+
+### Display Auto resolve rules and associated resolved IP addresses
+
+This example shows how to display all dynamic keyword addresses that have the `AutoResolve` parameter set to `$true` and the associated resolved IP addresses.
+
+```PowerShell
+Get-NetFirewallDynamicKeywordAddress -AllAutoResolve
+```
+
+> [!NOTE]
+> IP addresses will not populate until DNS query is observed.
+
+### Hydrate FQDN rules
+
+The following sample scripts read the current Windows Firewall configuration, extract FQDN-based rules, and perform DNS resolution on each domain. The result is that the IP addresses for those rules get "prehydrated."
+
+```PowerShell
+Get-NetFirewallDynamicKeywordAddress -AllAutoResolve |`
+ForEach-Object {
+ if(!$_.Keyword.Contains("*")) {
+ Write-Host "Getting" $_.Keyword
+ resolve-dnsname -Name $_.Keyword -DNSOnly | out-null
+ }
+}
+```
+
+A similar script can be used to perform DNS resolution using `nslookup.exe`:
+
+```PowerShell
+Get-NetFirewallDynamicKeywordAddress -AllAutoResolve |`
+ForEach-Object {
+ if(!$_.Keyword.Contains("*")) {
+ Write-Host "Getting" $_.Keyword
+ nslookup $_.Keyword
+ }
+}
+```
+
+If using `nslookup.exe`, you must create an outbound firewall rule when using the *block all outbound* posture. Here's the command to create the outbound rule for `nslookup.exe`:
+
+```PowerShell
+$appName = 'nslookup'
+$appPath = 'C:\Windows\System32\nslookup.exe'
+New-NetFirewallRule -DisplayName "allow $appName" -Program $appPath -Action Allow -Direction Outbound -Protocol UDP -RemotePort 53
+```
+
+### Block all outbound and allow some FQDNs
+
+In the next example, a list of applications is parsed for FQDN evaluation. The FQDNs listed in the scripts were observed when inspecting traffic on the first launch of Microsoft Edge.
+
+> [!IMPORTANT]
+> This is not a complete list nor a recommendation. It's an example of how an application should be evaluated to ensure proper connectivity and function.
+
+To learn more about Microsoft Edge requirements for Internet connectivity, see [allowlist for Microsoft Edge endpoints][EDGE-4].
+
+```PowerShell
+$domains = @(
+ '*.microsoft.com',
+ '*.msftconnecttest.com',
+ 'assets.msn.com',
+ 'client.wns.windows.com',
+ 'config.edge.skype.com',
+ 'ctldl.windowsupdate.com',
+ 'dns.msftncsi.com',
+ 'login.live.com',
+ 'ntp.msn.com'
+)
+
+foreach ($domain in $domains) {
+ $id = '{' + (New-Guid).ToString() + '}'
+ New-NetFirewallDynamicKeywordAddress -Id $id -Keyword $domain -AutoResolve $true
+ New-NetFirewallRule -DisplayName "allow $domain" -Action Allow -Direction Outbound -RemoteDynamicKeywordAddresses $id
+}
+```
+
+For more information about the PowerShell cmdlets used to manage dynamic keywords, see:
+
+- [Get-NetFirewallDynamicKeywordAddress][PS-1]
+- [New-NetFirewallDynamicKeywordAddress][PS-2]
+- [Remove-NetFirewallDynamicKeywordAddress][PS-3]
+- [Update-NetFirewallDynamicKeywordAddress][PS-4]
+
+For information about the API structure, see [Firewall dynamic keywords][WIN-1].
+ + + +[CSP-1]: /windows/client-management/mdm/firewall-csp + +[EDGE-1]: /deployedge/microsoft-edge-policies#control-the-mode-of-dns-over-https +[EDGE-2]: /deployedge/microsoft-edge-policies#builtindnsclientenabled +[EDGE-3]: /deployedge/configure-microsoft-edge +[EDGE-4]: /deployedge/microsoft-edge-security-endpoints + +[HTTP-1]: https://chromeenterprise.google/policies?policy=DnsOverHttpsMode +[HTTP-2]: https://support.mozilla.org/kb/firefox-dns-over-https + +[M365-1]: /microsoft-365/security/defender-endpoint/enable-network-protection#check-if-network-protection-is-enabled + +[MEM-1]: /mem/intune/protect/endpoint-security-firewall-policy#add-reusable-settings-groups-to-profiles-for-firewall-rules + +[PS-1]: /powershell/module/netsecurity/get-netfirewalldynamickeywordaddress +[PS-2]: /powershell/module/netsecurity/new-netfirewalldynamickeywordaddress +[PS-3]: /powershell/module/netsecurity/remove-netfirewalldynamickeywordaddress +[PS-4]: /powershell/module/netsecurity/update-netfirewalldynamickeywordaddress + +[WIN-1]: /windows/win32/ics/firewall-dynamic-keywords diff --git a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml index b566dce388..f856de3ef6 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml +++ b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml @@ -13,6 +13,8 @@ items: href: configure.md - name: Configure with command line tools href: configure-with-command-line.md + - name: Dynamic keywords + href: dynamic-keywords.md - name: Hyper-V firewall href: hyper-v-firewall.md - name: Troubleshoot 
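Review bot: The trust dependency a practitioner needs is missing from the "FQDN Feature requirements" list: the article itself says resolution uses the endpoint's default DNS, that FQDN "isn't a secure DNS service", that DoH must be disabled, and that resolved addresses are pushed into every associated rule, so as I read it an `Allow` rule keyed on an FQDN is hydrated with whatever the plain-DNS answer contains, and a spoofed or poisoned answer for an allowed name (a wildcard such as `*.microsoft.com` in the final example especially) would widen the allow rule to attacker-chosen IPs. I'd add a bullet there: `- FQDN rules trust the endpoint's DNS answers. Protect the DNS path (trusted resolvers, validated or filtered DNS where available) and prefer specific names over wildcards in allow rules.` Separately, the "Allow Outbound" paragraph tells the reader to set `$fqdn` to "the FQDN you wish to block"; it should read `wish to allow`. The `nslookup.exe` rule opens only UDP/53, so if resolvers in the environment return truncated answers that retry over TCP, hydration with that script would still be blocked under a block-all-outbound posture; a sentence noting that would save a troubleshooting round.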
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index 29ae7131f5..38921c5358 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -47,6 +47,10 @@ Enhanced Phishing Protection can be configured via Microsoft Intune, Group Polic | Notify Password Reuse | This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
              • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
              • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password. | | Notify Unsafe App | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
              • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
              • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps. | +Enhanced Phishing Protection allows organizations to add their custom identity provider sign-in URL as a recognized URL. Then Enhanced Phishing Protection doesn't consider Microsoft passwords typed into an internal identity provider (IdP) as unknown or password reuse. Without knowledge of an enterprise's custom identity provider URL, SmartScreen might not have enough information about the URL. If you configure warning dialogs for Enhanced Phishing Protection, it might show an unsafe password usage dialog to the user entering their Microsoft password into the URL. + +To add your organization's custom sign-in URL to Enhanced Phishing Protection, configure the `EnableWebSignIn` policy in the [Authentication Policy CSP](/windows/client-management/mdm/policy-csp-authentication#enablewebsignin). For more information, see [Web sign-in for Windows](../../../identity-protection/web-sign-in/index.md). + Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. #### [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune) @@ -91,7 +95,7 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n | Setting | Default Value | Recommendation | |---------------------------|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Automatic Data Collection | **Enabled** for domain joined devices or devices enrolled with MDM.
                **Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence |
+| Automatic Data Collection | **Enabled** for domain joined devices or devices enrolled with MDM.
                **Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. |
 | Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. |
 | Notify Malicious | **Disabled** for devices onboarded to MDE.
                **Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. | | Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. | @@ -99,14 +103,6 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. -| Setting | Default Value | Recommendation | -|---------------------------|------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Automatic Data Collection | **Disabled** for domain joined devices or devices enrolled with MDM.
                **Enabled** for all other devices. | **Enabled**: Turns on collection of additional content when users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. |
-| Service Enabled | **Enabled** | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. |
-| Notify Malicious | **Disabled** for devices onboarded to MDE.
                **Enabled** for all other devices. | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. |
-| Notify Password Reuse | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. |
-| Notify Unsafe App | **Disabled** | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. |
-
 #### [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune)
 | Settings catalog element | Recommended value |
diff --git a/windows/security/threat-protection/auditing/TOC.yml b/windows/security/threat-protection/auditing/TOC.yml
deleted file mode 100644
index 4f122c5d8e..0000000000
--- a/windows/security/threat-protection/auditing/TOC.yml
+++ /dev/null
@@ -1,767 +0,0 @@ - - name: Security auditing - href: security-auditing-overview.md - items: - - name: Basic security audit policies - href: basic-security-audit-policies.md - items: - - name: Create a basic audit policy for an event category - href: create-a-basic-audit-policy-settings-for-an-event-category.md - - name: Apply a basic audit policy on a file or folder - href: apply-a-basic-audit-policy-on-a-file-or-folder.md - - name: View the security event log - href: view-the-security-event-log.md - - name: Basic security audit policy settings - href: basic-security-audit-policy-settings.md - items: - - name: Audit account logon events - href: basic-audit-account-logon-events.md - - name: Audit account management - href: basic-audit-account-management.md - - name: Audit directory service access - href: basic-audit-directory-service-access.md - - name: Audit logon events - href: basic-audit-logon-events.md - - name: Audit object access - href: basic-audit-object-access.md - - name: Audit policy change - href: basic-audit-policy-change.md - - name: Audit privilege use - href: basic-audit-privilege-use.md - - name: Audit process tracking - href: basic-audit-process-tracking.md - - name: Audit system events - href: basic-audit-system-events.md - - name: Advanced security audit policies - href: advanced-security-auditing.md - items: - - name: Planning and deploying advanced security audit policies - href: planning-and-deploying-advanced-security-audit-policies.md - - name: Advanced security auditing FAQ - href: advanced-security-auditing-faq.yml - items: - - name: Which editions of Windows support advanced audit policy configuration - href: which-editions-of-windows-support-advanced-audit-policy-configuration.md - - name: How to list XML elements in \ - href: how-to-list-xml-elements-in-eventdata.md - - name: Using advanced security auditing options to monitor dynamic access control objects - href: 
using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md - items: - - name: Monitor the central access policies that apply on a file server - href: monitor-the-central-access-policies-that-apply-on-a-file-server.md - - name: Monitor the use of removable storage devices - href: monitor-the-use-of-removable-storage-devices.md - - name: Monitor resource attribute definitions - href: monitor-resource-attribute-definitions.md - - name: Monitor central access policy and rule definitions - href: monitor-central-access-policy-and-rule-definitions.md - - name: Monitor user and device claims during sign-in - href: monitor-user-and-device-claims-during-sign-in.md - - name: Monitor the resource attributes on files and folders - href: monitor-the-resource-attributes-on-files-and-folders.md - - name: Monitor the central access policies associated with files and folders - href: monitor-the-central-access-policies-associated-with-files-and-folders.md - - name: Monitor claim types - href: monitor-claim-types.md - - name: Advanced security audit policy settings - href: advanced-security-audit-policy-settings.md - items: - - name: Audit Credential Validation - href: audit-credential-validation.md - - name: "Event 4774 S, F: An account was mapped for logon." - href: event-4774.md - - name: "Event 4775 F: An account could not be mapped for logon." - href: event-4775.md - - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account." - href: event-4776.md - - name: "Event 4777 F: The domain controller failed to validate the credentials for an account." - href: event-4777.md - - name: Audit Kerberos Authentication Service - href: audit-kerberos-authentication-service.md - items: - - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested." - href: event-4768.md - - name: "Event 4771 F: Kerberos pre-authentication failed." 
- href: event-4771.md - - name: "Event 4772 F: A Kerberos authentication ticket request failed." - href: event-4772.md - - name: Audit Kerberos Service Ticket Operations - href: audit-kerberos-service-ticket-operations.md - items: - - name: "Event 4769 S, F: A Kerberos service ticket was requested." - href: event-4769.md - - name: "Event 4770 S: A Kerberos service ticket was renewed." - href: event-4770.md - - name: "Event 4773 F: A Kerberos service ticket request failed." - href: event-4773.md - - name: Audit Other Account Logon Events - href: audit-other-account-logon-events.md - - name: Audit Application Group Management - href: audit-application-group-management.md - - name: Audit Computer Account Management - href: audit-computer-account-management.md - items: - - name: "Event 4741 S: A computer account was created." - href: event-4741.md - - name: "Event 4742 S: A computer account was changed." - href: event-4742.md - - name: "Event 4743 S: A computer account was deleted." - href: event-4743.md - - name: Audit Distribution Group Management - href: audit-distribution-group-management.md - items: - - name: "Event 4749 S: A security-disabled global group was created." - href: event-4749.md - - name: "Event 4750 S: A security-disabled global group was changed." - href: event-4750.md - - name: "Event 4751 S: A member was added to a security-disabled global group." - href: event-4751.md - - name: "Event 4752 S: A member was removed from a security-disabled global group." - href: event-4752.md - - name: "Event 4753 S: A security-disabled global group was deleted." - href: event-4753.md - - name: Audit Other Account Management Events - href: audit-other-account-management-events.md - items: - - name: "Event 4782 S: The password hash of an account was accessed." - href: event-4782.md - - name: "Event 4793 S: The Password Policy Checking API was called." 
- href: event-4793.md - - name: Audit Security Group Management - href: audit-security-group-management.md - items: - - name: "Event 4731 S: A security-enabled local group was created." - href: event-4731.md - - name: "Event 4732 S: A member was added to a security-enabled local group." - href: event-4732.md - - name: "Event 4733 S: A member was removed from a security-enabled local group." - href: event-4733.md - - name: "Event 4734 S: A security-enabled local group was deleted." - href: event-4734.md - - name: "Event 4735 S: A security-enabled local group was changed." - href: event-4735.md - - name: "Event 4764 S: A group�s type was changed." - href: event-4764.md - - name: "Event 4799 S: A security-enabled local group membership was enumerated." - href: event-4799.md - - name: Audit User Account Management - href: audit-user-account-management.md - items: - - name: "Event 4720 S: A user account was created." - href: event-4720.md - - name: "Event 4722 S: A user account was enabled." - href: event-4722.md - - name: "Event 4723 S, F: An attempt was made to change an account's password." - href: event-4723.md - - name: "Event 4724 S, F: An attempt was made to reset an account's password." - href: event-4724.md - - name: "Event 4725 S: A user account was disabled." - href: event-4725.md - - name: "Event 4726 S: A user account was deleted." - href: event-4726.md - - name: "Event 4738 S: A user account was changed." - href: event-4738.md - - name: "Event 4740 S: A user account was locked out." - href: event-4740.md - - name: "Event 4765 S: SID History was added to an account." - href: event-4765.md - - name: "Event 4766 F: An attempt to add SID History to an account failed." - href: event-4766.md - - name: "Event 4767 S: A user account was unlocked." - href: event-4767.md - - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups." - href: event-4780.md - - name: "Event 4781 S: The name of an account was changed." 
- href: event-4781.md - - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password." - href: event-4794.md - - name: "Event 4798 S: A user's local group membership was enumerated." - href: event-4798.md - - name: "Event 5376 S: Credential Manager credentials were backed up." - href: event-5376.md - - name: "Event 5377 S: Credential Manager credentials were restored from a backup." - href: event-5377.md - - name: Audit DPAPI Activity - href: audit-dpapi-activity.md - items: - - name: "Event 4692 S, F: Backup of data protection master key was attempted." - href: event-4692.md - - name: "Event 4693 S, F: Recovery of data protection master key was attempted." - href: event-4693.md - - name: "Event 4694 S, F: Protection of auditable protected data was attempted." - href: event-4694.md - - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted." - href: event-4695.md - - name: Audit PNP Activity - href: audit-pnp-activity.md - items: - - name: "Event 6416 S: A new external device was recognized by the System." - href: event-6416.md - - name: "Event 6419 S: A request was made to disable a device." - href: event-6419.md - - name: "Event 6420 S: A device was disabled." - href: event-6420.md - - name: "Event 6421 S: A request was made to enable a device." - href: event-6421.md - - name: "Event 6422 S: A device was enabled." - href: event-6422.md - - name: "Event 6423 S: The installation of this device is forbidden by system policy." - href: event-6423.md - - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy." - href: event-6424.md - - name: Audit Process Creation - href: audit-process-creation.md - items: - - name: "Event 4688 S: A new process has been created." - href: event-4688.md - - name: "Event 4696 S: A primary token was assigned to process." 
- href: event-4696.md - - name: Audit Process Termination - href: audit-process-termination.md - items: - - name: "Event 4689 S: A process has exited." - href: event-4689.md - - name: Audit RPC Events - href: audit-rpc-events.md - items: - - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted." - href: event-5712.md - - name: Audit Token Right Adjusted - href: audit-token-right-adjusted.md - items: - - name: "Event 4703 S: A user right was adjusted." - href: event-4703.md - - name: Audit Detailed Directory Service Replication - href: audit-detailed-directory-service-replication.md - items: - - name: "Event 4928 S, F: An Active Directory replica source naming context was established." - href: event-4928.md - - name: "Event 4929 S, F: An Active Directory replica source naming context was removed." - href: event-4929.md - - name: "Event 4930 S, F: An Active Directory replica source naming context was modified." - href: event-4930.md - - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified." - href: event-4931.md - - name: "Event 4934 S: Attributes of an Active Directory object were replicated." - href: event-4934.md - - name: "Event 4935 F: Replication failure begins." - href: event-4935.md - - name: "Event 4936 S: Replication failure ends." - href: event-4936.md - - name: "Event 4937 S: A lingering object was removed from a replica." - href: event-4937.md - - name: Audit Directory Service Access - href: audit-directory-service-access.md - items: - - name: "Event 4662 S, F: An operation was performed on an object." - href: event-4662.md - - name: "Event 4661 S, F: A handle to an object was requested." - href: event-4661.md - - name: Audit Directory Service Changes - href: audit-directory-service-changes.md - items: - - name: "Event 5136 S: A directory service object was modified." - href: event-5136.md - - name: "Event 5137 S: A directory service object was created." 
- href: event-5137.md - - name: "Event 5138 S: A directory service object was undeleted." - href: event-5138.md - - name: "Event 5139 S: A directory service object was moved." - href: event-5139.md - - name: "Event 5141 S: A directory service object was deleted." - href: event-5141.md - - name: Audit Directory Service Replication - href: audit-directory-service-replication.md - items: - - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun." - href: event-4932.md - - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended." - href: event-4933.md - - name: Audit Account Lockout - href: audit-account-lockout.md - items: - - name: "Event 4625 F: An account failed to log on." - href: event-4625.md - - name: Audit User/Device Claims - href: audit-user-device-claims.md - items: - - name: "Event 4626 S: User/Device claims information." - href: event-4626.md - - name: Audit Group Membership - href: audit-group-membership.md - items: - - name: "Event 4627 S: Group membership information." - href: event-4627.md - - name: Audit IPsec Extended Mode - href: audit-ipsec-extended-mode.md - - name: Audit IPsec Main Mode - href: audit-ipsec-main-mode.md - - name: Audit IPsec Quick Mode - href: audit-ipsec-quick-mode.md - - name: Audit Logoff - href: audit-logoff.md - items: - - name: "Event 4634 S: An account was logged off." - href: event-4634.md - - name: "Event 4647 S: User initiated logoff." - href: event-4647.md - - name: Audit Logon - href: audit-logon.md - items: - - name: "Event 4624 S: An account was successfully logged on." - href: event-4624.md - - name: "Event 4625 F: An account failed to log on." - href: event-4625.md - - name: "Event 4648 S: A logon was attempted using explicit credentials." - href: event-4648.md - - name: "Event 4675 S: SIDs were filtered." 
- href: event-4675.md - - name: Audit Network Policy Server - href: audit-network-policy-server.md - - name: Audit Other Logon/Logoff Events - href: audit-other-logonlogoff-events.md - items: - - name: "Event 4649 S: A replay attack was detected." - href: event-4649.md - - name: "Event 4778 S: A session was reconnected to a Window Station." - href: event-4778.md - - name: "Event 4779 S: A session was disconnected from a Window Station." - href: event-4779.md - - name: "Event 4800 S: The workstation was locked." - href: event-4800.md - - name: "Event 4801 S: The workstation was unlocked." - href: event-4801.md - - name: "Event 4802 S: The screen saver was invoked." - href: event-4802.md - - name: "Event 4803 S: The screen saver was dismissed." - href: event-4803.md - - name: "Event 5378 F: The requested credentials delegation was disallowed by policy." - href: event-5378.md - - name: "Event 5632 S, F: A request was made to authenticate to a wireless network." - href: event-5632.md - - name: "Event 5633 S, F: A request was made to authenticate to a wired network." - href: event-5633.md - - name: Audit Special Logon - href: audit-special-logon.md - items: - - name: "Event 4964 S: Special groups have been assigned to a new logon." - href: event-4964.md - - name: "Event 4672 S: Special privileges assigned to new logon." - href: event-4672.md - - name: Audit Application Generated - href: audit-application-generated.md - - name: Audit Certification Services - href: audit-certification-services.md - - name: Audit Detailed File Share - href: audit-detailed-file-share.md - items: - - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access." - href: event-5145.md - - name: Audit File Share - href: audit-file-share.md - items: - - name: "Event 5140 S, F: A network share object was accessed." - href: event-5140.md - - name: "Event 5142 S: A network share object was added." 
- href: event-5142.md - - name: "Event 5143 S: A network share object was modified." - href: event-5143.md - - name: "Event 5144 S: A network share object was deleted." - href: event-5144.md - - name: "Event 5168 F: SPN check for SMB/SMB2 failed." - href: event-5168.md - - name: Audit File System - href: audit-file-system.md - items: - - name: "Event 4656 S, F: A handle to an object was requested." - href: event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: event-4658.md - - name: "Event 4660 S: An object was deleted." - href: event-4660.md - - name: "Event 4663 S: An attempt was made to access an object." - href: event-4663.md - - name: "Event 4664 S: An attempt was made to create a hard link." - href: event-4664.md - - name: "Event 4985 S: The state of a transaction has changed." - href: event-4985.md - - name: "Event 5051: A file was virtualized." - href: event-5051.md - - name: "Event 4670 S: Permissions on an object were changed." - href: event-4670.md - - name: Audit Filtering Platform Connection - href: audit-filtering-platform-connection.md - items: - - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network." - href: event-5031.md - - name: "Event 5150: The Windows Filtering Platform blocked a packet." - href: event-5150.md - - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet." - href: event-5151.md - - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections." - href: event-5154.md - - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections." - href: event-5155.md - - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection." - href: event-5156.md - - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection." 
- href: event-5157.md - - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port." - href: event-5158.md - - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port." - href: event-5159.md - - name: Audit Filtering Platform Packet Drop - href: audit-filtering-platform-packet-drop.md - items: - - name: "Event 5152 F: The Windows Filtering Platform blocked a packet." - href: event-5152.md - - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet." - href: event-5153.md - - name: Audit Handle Manipulation - href: audit-handle-manipulation.md - items: - - name: "Event 4690 S: An attempt was made to duplicate a handle to an object." - href: event-4690.md - - name: Audit Kernel Object - href: audit-kernel-object.md - items: - - name: "Event 4656 S, F: A handle to an object was requested." - href: event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: event-4658.md - - name: "Event 4660 S: An object was deleted." - href: event-4660.md - - name: "Event 4663 S: An attempt was made to access an object." - href: event-4663.md - - name: Audit Other Object Access Events - href: audit-other-object-access-events.md - items: - - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS." - href: event-4671.md - - name: "Event 4691 S: Indirect access to an object was requested." - href: event-4691.md - - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded." - href: event-5148.md - - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed." - href: event-5149.md - - name: "Event 4698 S: A scheduled task was created." - href: event-4698.md - - name: "Event 4699 S: A scheduled task was deleted." - href: event-4699.md - - name: "Event 4700 S: A scheduled task was enabled." 
- href: event-4700.md - - name: "Event 4701 S: A scheduled task was disabled." - href: event-4701.md - - name: "Event 4702 S: A scheduled task was updated." - href: event-4702.md - - name: "Event 5888 S: An object in the COM+ Catalog was modified." - href: event-5888.md - - name: "Event 5889 S: An object was deleted from the COM+ Catalog." - href: event-5889.md - - name: "Event 5890 S: An object was added to the COM+ Catalog." - href: event-5890.md - - name: Audit Registry - href: audit-registry.md - items: - - name: "Event 4663 S: An attempt was made to access an object." - href: event-4663.md - - name: "Event 4656 S, F: A handle to an object was requested." - href: event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: event-4658.md - - name: "Event 4660 S: An object was deleted." - href: event-4660.md - - name: "Event 4657 S: A registry value was modified." - href: event-4657.md - - name: "Event 5039: A registry key was virtualized." - href: event-5039.md - - name: "Event 4670 S: Permissions on an object were changed." - href: event-4670.md - - name: Audit Removable Storage - href: audit-removable-storage.md - - name: Audit SAM - href: audit-sam.md - items: - - name: "Event 4661 S, F: A handle to an object was requested." - href: event-4661.md - - name: Audit Central Access Policy Staging - href: audit-central-access-policy-staging.md - items: - - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy." - href: event-4818.md - - name: Audit Audit Policy Change - href: audit-audit-policy-change.md - items: - - name: "Event 4670 S: Permissions on an object were changed." - href: event-4670.md - - name: "Event 4715 S: The audit policy, SACL, on an object was changed." - href: event-4715.md - - name: "Event 4719 S: System audit policy was changed." - href: event-4719.md - - name: "Event 4817 S: Auditing settings on object were changed." 
- href: event-4817.md - - name: "Event 4902 S: The Per-user audit policy table was created." - href: event-4902.md - - name: "Event 4906 S: The CrashOnAuditFail value has changed." - href: event-4906.md - - name: "Event 4907 S: Auditing settings on object were changed." - href: event-4907.md - - name: "Event 4908 S: Special Groups Logon table modified." - href: event-4908.md - - name: "Event 4912 S: Per User Audit Policy was changed." - href: event-4912.md - - name: "Event 4904 S: An attempt was made to register a security event source." - href: event-4904.md - - name: "Event 4905 S: An attempt was made to unregister a security event source." - href: event-4905.md - - name: Audit Authentication Policy Change - href: audit-authentication-policy-change.md - items: - - name: "Event 4706 S: A new trust was created to a domain." - href: event-4706.md - - name: "Event 4707 S: A trust to a domain was removed." - href: event-4707.md - - name: "Event 4716 S: Trusted domain information was modified." - href: event-4716.md - - name: "Event 4713 S: Kerberos policy was changed." - href: event-4713.md - - name: "Event 4717 S: System security access was granted to an account." - href: event-4717.md - - name: "Event 4718 S: System security access was removed from an account." - href: event-4718.md - - name: "Event 4739 S: Domain Policy was changed." - href: event-4739.md - - name: "Event 4864 S: A namespace collision was detected." - href: event-4864.md - - name: "Event 4865 S: A trusted forest information entry was added." - href: event-4865.md - - name: "Event 4866 S: A trusted forest information entry was removed." - href: event-4866.md - - name: "Event 4867 S: A trusted forest information entry was modified." - href: event-4867.md - - name: Audit Authorization Policy Change - href: audit-authorization-policy-change.md - items: - - name: "Event 4703 S: A user right was adjusted." - href: event-4703.md - - name: "Event 4704 S: A user right was assigned." 
- href: event-4704.md - - name: "Event 4705 S: A user right was removed." - href: event-4705.md - - name: "Event 4670 S: Permissions on an object were changed." - href: event-4670.md - - name: "Event 4911 S: Resource attributes of the object were changed." - href: event-4911.md - - name: "Event 4913 S: Central Access Policy on the object was changed." - href: event-4913.md - - name: Audit Filtering Platform Policy Change - href: audit-filtering-platform-policy-change.md - - name: Audit MPSSVC Rule-Level Policy Change - href: audit-mpssvc-rule-level-policy-change.md - items: - - name: "Event 4944 S: The following policy was active when the Windows Firewall started." - href: event-4944.md - - name: "Event 4945 S: A rule was listed when the Windows Firewall started." - href: event-4945.md - - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added." - href: event-4946.md - - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified." - href: event-4947.md - - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted." - href: event-4948.md - - name: "Event 4949 S: Windows Firewall settings were restored to the default values." - href: event-4949.md - - name: "Event 4950 S: A Windows Firewall setting has changed." - href: event-4950.md - - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall." - href: event-4951.md - - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced." - href: event-4952.md - - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed." - href: event-4953.md - - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied." 
- href: event-4954.md - - name: "Event 4956 S: Windows Firewall has changed the active profile." - href: event-4956.md - - name: "Event 4957 F: Windows Firewall did not apply the following rule." - href: event-4957.md - - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer." - href: event-4958.md - - name: Audit Other Policy Change Events - href: audit-other-policy-change-events.md - items: - - name: "Event 4714 S: Encrypted data recovery policy was changed." - href: event-4714.md - - name: "Event 4819 S: Central Access Policies on the machine have been changed." - href: event-4819.md - - name: "Event 4826 S: Boot Configuration Data loaded." - href: event-4826.md - - name: "Event 4909: The local policy settings for the TBS were changed." - href: event-4909.md - - name: "Event 4910: The group policy settings for the TBS were changed." - href: event-4910.md - - name: "Event 5063 S, F: A cryptographic provider operation was attempted." - href: event-5063.md - - name: "Event 5064 S, F: A cryptographic context operation was attempted." - href: event-5064.md - - name: "Event 5065 S, F: A cryptographic context modification was attempted." - href: event-5065.md - - name: "Event 5066 S, F: A cryptographic function operation was attempted." - href: event-5066.md - - name: "Event 5067 S, F: A cryptographic function modification was attempted." - href: event-5067.md - - name: "Event 5068 S, F: A cryptographic function provider operation was attempted." - href: event-5068.md - - name: "Event 5069 S, F: A cryptographic function property operation was attempted." - href: event-5069.md - - name: "Event 5070 S, F: A cryptographic function property modification was attempted." - href: event-5070.md - - name: "Event 5447 S: A Windows Filtering Platform filter has been changed." - href: event-5447.md - - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully." 
- href: event-6144.md
- - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects."
- href: event-6145.md
- - name: Audit Sensitive Privilege Use
- href: audit-sensitive-privilege-use.md
- items:
- - name: "Event 4673 S, F: A privileged service was called."
- href: event-4673.md
- - name: "Event 4674 S, F: An operation was attempted on a privileged object."
- href: event-4674.md
- - name: "Event 4985 S: The state of a transaction has changed."
- href: event-4985.md
- - name: Audit Non Sensitive Privilege Use
- href: audit-non-sensitive-privilege-use.md
- items:
- - name: "Event 4673 S, F: A privileged service was called."
- href: event-4673.md
- - name: "Event 4674 S, F: An operation was attempted on a privileged object."
- href: event-4674.md
- - name: "Event 4985 S: The state of a transaction has changed."
- href: event-4985.md
- - name: Audit Other Privilege Use Events
- href: audit-other-privilege-use-events.md
- items:
- - name: "Event 4985 S: The state of a transaction has changed."
- href: event-4985.md
- - name: Audit IPsec Driver
- href: audit-ipsec-driver.md
- - name: Audit Other System Events
- href: audit-other-system-events.md
- items:
- - name: "Event 5024 S: The Windows Firewall Service has started successfully."
- href: event-5024.md
- - name: "Event 5025 S: The Windows Firewall Service has been stopped."
- href: event-5025.md
- - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy."
- href: event-5027.md
- - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy."
- href: event-5028.md
- - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy."
- href: event-5029.md
- - name: "Event 5030 F: The Windows Firewall Service failed to start."
- href: event-5030.md
- - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network."
- href: event-5032.md
- - name: "Event 5033 S: The Windows Firewall Driver has started successfully."
- href: event-5033.md
- - name: "Event 5034 S: The Windows Firewall Driver was stopped."
- href: event-5034.md
- - name: "Event 5035 F: The Windows Firewall Driver failed to start."
- href: event-5035.md
- - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating."
- href: event-5037.md
- - name: "Event 5058 S, F: Key file operation."
- href: event-5058.md
- - name: "Event 5059 S, F: Key migration operation."
- href: event-5059.md
- - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content."
- href: event-6400.md
- - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded."
- href: event-6401.md
- - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted."
- href: event-6402.md
- - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client."
- href: event-6403.md
- - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate."
- href: event-6404.md
- - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred."
- href: event-6405.md
- - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2."
- href: event-6406.md
- - name: "Event 6407: 1%."
- href: event-6407.md
- - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2."
- href: event-6408.md
- - name: "Event 6409: BranchCache: A service connection point object could not be parsed."
- href: event-6409.md
- - name: Audit Security State Change
- href: audit-security-state-change.md
- items:
- - name: "Event 4608 S: Windows is starting up."
- href: event-4608.md
- - name: "Event 4616 S: The system time was changed."
- href: event-4616.md
- - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail."
- href: event-4621.md
- - name: Audit Security System Extension
- href: audit-security-system-extension.md
- items:
- - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority."
- href: event-4610.md
- - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority."
- href: event-4611.md
- - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager."
- href: event-4614.md
- - name: "Event 4622 S: A security package has been loaded by the Local Security Authority."
- href: event-4622.md
- - name: "Event 4697 S: A service was installed in the system."
- href: event-4697.md
- - name: Audit System Integrity
- href: audit-system-integrity.md
- items:
- - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits."
- href: event-4612.md
- - name: "Event 4615 S: Invalid use of LPC port."
- href: event-4615.md
- - name: "Event 4618 S: A monitored security event pattern has occurred."
- href: event-4618.md
- - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message."
- href: event-4816.md
- - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid."
- href: event-5038.md
- - name: "Event 5056 S: A cryptographic self-test was performed."
- href: event-5056.md
- - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed."
- href: event-5062.md
- - name: "Event 5057 F: A cryptographic primitive operation failed."
- href: event-5057.md
- - name: "Event 5060 F: Verification operation failed."
- href: event-5060.md
- - name: "Event 5061 S, F: Cryptographic operation."
- href: event-5061.md
- - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid."
- href: event-6281.md
- - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process."
- href: event-6410.md
- - name: Other Events
- href: other-events.md
- items:
- - name: "Event 1100 S: The event logging service has shut down."
- href: event-1100.md
- - name: "Event 1102 S: The audit log was cleared."
- href: event-1102.md
- - name: "Event 1104 S: The security log is now full."
- href: event-1104.md
- - name: "Event 1105 S: Event log automatic backup."
- href: event-1105.md
- - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1."
- href: event-1108.md
- - name: "Appendix A: Security monitoring recommendations for many audit events"
- href: appendix-a-security-monitoring-recommendations-for-many-audit-events.md
- - name: Registry (Global Object Access Auditing)
- href: registry-global-object-access-auditing.md
- - name: File System (Global Object Access Auditing)
- href: file-system-global-object-access-auditing.md
- - name: Windows security
- href: /windows/security/
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
deleted file mode 100644
index 4c63211e0c..0000000000
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ /dev/null
@@ -1,174 +0,0 @@
----
-title: Advanced security audit policy settings
-description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
-ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
-ms.author: vinpa
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: reference
-ms.date: 09/06/2021
----
-
-# Advanced security audit policy settings (Windows 10)
-
-This reference for IT professionals provides information about:
-- The advanced audit policy settings available in Windows
-- The audit events that these settings generate.
-
-The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
-
-- A group administrator has modified settings or data on servers that contain finance information.
-- An employee within a defined group has accessed an important file.
-- The correct system access control list (SACL) - as a verifiable safeguard against undetected access - is applied to either of the following:
- - every file and folder
- - registry key on a computer
- - file share.
-
-You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.
-
-These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for the following types of behaviors:
-- That are of little or no concern to you
-- That create an excessive number of log entries.
-
-In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
-Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
-
-## Account Logon
-
-Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, Account Logon settings and events focus on the account database that is used. This category includes the following subcategories:
-
-- [Audit Credential Validation](audit-credential-validation.md)
-- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
-- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
-- [Audit Other Account Logon Events](audit-other-account-logon-events.md)
-
-## Account Management
-
-The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
-
-- [Audit Application Group Management](audit-application-group-management.md)
-- [Audit Computer Account Management](audit-computer-account-management.md)
-- [Audit Distribution Group Management](audit-distribution-group-management.md)
-- [Audit Other Account Management Events](audit-other-account-management-events.md)
-- [Audit Security Group Management](audit-security-group-management.md)
-- [Audit User Account Management](audit-user-account-management.md)
-
-## Detailed Tracking
-
-Detailed Tracking security policy settings and audit events can be used for the following purposes:
-- To monitor the activities of individual applications and users on that computer
-- To understand how a computer is being used.
-
-This category includes the following subcategories:
-
-- [Audit DPAPI Activity](audit-dpapi-activity.md)
-- [Audit PNP activity](audit-pnp-activity.md)
-- [Audit Process Creation](audit-process-creation.md)
-- [Audit Process Termination](audit-process-termination.md)
-- [Audit RPC Events](audit-rpc-events.md)
-- [Audit Token Right Adjusted](audit-token-right-adjusted.md)
-
-## DS Access
-
-DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
-
-- [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
-- [Audit Directory Service Access](audit-directory-service-access.md)
-- [Audit Directory Service Changes](audit-directory-service-changes.md)
-- [Audit Directory Service Replication](audit-directory-service-replication.md)
-
-## Logon/Logoff
-
-Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
-
-- [Audit Account Lockout](audit-account-lockout.md)
-- [Audit User/Device Claims](audit-user-device-claims.md)
-- [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
-- [Audit Group Membership](audit-group-membership.md)
-- [Audit IPsec Main Mode](audit-ipsec-main-mode.md)
-- [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)
-- [Audit Logoff](audit-logoff.md)
-- [Audit Logon](audit-logon.md)
-- [Audit Network Policy Server](audit-network-policy-server.md)
-- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-- [Audit Special Logon](audit-special-logon.md)
-
-## Object Access
-
-Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations; the Registry subcategory needs to be enabled to audit registry accesses.
-
-Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
-
-This category includes the following subcategories:
-
-- [Audit Application Generated](audit-application-generated.md)
-- [Audit Certification Services](audit-certification-services.md)
-- [Audit Detailed File Share](audit-detailed-file-share.md)
-- [Audit File Share](audit-file-share.md)
-- [Audit File System](audit-file-system.md)
-- [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-- [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
-- [Audit Handle Manipulation](audit-handle-manipulation.md)
-- [Audit Kernel Object](audit-kernel-object.md)
-- [Audit Other Object Access Events](audit-other-object-access-events.md)
-- [Audit Registry](audit-registry.md)
-- [Audit Removable Storage](audit-removable-storage.md)
-- [Audit SAM](audit-sam.md)
-- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
-
-## Policy Change
-
-Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, tracking changes (or its attempts) to these policies is an important aspect of security management for a network. This category includes the following subcategories:
-
-- [Audit Audit Policy Change](audit-audit-policy-change.md)
-- [Audit Authentication Policy Change](audit-authentication-policy-change.md)
-- [Audit Authorization Policy Change](audit-authorization-policy-change.md)
-- [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
-- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
-- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
-
-## Privilege Use
-
-Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
-
-- [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
-- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
-- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
-
-## System
-
-System security policy settings and audit events allow you to track the following types of system-level changes to a computer:
-- Not included in other categories
-- Have potential security implications.
-
-This category includes the following subcategories:
-
-- [Audit IPsec Driver](audit-ipsec-driver.md)
-- [Audit Other System Events](audit-other-system-events.md)
-- [Audit Security State Change](audit-security-state-change.md)
-- [Audit Security System Extension](audit-security-system-extension.md)
-- [Audit System Integrity](audit-system-integrity.md)
-
-## Global Object Access Auditing
-
-Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
-Auditors can prove that every resource in the system is protected by an audit policy. They can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
-
-Resource SACLs are also useful for diagnostic scenarios. For example, administrators quickly identify which object in a system is denying a user access by:
-- Setting the Global Object Access Auditing policy to log all the activities for a specific user
-- Enabling the policy to track "Access denied" events for the file system or registry can help
-
-> [!NOTE]
-> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
-
-This category includes the following subcategories:
-- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
-- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
-
-## Related topics
-
-- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
deleted file mode 100644
index 768de067a0..0000000000
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
+++ /dev/null
@@ -1,175 +0,0 @@
-### YamlMime:FAQ
-metadata:
- title: Advanced security auditing FAQ
- description: This article lists common questions and answers about understanding, deploying, and managing security audit policies.
- author: vinaypamnani-msft
- ms.author: vinpa
- manager: aaroncz
- ms.topic: faq
- ms.date: 05/24/2022
-
-title: Advanced security auditing FAQ
-
-summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
-
-sections:
- - name: Ignored
- questions:
- - question: |
- What is Windows security auditing and why might I want to use it?
- answer: |
- Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is the features and services for an administrator to log and review events for specified security-related activities.
-
- Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
-
- - question: |
- What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
- answer: |
- The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they're recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you're editing the effective audit policy. Changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
-
- There are several other differences between the security audit policy settings in these two locations.
-
- There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
- Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account sign-in, and the advanced audit policy provides four. Enabling the single basic setting would be the equivalent of setting all four advanced settings. In comparison, setting a single advanced audit policy setting doesn't generate audit events for activities that you aren't interested in tracking.
-
- In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account sign-in activities. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
-
- The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** and the advanced audit policy settings are available in all supported versions of Windows.
-
- - question: |
- What is the interaction between basic audit policy settings and advanced audit policy settings?
- answer: |
- Basic audit policy settings aren't compatible with advanced audit policy settings that are applied by using group policy. When advanced audit policy settings are applied by using group policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using group policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
-
- Editing and applying the advanced audit policy settings in Local Security Policy modifies the local group policy object (GPO). If there are policies from other domain GPOs or logon scripts, changes made here may not be exactly reflected in Auditpol.exe. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. Because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain group policy settings are reflected as soon as the new policy is applied.
-
- > [!Important]
- > Whether you apply advanced audit policies by using group policy or by using logon scripts, don't use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
-
- If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
-
- - question: |
- How are audit settings merged by group policy?
- answer: |
- By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
-
- For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level. The only exception is if you take special steps to apply group policy loopback processing.
-
- The rules that govern how group policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
-
-
- | Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
- | - | - | - |-|
- | Detailed File Share Auditing | Success | Failure | Success |
- | Process Creation Auditing | Disabled | Success | Disabled |
- | Logon Auditing | Failure | Success | Failure |
-
- - question: |
- What is the difference between an object DACL and an object SACL?
- answer: |
- All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
-
- - A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
- - A system access control list (SACL) that controls how access is audited
-
- The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
-
- If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing isn't configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
-
- - question: |
- Why are audit policies applied on a per-computer basis rather than per user?
- answer: |
- In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
-
- Audit policy capabilities can vary between computers running different versions of Windows. The best way to make sure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
-
-However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. Because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
-
- - question: |
- Are there any differences in auditing functionality between versions of Windows?
- answer: |
- No. Basic and advanced audit policy settings are available in all supported versions of Windows. They can be configured and applied by local or domain group policy settings.
-
- - question: |
- What is the difference between success and failure events? Is something wrong if I get a failure audit?
- answer: |
- A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
-
- A failure audit event is triggered when a defined action, such as a user sign-in, isn't completed successfully.
-
- The appearance of failure audit events in the event log doesn't necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password.
-
- - question: |
- How can I set an audit policy that affects all objects on a computer?
- answer: |
- System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This requirement has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
-
- Security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected. It's also useful to identify when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This behavior also applies to a single registry setting SACL and a global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
-
- - question: |
- How do I figure out why someone was able to access a resource?
- answer: |
- Often it isn't enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
-
- - question: |
- How do I know when changes are made to access control settings, by whom, and what the changes were?
- answer: | - To track access control changes, you need to enable the following settings, which track changes to DACLs: - - **Audit File System** subcategory: Enable for success, failure, or success and failure - - **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure - - A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor - - - question: | - How can I roll back security audit policies from the advanced audit policy to the basic audit policy? - answer: | - Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you later change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings: - - 1. Set all Advanced Audit Policy subcategories to **Not configured**. - 2. Delete all audit.csv files from the `%SYSVOL%` folder on the domain controller. - 3. Reconfigure and apply the basic audit policy settings. - - Unless you complete all of these steps, the basic audit policy settings won't be restored. - - - question: | - How can I monitor if changes are made to audit policy settings? - answer: | - Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place: - - - Permissions and audit settings on the audit policy object are changed - - The system audit policy is changed - - Security event sources are registered or unregistered - - Per-user audit settings are changed - - The value of **CrashOnAuditFail** is modified - - Audit settings on a file or registry key are changed - - A Special Groups list is changed - - - question: | - How can I minimize the number of events that are generated? 
- answer: | - Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md). - - - question: | - What are the best tools to model and manage audit policies? - answer: | - The integration of advanced audit policy settings with domain is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy group policy objects for a domain can also be used to plan and deploy security audit policies. - On an individual computer, the `Auditpol` command-line tool can be used to complete many important audit policy-related management tasks. - - There are also other computer management products, such as the Audit Collection Services in System Center Operations Manager, which can be used to collect and filter event data. For more information, see [How to install an Audit Collection Services (ACS) collector and database](/system-center/scom/deploy-install-acs). - - - question: | - Where can I find information about all the possible events that I might receive? - answer: | - Users who examine the security event log for the first time can be a bit overwhelmed. The number of audit events that are stored there can quickly number in the thousands. The structured information that's included for each audit event can also be confusing. 
For more information about these events, and the settings used to generate them, see the following resources: - - - [Windows security audit events](https://www.microsoft.com/download/details.aspx?id=50034) - - [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630) - - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - - question: | - Where can I find more detailed information? - answer: | - To learn more about security audit policies, see the following resources: - - - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) - - [Windows 8 and Windows Server 2012 security event details](https://www.microsoft.com/download/details.aspx?id=35753) - - [Security audit events for Windows 7 and Windows Server 2008 R2](https://www.microsoft.com/download/details.aspx?id=21561) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md deleted file mode 100644 index 84c93ea504..0000000000 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -title: Advanced security audit policies -description: Advanced security audit policy settings might appear to overlap with basic policies, but they're recorded and applied differently. Learn more about them here. -ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/6/2021 ---- - -# Advanced security audit policies - -Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently. -When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you're editing the effective audit policy, so changes made to basic audit policy settings appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy. - -## In this section - -| Article | Description | -| - | - | -| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This article for IT professionals explains the options that security policy planners must consider, and the tasks that they must complete, to deploy an effective security audit policy in a network that includes advanced security audit policies | -| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. 
-| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. -| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings in Windows and the audit events that they generate. diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md deleted file mode 100644 index 2ddc4a8249..0000000000 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -title: Appendix A, Security monitoring recommendations for many audit events -description: Learn about recommendations for the type of monitoring required for certain classes of security audit events. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# Appendix A: Security monitoring recommendations for many audit events - - -This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix. - -| **Type of monitoring required** | **Recommendation** | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the allowlist of accounts. | -| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. | -| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. 
| -| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md deleted file mode 100644 index 5e7b8bfd19..0000000000 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -title: Apply a basic audit policy on a file or folder -description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log. -ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.collection: - - highpri - - tier3 -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Apply a basic audit policy on a file or folder - -You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. - -To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights. - -**To apply or modify auditing policy settings for a local file or folder** - -1. Select and hold (or right-click) the file or folder that you want to audit, select **Properties**, and then select the **Security** tab. -2. Select **Advanced**. -3. In the **Advanced Security Settings** dialog box, select the **Auditing** tab, and then select **Continue**. -4. Do one of the following tasks: - - To set up auditing for a new user or group, select **Add**. Select **Select a principal**, type the name of the user or group that you want, and then select **OK**. - - To remove auditing for an existing group or user, select the group or user name, select **Remove**, select **OK**, and then skip the rest of this procedure. - - To view or change auditing for an existing group or user, select its name, and then select **Edit.** -5. 
In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes: - - To audit successful events, select **Success.** - - To audit failure events, select **Fail.** - - To audit all events, select **All.** - - - -6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These objects include: - - - **This folder only** - - **This folder, subfolders and files** - - **This folder and subfolders** - - **This folder and files** - - **Subfolders and files only** - - **Subfolders only** - - **Files only** - -7. By default, the selected **Basic Permissions** to audit are the following: - - **Read and execute** - - **List folder contents** - - **Read** - - Additionally, with your selected audit combination, you can select any combination of the following permissions: - - **Full control** - - **Modify** - - **Write** - -> [!IMPORTANT] -> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited. -  -## More considerations - -- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes. -- You can set up file and folder auditing only on NTFS drives. -- Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer. -  -  diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md deleted file mode 100644 index e4bbde6028..0000000000 
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md +++ /dev/null @@ -1,38 +0,0 @@ ---- -title: Audit Account Lockout -description: The policy setting, Audit Account Lockout, enables you to audit security events generated by a failed attempt to log on to an account that is locked out. -ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Account Lockout - -Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out. - -If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. - -Account lockout events are essential for understanding user activity and detecting potential attacks. - -**Event volume**: Low. - -This subcategory failure logon attempts, when account was already locked out. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
                This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. | -| Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
                This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. | -| Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
                This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. | - -**Events List:** - -- [4625](event-4625.md)(F): An account failed to log on. - diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md deleted file mode 100644 index 3c22b0237f..0000000000 --- a/windows/security/threat-protection/auditing/audit-application-generated.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: Audit Application Generated -description: The policy setting, Audit Application Generated, determines if audit events are generated when applications attempt to use the Windows Auditing APIs. -ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Application Generated - -Audit Application Generated generates events for actions related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)). - -Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|----------| -| Domain Controller | IF | IF | IF | IF | IF – if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. | -| Member Server | IF | IF | IF | IF | IF – if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. 
| -| Workstation | IF | IF | IF | IF | IF – if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. | - -**Events List:** - -- 4665: An attempt was made to create an application client context. - -- 4666: An application attempted an operation. - -- 4667: An application client context was deleted. - -- 4668: An application was initialized. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md deleted file mode 100644 index fd489adaac..0000000000 --- a/windows/security/threat-protection/auditing/audit-application-group-management.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: Audit Application Group Management -description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed. -ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Application Group Management - -Audit Application Group Management generates events for actions related to [application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)), such as group creation, modification, addition or removal of group member and some other actions. - -[Application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)) are used by [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)). - -Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------| -| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. | -| Member Server | - | - | - | - | This subcategory is outside the scope of this document. | -| Workstation | - | - | - | - | This subcategory is outside the scope of this document. | - -- 4783(S): A basic application group was created. - -- 4784(S): A basic application group was changed. 
- -- 4785(S): A member was added to a basic application group. - -- 4786(S): A member was removed from a basic application group. - -- 4787(S): A non-member was added to a basic application group. - -- 4788(S): A non-member was removed from a basic application group. - -- 4789(S): A basic application group was deleted. - -- 4790(S): An LDAP query group was created. - -- 4791(S): An LDAP query group was changed. - -- 4792(S): An LDAP query group was deleted. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md deleted file mode 100644 index d1291e568e..0000000000 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -title: Audit Audit Policy Change -description: The Advanced Security Audit policy setting, Audit Audit Policy Change, determines if audit events are generated when changes are made to audit policy. -ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Audit Policy Change - - -Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy. - -**Event volume**: Low. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -Changes to audit policy that are audited include: - -- Changing permissions and audit settings on the audit policy object (by using “auditpol /set /sd” command). - -- Changing the system audit policy. - -- Registering and unregistering security event sources. - -- Changing per-user audit settings. - -- Changing the value of CrashOnAuditFail. - -- Changing audit settings on an object (for example, modifying the system access control list ([SACL](/windows/win32/secauthz/access-control-lists)) for a file or registry key). - -> **Note**  [SACL](/windows/win32/secauthz/access-control-lists) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change. - -- Changing anything in the Special Groups list. - -The following events will be enabled with Success auditing in this subcategory: - -- [4902](event-4902.md)(S): The Per-user audit policy table was created. - -- [4907](event-4907.md)(S): Auditing settings on object were changed. - -- [4904](event-4904.md)(S): An attempt was made to register a security event source. - -- [4905](event-4905.md)(S): An attempt was made to unregister a security event source. - -All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting. - -**Events List:** - -- [4715](event-4715.md)(S): The audit policy (SACL) on an object was changed. - -- [4719](event-4719.md)(S): System audit policy was changed. - -- [4817](event-4817.md)(S): Auditing settings on object were changed. - -- [4902](event-4902.md)(S): The Per-user audit policy table was created. - -- [4906](event-4906.md)(S): The CrashOnAuditFail value has changed. 
- -- [4907](event-4907.md)(S): Auditing settings on object were changed. - -- [4908](event-4908.md)(S): Special Groups Logon table modified. - -- [4912](event-4912.md)(S): Per User Audit Policy was changed. - -- [4904](event-4904.md)(S): An attempt was made to register a security event source. - -- [4905](event-4905.md)(S): An attempt was made to unregister a security event source. diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md deleted file mode 100644 index 7ab38720e0..0000000000 --- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -title: Audit Authentication Policy Change -description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed. -ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Authentication Policy Change - -Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy. - -Changes made to authentication policy include: - -- Creation, modification, and removal of forest and domain trusts. - -- Changes to Kerberos policy under Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy. - -- When any of the following user logon rights is granted to a user or group: - - - Access this computer from the network - - - Allow logon locally - - - Allow logon through Remote Desktop - - - Logon as a batch job - - - Logon as a service - -- Namespace collision, such as when an added trust collides with an existing namespace name. - -This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups. - -**Event volume**: Low. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | On domain controllers, it is important to enable Success audit for this subcategory to be able to get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | On member servers it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | On workstations it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4670](event-4670.md)(S): Permissions on an object were changed - -- [4706](event-4706.md)(S): A new trust was created to a domain. - -- [4707](event-4707.md)(S): A trust to a domain was removed. - -- [4716](event-4716.md)(S): Trusted domain information was modified. - -- [4713](event-4713.md)(S): Kerberos policy was changed. - -- [4717](event-4717.md)(S): System security access was granted to an account. - -- [4718](event-4718.md)(S): System security access was removed from an account. - -- [4739](event-4739.md)(S): Domain Policy was changed. - -- [4864](event-4864.md)(S): A namespace collision was detected. - -- [4865](event-4865.md)(S): A trusted forest information entry was added. - -- [4866](event-4866.md)(S): A trusted forest information entry was removed. - -- [4867](event-4867.md)(S): A trusted forest information entry was modified. - diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md deleted file mode 100644 index 5ad0e5fff3..0000000000 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -title: Audit Authorization Policy Change -description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy. -ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Authorization Policy Change - -Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects. - -**Event volume**: Medium to High. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
                However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
                If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
                However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
                If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
                However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
                If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4703](event-4703.md)(S): A user right was adjusted. - -- [4704](event-4704.md)(S): A user right was assigned. - -- [4705](event-4705.md)(S): A user right was removed. - -- [4670](event-4670.md)(S): Permissions on an object were changed. - -- [4911](event-4911.md)(S): Resource attributes of the object were changed. - -- [4913](event-4913.md)(S): Central Access Policy on the object was changed. - diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md deleted file mode 100644 index dbadfb80dd..0000000000 --- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: Audit Central Access Policy Staging -description: The Advanced Security Audit policy setting, Audit Central Access Policy Staging, determines permissions on a Central Access Policy. -ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Central Access Policy Staging - -Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object. - -If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows: - -- Success audits, when configured, record access attempts when the current central access policy grants access, but the proposed policy denies access. - -- Failure audits, when configured, record access attempts when: - - - The current central access policy does not grant access, but the proposed policy grants access. - - - A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md deleted file mode 100644 index 1818d6abea..0000000000 --- a/windows/security/threat-protection/auditing/audit-certification-services.md +++ /dev/null 
@@ -1,117 +0,0 @@ ---- -title: Audit Certification Services -description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed. -ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Certification Services - -Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. - -Examples of AD CS operations include: - -- AD CS starts, shuts down, is backed up, or is restored. - -- Certificate revocation list (CRL)-related tasks are performed. - -- Certificates are requested, issued, or revoked. - -- Certificate manager settings for AD CS are changed. - -- The configuration and properties of the certification authority (CA) are changed. - -- AD CS templates are modified. - -- Certificates are imported. - -- A CA certificate is published to Active Directory Domain Services. - -- Security permissions for AD CS role services are modified. - -- Keys are archived, imported, or retrieved. - -- The OCSP Responder Service is started or stopped. - -Monitoring these operational events is important to ensure that AD CS role services are functioning properly. - -**Event volume: Low to medium on servers that provide AD CS role services.** - -Role-specific subcategories are outside the scope of this document. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | -| Member Server | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | -| Workstation | No | No | No | No | [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role cannot be installed on client OS. | - -- 4868: The certificate manager denied a pending certificate request. - -- 4869: Certificate Services received a resubmitted certificate request. - -- 4870: Certificate Services revoked a certificate. - -- 4871: Certificate Services received a request to publish the certificate revocation list (CRL). - -- 4872: Certificate Services published the certificate revocation list (CRL). - -- 4873: A certificate request extension changed. - -- 4874: One or more certificate request attributes changed. - -- 4875: Certificate Services received a request to shut down. - -- 4876: Certificate Services backup started. - -- 4877: Certificate Services backup completed. - -- 4878: Certificate Services restore started. - -- 4879: Certificate Services restore completed. - -- 4880: Certificate Services started. - -- 4881: Certificate Services stopped. - -- 4882: The security permissions for Certificate Services changed. 
- -- 4883: Certificate Services retrieved an archived key. - -- 4884: Certificate Services imported a certificate into its database. - -- 4885: The audit filter for Certificate Services changed. - -- 4886: Certificate Services received a certificate request. - -- 4887: Certificate Services approved a certificate request and issued a certificate. - -- 4888: Certificate Services denied a certificate request. - -- 4889: Certificate Services set the status of a certificate request to pending. - -- 4890: The certificate manager settings for Certificate Services changed. - -- 4891: A configuration entry changed in Certificate Services. - -- 4892: A property of Certificate Services changed. - -- 4893: Certificate Services archived a key. - -- 4894: Certificate Services imported and archived a key. - -- 4895: Certificate Services published the CA certificate to Active Directory Domain Services. - -- 4896: One or more rows have been deleted from the certificate database. - -- 4897: Role separation enabled. - -- 4898: Certificate Services loaded a template. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md deleted file mode 100644 index 836f66077c..0000000000 --- a/windows/security/threat-protection/auditing/audit-computer-account-management.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: Audit Computer Account Management -description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted. -ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Computer Account Management - - -Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted. - -This policy setting is useful for tracking account-related changes to computers that are members of a domain. - -**Event volume**: Low on domain controllers. - -This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted.
                Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken.
                Typically volume of these events is low on domain controllers.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. | -| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. | - -**Events List:** - -- [4741](event-4741.md)(S): A computer account was created. - -- [4742](event-4742.md)(S): A computer account was changed. - -- [4743](event-4743.md)(S): A computer account was deleted. - diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md deleted file mode 100644 index 776717c166..0000000000 --- a/windows/security/threat-protection/auditing/audit-credential-validation.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -title: Audit Credential Validation -description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted. -ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Credential Validation - - -Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request. - -These events occur on the computer that is authoritative for the credentials as follows: - -- For domain accounts, the domain controller is authoritative. - -- For local accounts, the local computer is authoritative. - -**Event volume**: - -- High on domain controllers. - -- Low on member servers and workstations. - -Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events. - -The main reason to enable this auditing subcategory is to handle local accounts authentication attempts and, for domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | Yes | Yes | Yes | Expected volume of events is high for domain controllers, because this subcategory will generate events when an authentication attempt is made using any domain account and NTLM authentication.
                IF – We recommend Success auditing to keep track of domain-account authentication events using the NTLM protocol. Expect a high volume of events. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Just collecting Success auditing events in this subcategory for future use in case of a security incident is not very useful, because events in this subcategory are not always informative.
                We recommend Failure auditing, to collect information about failed authentication attempts using domain accounts and the NTLM authentication protocol. | -| Member Server | Yes | Yes | Yes | Yes | Expected volume of events is low for member servers, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.
                We recommend Success auditing, to keep track of authentication events by local accounts.
                We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. | -| Workstation | Yes | Yes | Yes | Yes | Expected volume of events is low for workstations, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.
                We recommend Success auditing, to keep track of authentication events by local accounts.
                We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. | - -**Events List:** - -- [4774](event-4774.md)(S, F): An account was mapped for logon. - -- [4775](event-4775.md)(F): An account could not be mapped for logon. - -- [4776](event-4776.md)(S, F): The computer attempted to validate the credentials for an account. - -- [4777](event-4777.md)(F): The domain controller failed to validate the credentials for an account. - diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md deleted file mode 100644 index 7f07a68413..0000000000 --- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: Audit Detailed Directory Service Replication -description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers -ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Detailed Directory Service Replication - - -Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. - -This audit subcategory can be useful to diagnose replication issues. - -**Event volume**: These events can create a very high volume of event data on domain controllers. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting. | -| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | -| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | - -**Events List:** - -- [4928](event-4928.md)(S, F): An Active Directory replica source naming context was established. 
- -- [4929](event-4929.md)(S, F): An Active Directory replica source naming context was removed. - -- [4930](event-4930.md)(S, F): An Active Directory replica source naming context was modified. - -- [4931](event-4931.md)(S, F): An Active Directory replica destination naming context was modified. - -- [4934](event-4934.md)(S): Attributes of an Active Directory object were replicated. - -- [4935](event-4935.md)(F): Replication failure begins. - -- [4936](event-4936.md)(S): Replication failure ends. - -- [4937](event-4937.md)(S): A lingering object was removed from a replica. - diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md deleted file mode 100644 index 0b41ec8acd..0000000000 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ /dev/null 
@@ -1,43 +0,0 @@
----
-title: Audit Detailed File Share
-description: The Advanced Security Audit policy setting, Audit Detailed File Share, allows you to audit attempts to access files and folders on a shared folder.
-ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Detailed File Share
-
-
-Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.
-
-The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
-
-There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
-
-**Event volume**:
-
-- High on file servers.
-
-- High on domain controllers because of SYSVOL network access required by Group Policy.
-
-- Low on member servers and workstations.
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.
                We recommend monitoring Failure access attempts: the volume shouldn't be high. You will be able to see who wasn't able to get access to a file or folder on a network share on a computer. |
-| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
                The volume of Failure events for member servers shouldn't be high (if they aren't File Servers). With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
-| Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
                The volume of Failure events for workstations shouldn't be high. With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
-
-**Events List:**
-
-- [5145](event-5145.md)(S, F): A network share object was checked to see whether client can be granted desired access.
-
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
deleted file mode 100644
index 2a83b4b3ec..0000000000
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Audit Directory Service Access
-description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (AD DS) object is accessed.
-ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Directory Service Access
-
-
-Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
-
-**Event volume**: High on servers running AD DS role services.
-
-This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
                For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](/windows/win32/secauthz/access-control-lists) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. |
-| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
-| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
-
-**Events List:**
-
-- [4662](event-4662.md)(S, F): An operation was performed on an object.
-
-- [4661](event-4661.md)(S, F): A handle to an object was requested.
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
deleted file mode 100644
index d746cc2a12..0000000000
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Audit Directory Service Changes
-description: The policy setting Audit Directory Service Changes determines if audit events are generated when objects in Active Directory Domain Services (AD DS) are changed
-ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Directory Service Changes
-
-
-Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
-
-Auditing of directory service objects can provide information about the old and new properties of the objects that were changed.
-
-Audit events are generated only for objects with configured system access control lists ([SACLs](/windows/win32/secauthz/access-control-lists)), and only when they are accessed in a manner that matches their [SACL](/windows/win32/secauthz/access-control-lists) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
-
-This subcategory only logs events on domain controllers.
-
-**Event volume**: High on domain controllers.
-
-This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or deleted.
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](/previous-versions/technet-magazine/ee361593(v=msdn.10)) container or Domain Admins group objects.
                This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.
                For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](/windows/win32/secauthz/access-control-lists) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
-| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
-
-**Events List:**
-
-- [5136](event-5136.md)(S): A directory service object was modified.
-
-- [5137](event-5137.md)(S): A directory service object was created.
-
-- [5138](event-5138.md)(S): A directory service object was undeleted.
-
-- [5139](event-5139.md)(S): A directory service object was moved.
-
-- [5141](event-5141.md)(S): A directory service object was deleted.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
deleted file mode 100644
index c3efe2134f..0000000000
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ /dev/null
@@ -1,35 +0,0 @@ ---- -title: Audit Directory Service Replication -description: Audit Directory Service Replication is a policy setting that decides if audit events are created when replication between two domain controllers begins or ends. -ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Directory Service Replication - - -Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends. - -**Event volume**: Medium on domain controllers. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting. | -| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | -| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | - -**Events List:** - -- [4932](event-4932.md)(S): Synchronization of a replica of an Active Directory naming context has begun. - -- [4933](event-4933.md)(S, F): Synchronization of a replica of an Active Directory naming context has ended. - 
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
deleted file mode 100644
index 87cfeca376..0000000000
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Audit Distribution Group Management
-description: The policy setting, Audit Distribution Group Management, determines if audit events are generated for specific distribution-group management tasks.
-ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Distribution Group Management
-
-
-Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
-
-This subcategory generates events only on domain controllers.
-
-**Event volume**: Low on domain controllers.
-
-This subcategory allows you to audit events generated by changes to distribution groups such as the following:
-
-- Distribution group is created, changed, or deleted.
-
-- Member is added or removed from a distribution group.
-
-If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A group’s type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF | No | IF | No | IF - Typically, actions related to distribution groups have low security relevance. It is much more important to monitor Security Group changes. However, if you want to monitor for critical distribution groups changes, such as if a member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.
                Typically, volume of these events is low on domain controllers.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
-| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
-
-**Events List:**
-
-- [4749](event-4749.md)(S): A security-disabled global group was created.
-
-- [4750](event-4750.md)(S): A security-disabled global group was changed.
-
-- [4751](event-4751.md)(S): A member was added to a security-disabled global group.
-
-- [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
-
-- [4753](event-4753.md)(S): A security-disabled global group was deleted.
-
-- 4759(S): A security-disabled universal group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4759 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4760(S): A security-disabled universal group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4760 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4761(S): A member was added to a security-disabled universal group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4761 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4762(S): A member was removed from a security-disabled universal group.
See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4762 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4763(S): A security-disabled universal group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4763 is the same, except it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4744(S): A security-disabled local group was created. See event _[4749](event-4749.md): A security-disabled global group was created._ Event 4744 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4745(S): A security-disabled local group was changed. See event _[4750](event-4750.md): A security-disabled global group was changed._ Event 4745 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4746(S): A member was added to a security-disabled local group. See event _[4751](event-4751.md): A member was added to a security-disabled global group._ Event 4746 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4747(S): A member was removed from a security-disabled local group.
See event _[4752](event-4752.md): A member was removed from a security-disabled global group._ Event 4747 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
-
-- 4748(S): A security-disabled local group was deleted. See event _[4753](event-4753.md): A security-disabled global group was deleted._ Event 4748 is the same, except it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
deleted file mode 100644
index f7a7cf3eaa..0000000000
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ /dev/null
@@ -1,38 +0,0 @@ ---- -title: Audit DPAPI Activity -description: The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls to the data protection application interface (DPAPI) generate audit events. -ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit DPAPI Activity - - -Audit [DPAPI](/previous-versions/ms995355(v=msdn.10)) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](/previous-versions/ms995355(v=msdn.10))). - -**Event volume**: Low. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | IF | IF | IF | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. | -| Member Server | IF | IF | IF | IF | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. | -| Workstation | IF | IF | IF | IF | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. 
|
-
-**Events List:**
-
-- [4692](event-4692.md)(S, F): Backup of data protection master key was attempted.
-
-- [4693](event-4693.md)(S, F): Recovery of data protection master key was attempted.
-
-- [4694](event-4694.md)(S, F): Protection of auditable protected data was attempted.
-
-- [4695](event-4695.md)(S, F): Unprotection of auditable protected data was attempted.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
deleted file mode 100644
index c57ba2e002..0000000000
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ /dev/null
@@ -1,51 +0,0 @@ ---- -title: Audit File Share -description: The Advanced Security Audit policy setting, Audit File Share, determines if the operating system generates audit events when a file share is accessed. -ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit File Share - - -Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks. - -There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited. - -Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. - -**Event volume**: - -- High on file servers. - -- High on domain controllers because of SYSVOL network access required by Group Policy. - -- Low on member servers and workstations. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing for domain controllers, because it’s important to track deletion, creation, and modification events for network shares.
                We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
-| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification, and access attempts to network share objects.
                We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
-| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification and access attempts to network share objects.
                We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
-
-**Events List:**
-
-- [5140](event-5140.md)(S, F): A network share object was accessed.
-
-- [5142](event-5142.md)(S): A network share object was added.
-
-- [5143](event-5143.md)(S): A network share object was modified.
-
-- [5144](event-5144.md)(S): A network share object was deleted.
-
-- [5168](event-5168.md)(F): SPN check for SMB/SMB2 failed.
-
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
deleted file mode 100644
index 689b7bd0e5..0000000000
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Audit File System
-description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects.
-ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit File System
-
-
-> [!NOTE]
-> For more details about applicability on older operating system versions, read the article [Audit File System](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)).
-
-Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
-
-Audit events are generated only for objects that have configured system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](/windows/win32/secauthz/access-control-lists).
-
-If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL.
-
-These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring.
-
-**Event volume**: Varies, depending on how file system [SACL](/windows/win32/secauthz/access-control-lists)s are configured.
-
-No audit events are generated for the default file system [SACL](/windows/win32/secauthz/access-control-lists)s.
- -This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions. - -Only one event, “[4658](event-4658.md): The handle to an object was closed,” depends on the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory (Success auditing must be enabled). All other events generate without any additional configuration. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](/windows/win32/secauthz/access-control-lists)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](/windows/win32/secauthz/access-control-lists)s. 
Otherwise the auditing log will be overloaded with useless information.
                Failure events can show you unsuccessful attempts to access specific file system objects.
                Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. |
-| Member Server | IF | IF | IF | IF | |
-| Workstation | IF | IF | IF | IF | |
-
-**Events List:**
-
-- [4656](event-4656.md)(S, F): A handle to an object was requested.
-
-- [4658](event-4658.md)(S): The handle to an object was closed.
-
-- [4660](event-4660.md)(S): An object was deleted.
-
-- [4663](event-4663.md)(S): An attempt was made to access an object.
-
-- [4664](event-4664.md)(S): An attempt was made to create a hard link.
-
-- [4985](event-4985.md)(S): The state of a transaction has changed.
-
-- [5051](event-5051.md)(-): A file was virtualized.
-
-- [4670](event-4670.md)(S): Permissions on an object were changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
deleted file mode 100644
index 8393e5be1c..0000000000
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Audit Filtering Platform Connection
-description: The policy setting, Audit Filtering Platform Connection, decides if audit events are generated when connections are allow/blocked by Windows Filtering Platform.
-ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Filtering Platform Connection
-
-
-Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
-
-Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
-
-This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and blocked to accept incoming connections applications.
-
-**Event volume**: High. 
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
                IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
-| Member Server | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
                IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
-| Workstation | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
                IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
-
-**Events List:**
-
-- [5031](event-5031.md)(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
-
-- [5150](event-5150.md)(-): The Windows Filtering Platform blocked a packet.
-
-- [5151](event-5151.md)(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
-
-- [5154](event-5154.md)(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-
-- [5155](event-5155.md)(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
-
-- [5156](event-5156.md)(S): The Windows Filtering Platform has permitted a connection.
-
-- [5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection.
-
-- [5158](event-5158.md)(S): The Windows Filtering Platform has permitted a bind to a local port.
-
-- [5159](event-5159.md)(F): The Windows Filtering Platform has blocked a bind to a local port.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
deleted file mode 100644
index 9c77101ee8..0000000000
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Audit Filtering Platform Packet Drop
-description: The policy setting, Audit Filtering Platform Packet Drop, determines if audit events are generated when packets are dropped by the Windows Filtering Platform.
-ms.assetid: 95457601-68d1-4385-af20-87916ddab906
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Filtering Platform Packet Drop
-
-
-Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
-
-Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
-
-A high rate of dropped packets *may* indicate that there have been attempts to gain unauthorized access to computers on your network.
-
-**Event volume**: High. 
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
                There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
-| Member Server | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
                There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
-| Workstation | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.
                There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
-
-**Events List:**
-
-- [5152](event-5152.md)(F): The Windows Filtering Platform blocked a packet.
-
-- [5153](event-5153.md)(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
deleted file mode 100644
index 9ab9af405b..0000000000
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Audit Filtering Platform Policy Change
-description: The policy setting, Audit Filtering Platform Policy Change, determines if audit events are generated for certain IPsec and Windows Filtering Platform actions.
-ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Filtering Platform Policy Change
-
-
-Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) (WFP), such as the following:
-
-- IPsec services status.
-
-- Changes to IPsec policy settings.
-
-- Changes to Windows Filtering Platform Base Filtering Engine policy settings.
-
-- Changes to WFP providers and engine.
-
-Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
-
-- 4709(S): IPsec Services was started.
-
-- 4710(S): IPsec Services was disabled.
-
-- 4711(S): May contain any one of the following:
-
-- 4712(F): IPsec Services encountered a potentially serious failure.
-
-- 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
-
-- 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
-
-- 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
-
-- 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
-
-- 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
-
-- 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted. 
-
-- 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
-
-- 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
-
-- 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
-
-- 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
-
-- 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
-
-- 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
-
-- 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
-
-- 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
-
-- 5446(S): A Windows Filtering Platform callout has been changed.
-
-- 5448(S): A Windows Filtering Platform provider has been changed.
-
-- 5449(S): A Windows Filtering Platform provider context has been changed.
-
-- 5450(S): A Windows Filtering Platform sub-layer has been changed.
-
-- 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
-
-- 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
-
-- 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
-
-- 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
-
-- 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
-
-- 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
-
-- 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
-
-- 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes. 
-
-- 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
-
-- 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
-
-- 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
-
-- 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
-
-- 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
-
-- 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
-
-- 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
-
-- 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
-
-- 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
-
-- 5477(F): PAStore Engine failed to add quick mode filter.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
deleted file mode 100644
index 771769f0be..0000000000
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Audit Group Membership
-description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC.
-ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Group Membership
-
-
-By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer.
-
-This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.
-
-For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
-
-You must also enable the [Audit Logon](audit-logon.md) subcategory.
-
-Multiple events are generated if the group membership information cannot fit in a single security audit event
-
-**Event volume**:
-
-- Low on a client computer.
-
-- Medium on a domain controller or network servers. 
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
                For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
                This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
-| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
                For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
                This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
-| Workstation | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
                For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
                This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
-
-**Events List:**
-
-- [4627](event-4627.md)(S): Group membership information.
-
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
deleted file mode 100644
index 2452d552c4..0000000000
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Audit Handle Manipulation
-description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed.
-ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Handle Manipulation
-
-
-Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions.
-
-**Event volume**: High.
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
                There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
-| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
                There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
-| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
                There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
-
-**Events List:**
-
-- [4658](event-4658.md)(S): The handle to an object was closed.
-
-- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
-
-- 4658(S): The handle to an object was closed. For a description of the event, see _[4658](event-4658.md)(S): The handle to an object was closed._ in the Audit File System subcategory. This event doesn’t generate in the Audit Handle Manipulation subcategory, but you can use this subcategory to enable it.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
deleted file mode 100644
index 20882eebbc..0000000000
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Audit IPsec Driver
-description: The Advanced Security Audit policy setting, Audit IPsec Driver, determines if audit events are generated for the activities of the IPsec driver.
-ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit IPsec Driver
-
-
-Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
-
-- Startup and shutdown of the IPsec services.
-
-- Network packets dropped due to integrity check failure.
-
-- Network packets dropped due to replay check failure.
-
-- Network packets dropped due to being in plaintext.
-
-- Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated.
-
-- Inability to process IPsec filters.
-
-A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.
-
-Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter. This subcategory is outside the scope of this document.
-
-**Event volume:** Medium
-
-**Default:** Not configured
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. 
|
-| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
-| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
-
-**Events List:**
-
-- 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
-
-- 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
-
-- 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
-
-- 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
-
-- 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
-
-- 5478(S): IPsec Services has started successfully.
-
-- 5479(S): IPsec Services has been shut down successfully. 
The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
-
-- 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
-
-- 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
-
-- 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
-
-- 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
deleted file mode 100644
index 45b5d1ef63..0000000000
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Audit IPsec Extended Mode
-description: The setting, Audit IPsec Extended Mode, determines if audit events are generated for the results of IKE protocol and AuthIP during Extended Mode negotiations.
-ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit IPsec Extended Mode
-
-
-Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
-
-Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
-| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
-| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
-
-- 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-
-- 4979(S): IPsec Main Mode and Extended Mode security associations were established. 
-
-- 4980(S): IPsec Main Mode and Extended Mode security associations were established.
-
-- 4981(S): IPsec Main Mode and Extended Mode security associations were established.
-
-- 4982(S): IPsec Main Mode and Extended Mode security associations were established.
-
-- 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
-
-- 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
deleted file mode 100644
index f1c660e1e8..0000000000
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Audit IPsec Main Mode
-description: Learn about the policy setting, Audit IPsec Main Mode, which determines if the results of certain protocols generate events during Main Mode negotiations.
-ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit IPsec Main Mode
-
-
-Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
-
-Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
-| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
-| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
-
-- 4646(S): Security ID: %1
-
-- 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
-
-- 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
-
-- 4652(F): An IPsec Main Mode negotiation failed.
-
-- 4653(F): An IPsec Main Mode negotiation failed.
-
-- 4655(S): An IPsec Main Mode security association ended.
-
-- 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-
-- 5049(S): An IPsec Security Association was deleted.
-
-- 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
deleted file mode 100644
index c456fc1f21..0000000000
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: Audit IPsec Quick Mode
-description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations.
-ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit IPsec Quick Mode
-
-
-Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
-
-Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
-| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
-| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
-
-- 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-
-- 5451(S): An IPsec Quick Mode security association was established.
-
-- 5452(S): An IPsec Quick Mode security association ended.
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
deleted file mode 100644
index 6ec1fcf9e4..0000000000
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ /dev/null
@@ -1,41 +0,0 @@ ---- -title: Audit Kerberos Authentication Service -description: The policy setting Audit Kerberos Authentication Service decides if audit events are generated for Kerberos authentication ticket-granting ticket (TGT) requests -ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Kerberos Authentication Service - - -Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests. - -If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts. - -**Event volume**: High on Kerberos Key Distribution Center servers. - -This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed Pre-Authentications, due to wrong user password or when the user’s password has expired. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, because you will see all Kerberos Authentication requests (TGT requests), which are a part of domain account logons. Also, you can see the IP address from which this account requested a TGT, when TGT was requested, which encryption type was used and so on.
                We recommend Failure auditing, because you will see all failed requests with wrong password, username, revoked certificate, and so on. You will also be able to detect Kerberos issues or possible attack attempts.
                Expected volume is high on domain controllers. | -| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | -| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | - -**Events List:** - -- [4768](event-4768.md)(S, F): A Kerberos authentication ticket (TGT) was requested. - -- [4771](event-4771.md)(F): Kerberos pre-authentication failed. - -- [4772](event-4772.md)(F): A Kerberos authentication ticket request failed. - diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md deleted file mode 100644 index 2d13eeaf23..0000000000 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -title: Audit Kerberos Service Ticket Operations -description: The policy setting, Audit Kerberos Service Ticket Operations, determines if security audit events are generated for Kerberos service ticket requests. -ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Kerberos Service Ticket Operations - - -Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests. - -Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity. - -**Event volume**: Very High on Kerberos Key Distribution Center servers. - -This subcategory contains events about issued TGSs and failed TGS requests. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.

                IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).

                We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. | -| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | -| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | - -**Events List:** - -- [4769](event-4769.md)(S, F): A Kerberos service ticket was requested. - -- [4770](event-4770.md)(S): A Kerberos service ticket was renewed. - -- [4773](event-4773.md)(F): A Kerberos service ticket request failed. diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md deleted file mode 100644 index ae38545e9f..0000000000 --- a/windows/security/threat-protection/auditing/audit-kernel-object.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: Audit Kernel Object -description: The policy setting, Audit Kernel Object, decides if user attempts to access the system kernel (which includes mutexes and semaphores) generate audit events. -ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Kernel Object - - -Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. - -Only kernel objects with a matching system access control list ([SACL](/windows/win32/secauthz/access-control-lists)) generate security audit events. The audits generated are usually useful only to developers. - -Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled. - -The “[Audit: Audit the access of global system objects](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852233(v=ws.11))” policy setting controls the default SACL of kernel objects. - -**Event volume**: High. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
                There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. | -| Member Server | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
                There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. | -| Workstation | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
                There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. | - -**Events List:** - -- [4656](event-4656.md)(S, F): A handle to an object was requested. - -- [4658](event-4658.md)(S): The handle to an object was closed. - -- [4660](event-4660.md)(S): An object was deleted. - -- [4663](event-4663.md)(S): An attempt was made to access an object. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md deleted file mode 100644 index 0525d84b24..0000000000 --- a/windows/security/threat-protection/auditing/audit-logoff.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: Audit Logoff -description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated. -ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Logoff - - -Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated. - -These events occur on the computer that was accessed. For an interactive logon, these events are generated on the computer that was logged on to. - -There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. - -Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated. - -**Event volume**: High. - -This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff, the security audit event is generated on the computer that the user account logged on to. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
                Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
                Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
                Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4634](event-4634.md)(S): An account was logged off. - -- [4647](event-4647.md)(S): User initiated logoff. - diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md deleted file mode 100644 index 1437ead2f9..0000000000 --- a/windows/security/threat-protection/auditing/audit-logon.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: Audit Logon -description: The Advanced Security Audit policy setting, Audit Logon, determines if audit events are generated when a user attempts to log on to a computer. -ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Logon - - -Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer. - -These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed. - -The following events are recorded: - -- Logon success and failure. - -- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the **RunAs** command. - -- Security identifiers (SIDs) are filtered. - -Logon events are essential to tracking user activity and detecting potential attacks. - -**Event volume**: - -- Low on a client computer. - -- Medium on a domain controllers or network servers. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.
                Failure events will show you failed logon attempts and the reason why these attempts failed. | -| Member Server | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.
                Failure events will show you failed logon attempts and the reason why these attempts failed. | -| Workstation | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.
                Failure events will show you failed logon attempts and the reason why these attempts failed. | - -**Events List:** - -- [4624](event-4624.md)(S): An account was successfully logged on. - -- [4625](event-4625.md)(F): An account failed to log on. - -- [4648](event-4648.md)(S): A logon was attempted using explicit credentials. - -- [4675](event-4675.md)(S): SIDs were filtered. - diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md deleted file mode 100644 index d00998a052..0000000000 --- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md +++ /dev/null 
@@ -1,75 +0,0 @@ ---- -title: Audit MPSSVC Rule-Level Policy Change -description: Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe). -ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit MPSSVC Rule-Level Policy Change - - -Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). - -The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer’s threat protection against malware. The tracked activities include: - -- Active policies when the Windows Firewall service starts. - -- Changes to Windows Firewall rules. - -- Changes to the Windows Firewall exception list. - -- Changes to Windows Firewall settings. - -- Rules ignored or not applied by the Windows Firewall service. - -- Changes to Windows Firewall Group Policy settings. - -Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. - -**Event volume**: Medium. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.
                Failure events may help to identify configuration problems with Windows Firewall rules or settings. | -| Member Server | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.
                Failure events may help to identify configuration problems with Windows Firewall rules or settings. | -| Workstation | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.
                Failure events may help to identify configuration problems with Windows Firewall rules or settings. | - -**Events List:** - -- [4944](event-4944.md)(S): The following policy was active when the Windows Firewall started. - -- [4945](event-4945.md)(S): A rule was listed when the Windows Firewall started. - -- [4946](event-4946.md)(S): A change has been made to Windows Firewall exception list. A rule was added. - -- [4947](event-4947.md)(S): A change has been made to Windows Firewall exception list. A rule was modified. - -- [4948](event-4948.md)(S): A change has been made to Windows Firewall exception list. A rule was deleted. - -- [4949](event-4949.md)(S): Windows Firewall settings were restored to the default values. - -- [4950](event-4950.md)(S): A Windows Firewall setting has changed. - -- [4951](event-4951.md)(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. - -- [4952](event-4952.md)(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. - -- [4953](event-4953.md)(F): A rule has been ignored by Windows Firewall because it could not parse the rule. - -- [4954](event-4954.md)(S): Windows Firewall Group Policy settings have changed. The new settings have been applied. - -- [4956](event-4956.md)(S): Windows Firewall has changed the active profile. - -- [4957](event-4957.md)(F): Windows Firewall did not apply the following rule: - -- [4958](event-4958.md)(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: - diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md deleted file mode 100644 index 9af80769b0..0000000000 --- a/windows/security/threat-protection/auditing/audit-network-policy-server.md +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -title: Audit Network Policy Server -description: The policy setting, Audit Network Policy Server, determines if audit events are generated for RADIUS (IAS) and NAP activity on user access requests. -ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Network Policy Server - - -Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. - -If you configure this subcategory, an audit event is generated for each IAS and NAP user access request. - -This subcategory generates events only if NAS or IAS role is installed on the server. - -NAP events can be used to help understand the overall health of the network. - -**Event volume**: Medium to High on servers that are running [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS). - -Role-specific subcategories are outside the scope of this document. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|----------| -| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. 
| -| Member Server | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | -| Workstation | No | No | No | No | [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role cannot be installed on client OS. | - -- 6272: Network Policy Server granted access to a user. - -- 6273: Network Policy Server denied access to a user. - -- 6274: Network Policy Server discarded the request for a user. - -- 6275: Network Policy Server discarded the accounting request for a user. - -- 6276: Network Policy Server quarantined a user. - -- 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. - -- 6278: Network Policy Server granted full access to a user because the host met the defined health policy. - -- 6279: Network Policy Server locked the user account due to repeated failed authentication attempts. - -- 6280: Network Policy Server unlocked the user account. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md deleted file mode 100644 index 937e8bc34c..0000000000 --- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -title: Audit Non-Sensitive Privilege Use -description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used. -ms.assetid: 8fd74783-1059-443e-aa86-566d78606627 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Non-Sensitive Privilege Use - - -Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges: - -- Access Credential Manager as a trusted caller - -- Add workstations to domain - -- Adjust memory quotas for a process - -- Bypass traverse checking - -- Change the system time - -- Change the time zone - -- Create a page file - -- Create global objects - -- Create permanent shared objects - -- Create symbolic links - -- Force shutdown from a remote system - -- Increase a process working set - -- Increase scheduling priority - -- Lock pages in memory - -- Modify an object label - -- Perform volume maintenance tasks - -- Profile single process - -- Profile system performance - -- Remove computer from docking station - -- Shut down the system - -- Synchronize directory service data - -This subcategory also contains informational events from filesystem Transaction Manager. - -If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts. - -**Event volume**: Very High. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
                IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | -| Member Server | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
                IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | -| Workstation | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.
                IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. | - -**Events List:** - -- [4673](event-4673.md)(S, F): A privileged service was called. - -- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object. - -- [4985](event-4985.md)(S): The state of a transaction has changed. - - - diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md deleted file mode 100644 index 9b973c0b7b..0000000000 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ /dev/null 
@@ -1,28 +0,0 @@
----
-title: Audit Other Account Logon Events
-description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
-ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Other Account Logon Events
-
-**General Subcategory Information:**
-
-This auditing subcategory does not contain any events. It is intended for future use.
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
-| Member Server | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
-| Workstation | No | No | No | No | This auditing subcategory does not contain any events. Intended for future use, no reason to enable it. |
-
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
deleted file mode 100644
index 670cf6612d..0000000000
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ /dev/null
@@ -1,41 +0,0 @@ ---- -title: Audit Other Account Management Events -description: The Advanced Security Audit policy setting, Audit Other Account Management Events, determines if user account management audit events are generated. -ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Other Account Management Events - - -Audit Other Account Management Events determines whether the operating system generates user account management audit events. - -**Event volume:** Typically Low on all types of computers. - -This subcategory allows you to audit next events: - -- The password hash of a user account was accessed. This happens during an Active Directory Management Tool password migration. - -- The Password Policy Checking API was called. Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash of an account was accessed.”
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | No | No | No | No | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | No | No | No | No | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4782](event-4782.md)(S): The password hash of an account was accessed. - -- [4793](event-4793.md)(S): The Password Policy Checking API was called. - diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md deleted file mode 100644 index 86e40c99ae..0000000000 --- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -title: Audit Other Logon/Logoff Events -description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events. -ms.assetid: 76d987cd-1917-4907-a739-dd642609a458 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Other Logon/Logoff Events - - -Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. - -These other logon or logoff events include: - -- A Remote Desktop session connects or disconnects. - -- A workstation is locked or unlocked. - -- A screen saver is invoked or dismissed. - -- A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration. - -- A user is granted access to a wireless network. It can be either a user account or the computer account. - -- A user is granted access to a wired 802.1x network. It can be either a user account or the computer account. - -Logon events are essential to understanding user activity and detecting potential attacks. - -**Event volume**: Low. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
                Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | -| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
                Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | -| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
                Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | - -**Events List:** - -- [4649](event-4649.md)(S): A replay attack was detected. - -- [4778](event-4778.md)(S): A session was reconnected to a Window Station. - -- [4779](event-4779.md)(S): A session was disconnected from a Window Station. - -- [4800](event-4800.md)(S): The workstation was locked. - -- [4801](event-4801.md)(S): The workstation was unlocked. - -- [4802](event-4802.md)(S): The screen saver was invoked. - -- [4803](event-4803.md)(S): The screen saver was dismissed. - -- [5378](event-5378.md)(F): The requested credentials delegation was disallowed by policy. - -- [5632](event-5632.md)(S): A request was made to authenticate to a wireless network. - -- [5633](event-5633.md)(S): A request was made to authenticate to a wired network. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md deleted file mode 100644 index 5807ad6849..0000000000 --- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: Audit Other Object Access Events -description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects. -ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Other Object Access Events - - -Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests. - -**Event volume**: Low. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
                We recommend Failure auditing to get events about possible ICMP DoS attack. | -| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
                We recommend Failure auditing to get events about possible ICMP DoS attack. | -| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
                We recommend Failure auditing to get events about possible ICMP DoS attack. | - -**Events List:** - -- [4671](event-4671.md)(-): An application attempted to access a blocked ordinal through the TBS. - -- [4691](event-4691.md)(S): Indirect access to an object was requested. - -- [5148](event-5148.md)(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. - -- [5149](event-5149.md)(F): The DoS attack has subsided and normal processing is being resumed. - -- [4698](event-4698.md)(S): A scheduled task was created. - -- [4699](event-4699.md)(S): A scheduled task was deleted. - -- [4700](event-4700.md)(S): A scheduled task was enabled. - -- [4701](event-4701.md)(S): A scheduled task was disabled. - -- [4702](event-4702.md)(S): A scheduled task was updated. - -- [5888](event-5888.md)(S): An object in the COM+ Catalog was modified. - -- [5889](event-5889.md)(S): An object was deleted from the COM+ Catalog. - -- [5890](event-5890.md)(S): An object was added to the COM+ Catalog. - diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md deleted file mode 100644 index b05830fca8..0000000000 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -title: Audit Other Policy Change Events -description: The policy setting, Audit Other Policy Change Events, determines if audit events are generated for security policy changes that are not otherwise audited. -ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Other Policy Change Events - - -Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. - -**Event volume**: Low. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for 
troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
                We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. | -| Member Server | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
                We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. | -| Workstation | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
                We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. | - -**Events List:** - -- [4714](event-4714.md)(S): Encrypted data recovery policy was changed. - -- [4819](event-4819.md)(S): Central Access Policies on the machine have been changed. - -- [4826](event-4826.md)(S): Boot Configuration Data loaded. - -- [4909](event-4909.md)(-): The local policy settings for the TBS were changed. - -- [4910](event-4910.md)(-): The group policy settings for the TBS were changed. - -- [5063](event-5063.md)(S, F): A cryptographic provider operation was attempted. - -- [5064](event-5064.md)(S, F): A cryptographic context operation was attempted. - -- [5065](event-5065.md)(S, F): A cryptographic context modification was attempted. - -- [5066](event-5066.md)(S, F): A cryptographic function operation was attempted. - -- [5067](event-5067.md)(S, F): A cryptographic function modification was attempted. - -- [5068](event-5068.md)(S, F): A cryptographic function provider operation was attempted. - -- [5069](event-5069.md)(S, F): A cryptographic function property operation was attempted. - -- [5070](event-5070.md)(S, F): A cryptographic function property modification was attempted. - -- [5447](event-5447.md)(S): A Windows Filtering Platform filter has been changed. - -- [6144](event-6144.md)(S): Security policy in the group policy objects has been applied successfully. - -- [6145](event-6145.md)(F): One or more errors occurred while processing security policy in the group policy objects. - diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md deleted file mode 100644 index 123145fdaf..0000000000 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ /dev/null 
@@ -1,32 +0,0 @@
----
-title: Audit Other Privilege Use Events
-description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
-ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/06/2021
-ms.topic: reference
----
-
-# Audit Other Privilege Use Events
-
-
-This auditing subcategory should not have any events in it, but for some reason Success auditing will enable the generation of event [4985(S): The state of a transaction has changed](/windows/security/threat-protection/auditing/event-4985).
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------|
-| Domain Controller | No | No | No | No | This auditing subcategory doesn’t have any informative events inside. |
-| Member Server | No | No | No | No | This auditing subcategory doesn’t have any informative events inside. |
-| Workstation | No | No | No | No | This auditing subcategory doesn’t have any informative events inside. |
-
-**Events List:**
-
-- [4985](event-4985.md)(S): The state of a transaction has changed.
-
-
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
deleted file mode 100644
index 5472834fd9..0000000000
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ /dev/null
@@ -1,89 +0,0 @@ ---- -title: Audit Other System Events -description: The Advanced Security Audit policy setting, Audit Other System Events, determines if the operating system audits various system events. -ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Other System Events - - -Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures. - -Audit Other System Events determines whether the operating system audits various system events. - -The system events in this category include: - -- Startup and shutdown of the Windows Firewall service and driver. - -- Security policy processing by the Windows Firewall service. - -- Cryptography key file and migration operations. - -- BranchCache events. - -**Event volume**: Low. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. | -| Member Server | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. 
| -| Workstation | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. | - -**Events List:** - -- [5024](event-5024.md)(S): The Windows Firewall Service has started successfully. - -- [5025](event-5025.md)(S): The Windows Firewall Service has been stopped. - -- [5027](event-5027.md)(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. - -- [5028](event-5028.md)(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. - -- [5029](event-5029.md)(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. - -- [5030](event-5030.md)(F): The Windows Firewall Service failed to start. - -- [5032](event-5032.md)(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. - -- [5033](event-5033.md)(S): The Windows Firewall Driver has started successfully. - -- [5034](event-5034.md)(S): The Windows Firewall Driver was stopped. - -- [5035](event-5035.md)(F): The Windows Firewall Driver failed to start. - -- [5037](event-5037.md)(F): The Windows Firewall Driver detected critical runtime error. Terminating. - -- [5058](event-5058.md)(S, F): Key file operation. - -- [5059](event-5059.md)(S, F): Key migration operation. - -- [6400](event-6400.md)(-): BranchCache: Received an incorrectly formatted response while discovering availability of content. - -- [6401](event-6401.md)(-): BranchCache: Received invalid data from a peer. Data discarded. - -- [6402](event-6402.md)(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted. 
- -- [6403](event-6403.md)(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client. - -- [6404](event-6404.md)(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. - -- [6405](event-6405.md)(-): BranchCache: %2 instance(s) of event id %1 occurred. - -- [6406](event-6406.md)(-): %1 registered to Windows Firewall to control filtering for the following: %2 - -- [6407](event-6407.md)(-): 1% - -- [6408](event-6408.md)(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 - -- [6409](event-6408.md)(-): BranchCache: A service connection point object could not be parsed. - diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md deleted file mode 100644 index bd82df1b1e..0000000000 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -title: Audit PNP Activity -description: The advanced security audit policy setting, Audit PNP Activity, determines when plug and play detects an external device. -ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit PNP Activity - - -Audit PNP Activity determines when Plug and Play detects an external device. - -A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered. - -**Event volume**: Varies, depending on how the computer is used. Typically Low. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
                You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
                You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
                You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [6416](event-6416.md)(S): A new external device was recognized by the System - -- [6419](event-6419.md)(S): A request was made to disable a device - -- [6420](event-6420.md)(S): A device was disabled. - -- [6421](event-6421.md)(S): A request was made to enable a device. - -- [6422](event-6422.md)(S): A device was enabled. - -- [6423](event-6423.md)(S): The installation of this device is forbidden by system policy. - -- [6424](event-6424.md)(S): The installation of this device was allowed, after having previously been forbidden by policy. - diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md deleted file mode 100644 index c19e613f2c..0000000000 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: Audit Process Creation -description: The Advanced Security Audit policy setting, Audit Process Creation, determines if audit events are generated when a process is created (starts). -ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 03/16/2022 -ms.topic: reference ---- - -# Audit Process Creation - - -Audit Process Creation determines whether the operating system generates audit events when a process is created (starts). - -These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process. - -**Event volume**: Medium to High, depending on the process activity on the computer. - -This subcategory allows you to audit events generated when a process is created or starts. The name of the application and user that created the process is also audited. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process.
                Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
                The event volume is typically medium-high level, depending on the process activity on the computer.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process.
                Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
                The event volume is typically medium-high level, depending on the process activity on the computer.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process.
                Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
                The event volume is typically medium-high level, depending on the process activity on the computer.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4688](event-4688.md)(S): A new process has been created. - -- [4696](event-4696.md)(S): A primary token was assigned to process. - diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md deleted file mode 100644 index 0ecd8f1351..0000000000 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: Audit Process Termination -description: The Advanced Security Audit policy setting, Audit Process Termination, determines if audit events are generated when an attempt is made to end a process. -ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Process Termination - - -Audit Process Termination determines whether the operating system generates audit events when process has exited. - -Success audits record successful attempts and Failure audits record unsuccessful attempts. - -This policy setting can help you track user activity and understand how the computer is used. - -**Event volume**: Low to Medium, depending on system usage. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
                If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
                If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event.
                If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4689](event-4689.md)(S): A process has exited. - diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md deleted file mode 100644 index a4cea25938..0000000000 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: Audit Registry -description: The Advanced Security Audit policy setting, Audit Registry, determines if audit events are generated when users attempt to access registry objects. -ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 01/05/2021 -ms.topic: reference ---- - -# Audit Registry - - -Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. - -If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL. - -**Event volume**: Low to Medium, depending on how registry SACLs are configured. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](/windows/win32/secauthz/access-control-lists)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](/windows/win32/secauthz/access-control-lists)s. Otherwise the auditing log will be overloaded with useless information.
                Failure events can show you unsuccessful attempts to access specific registry objects.
                Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. | -| Member Server | IF | IF | IF | IF | | -| Workstation | IF | IF | IF | IF | | - -**Events List:** - -- [4663](event-4663.md)(S): An attempt was made to access an object. - -- [4656](event-4656.md)(S, F): A handle to an object was requested. - -- [4658](event-4658.md)(S): The handle to an object was closed. - -- [4660](event-4660.md)(S): An object was deleted. - -- [4657](event-4657.md)(S): A registry value was modified. - -- [5039](event-5039.md)(-): A registry key was virtualized. - -- [4670](event-4670.md)(S): Permissions on an object were changed. - - -> [!NOTE] -> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". This behavior is expected only on later versions of the operating system (Windows 11, Windows Server 2022, and later). On previous versions, 4656 events are not generated during subkey creation. -> -> Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. 
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
deleted file mode 100644
index 5ef92d1b38..0000000000
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ /dev/null
@@ -1,34 +0,0 @@ ---- -title: Audit Removable Storage -description: The Advanced Security Audit policy setting, Audit Removable Storage, determines when there is a read or a write to a removable drive. -ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Removable Storage - - -Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](/windows/win32/secauthz/access-control-lists). - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | This subcategory will help identify when and which files or folders were accessed or modified on removable devices.
                It is often useful to track actions with removable storage devices and the files or folders on them, because malicious software very often uses removable devices as a method to get into the system. At the same time, you will be able to track which files were written or executed from a removable storage device.
                You can track, for example, actions with files or folders on USB flash drives or sticks that were inserted into domain controllers or high value servers, which is typically not allowed.
                We recommend Failure auditing to track failed access attempts. | -| Member Server | Yes | Yes | Yes | Yes | | -| Workstation | Yes | Yes | Yes | Yes | | - -**Events List:** - -- [4656](event-4656.md)(S, F): A handle to an object was requested. - -- [4658](event-4658.md)(S): The handle to an object was closed. - -- [4663](event-4663.md)(S): An attempt was made to access an object. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md deleted file mode 100644 index b5dd671672..0000000000 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: Audit RPC Events -description: Audit RPC Events is an audit policy setting that determines if audit events are generated when inbound remote procedure call (RPC) connections are made. -ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit RPC Events - - -Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------| -| Domain Controller | No | No | No | No | Events in this subcategory occur rarely. | -| Member Server | No | No | No | No | Events in this subcategory occur rarely. | -| Workstation | No | No | No | No | Events in this subcategory occur rarely. | - -**Events List:** - -- [5712](event-5712.md)(S): A Remote Procedure Call (RPC) was attempted. - 
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
deleted file mode 100644
index c0253c800f..0000000000
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ /dev/null
@@ -1,52 +0,0 @@ ---- -title: Audit SAM -description: The Advanced Security Audit policy setting, Audit SAM, enables you to audit events generated by attempts to access Security Account Manager (SAM) objects. -ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit SAM - - -Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects. - -The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer. - -- SAM objects include the following: - -- SAM\_ALIAS: A local group - -- SAM\_GROUP: A group that is not a local group - -- SAM\_USER: A user account - -- SAM\_DOMAIN: A domain - -- SAM\_SERVER: A computer account - -If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts. - -Only a [SACL](/windows/win32/secauthz/access-control-lists) for SAM\_SERVER can be modified. - -Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events. - -**Event volume**: High on domain controllers. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. | -| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. | -| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. | - -**Events List:** - -- [4661](event-4661.md)(S, F): A handle to an object was requested. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md deleted file mode 100644 index ce479065a5..0000000000 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -title: Audit Security Group Management -description: The policy setting, Audit Security Group Management, determines if audit events are generated when specific security group management tasks are performed. -ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Security Group Management - - -Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed. - -**Event volume**: Low. - -This subcategory allows you to audit events generated by changes to security groups such as the following: - -- Security group is created, changed, or deleted. - -- Member is added or removed from a security group. - -- Group type is changed. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|----------| -| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4731](event-4731.md)(S): A security-enabled local group was created. - -- [4732](event-4732.md)(S): A member was added to a security-enabled local group. - -- [4733](event-4733.md)(S): A member was removed from a security-enabled local group. - -- [4734](event-4734.md)(S): A security-enabled local group was deleted. - -- [4735](event-4735.md)(S): A security-enabled local group was changed. - -- [4764](event-4764.md)(S): A group’s type was changed. - -- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated. - -- 4727(S): A security-enabled global group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - - > [!IMPORTANT] - > Event 4727(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply. - -- 4737(S): A security-enabled global group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - - > [!IMPORTANT] - > Event 4737(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. - -- 4728(S): A member was added to a security-enabled global group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. 
All event fields, XML, and recommendations are the same. The type of group is the only difference. - - > [!IMPORTANT] - > Event 4728(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply. - -- 4729(S): A member was removed from a security-enabled global group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - - > [!IMPORTANT] - > Event 4729(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply. - -- 4730(S): A security-enabled global group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - - > [!IMPORTANT] - > Event 4730(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply. - -- 4754(S): A security-enabled universal group was created. See event _[4731](event-4731.md): A security-enabled local group was created._ Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - - > [!IMPORTANT] - > Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply. - -- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4755 is the same, but it is generated for a **universal** security group instead of a **local** security group. 
All event fields, XML, and recommendations are the same. The type of group is the only difference. - - > [!IMPORTANT] - > Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. - -- 4756(S): A member was added to a security-enabled universal group. See event _[4732](event-4732.md): A member was added to a security-enabled local group._ Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - - > [!IMPORTANT] - > Event 4756(S) generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply. - -- 4757(S): A member was removed from a security-enabled universal group. See event _[4733](event-4733.md): A member was removed from a security-enabled local group._ Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - - > [!IMPORTANT] - > Event 4757(S) generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply. - -- 4758(S): A security-enabled universal group was deleted. See event _[4734](event-4734.md): A security-enabled local group was deleted._ Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. - - >[!IMPORTANT] - > Event 4758(S) generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply. diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md deleted file mode 100644 index c1a71e863e..0000000000 
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ /dev/null @@ -1,40 +0,0 @@ ---- -title: Audit Security State Change -description: The policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. -ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Security State Change - - -Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time. - -**Event volume**: Low. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4608](event-4608.md)(S): Windows is starting up. - -- [4616](event-4616.md)(S): The system time was changed. - -- [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail. - ->[!NOTE] ->Event **4609(S): Windows is shutting down** doesn't currently generate. It is a defined event, but it is never invoked by the operating system. - diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md deleted file mode 100644 index a058f09795..0000000000 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: Audit Security System Extension -description: The Advanced Security Audit policy setting, Audit Security System Extension, determines if audit events related to security system extensions are generated. -ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Security System Extension - - -Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events. - -Changes to security system extensions in the operating system include the following activities: - -- Security extension code is loaded (for example, an authentication, notification, or security package). Security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM. - -- A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. - -Attempts to install or load security system extensions or services are critical system events that could indicate a security breach. - -**Event volume**: Low. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
                For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
                For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
                For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4610](event-4610.md)(S): An authentication package has been loaded by the Local Security Authority. - -- [4611](event-4611.md)(S): A trusted logon process has been registered with the Local Security Authority. - -- [4614](event-4614.md)(S): A notification package has been loaded by the Security Account Manager. - -- [4622](event-4622.md)(S): A security package has been loaded by the Local Security Authority. - -- [4697](event-4697.md)(S): A service was installed in the system. - diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md deleted file mode 100644 index 3f5fa3f97d..0000000000 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -title: Audit Sensitive Privilege Use -description: The policy setting, Audit Sensitive Privilege Use, determines if the operating system generates audit events when sensitive privileges (user rights) are used. -ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Sensitive Privilege Use - - -Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges: - -- Act as part of the operating system - -- Back up files and directories - -- Restore files and directories - -- Create a token object - -- Debug programs - -- Enable computer and user accounts to be trusted for delegation - -- Generate security audits - -- Impersonate a client after authentication - -- Load and unload device drivers - -- Manage auditing and security log - -- Modify firmware environment values - -- Replace a process-level token - -- Take ownership of files or other objects - -The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852206(v=ws.11))” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded. - -This subcategory also contains informational events from the file system Transaction Manager. - -If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts. - -**Event volume**: High. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. | -| Member Server | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. | -| Workstation | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. | - -**Events List:** - -- [4673](event-4673.md)(S, F): A privileged service was called. - -- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object. - -- [4985](event-4985.md)(S): The state of a transaction has changed. - ->[!NOTE] -> The event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory also generates in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md deleted file mode 100644 index 291c011a68..0000000000 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -title: Audit Special Logon -description: The Advanced Security Audit policy setting, Audit Special Logon, determines if audit events are generated under special sign in (or logon) circumstances. -ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit Special Logon - - -Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances. - -This subcategory allows you to audit events generated by special logons such as the following: - -- The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - -- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. - -**Event volume**: - -- Low on a client computer. - -- Medium on a domain controllers or network servers. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.
                At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.
                At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.
                At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4964](event-4964.md)(S): Special groups have been assigned to a new logon. - -- [4672](event-4672.md)(S): Special privileges assigned to new logon. - diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md deleted file mode 100644 index 85cd8f762c..0000000000 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -title: Audit System Integrity -description: The policy setting, Audit System Integrity, determines if the operating system audits events that violate the integrity of the security subsystem. -ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit System Integrity - - -Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem. - -Activities that violate the integrity of the security subsystem include the following: - -- Audited events are lost due to a failure of the auditing system. - -- A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space. - -- A remote procedure call (RPC) integrity violation is detected. - -- A code integrity violation with an invalid hash value of an executable file is detected. - -- Cryptographic tasks are performed. - -Violations of security subsystem integrity are critical and could indicate a potential security attack. - -**Event volume**: Low. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
                The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. | -| Member Server | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
                The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. | -| Workstation | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
                The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. | - -**Events List:** - -- [4612](event-4612.md)(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. - -- [4615](event-4615.md)(S): Invalid use of LPC port. - -- [4618](event-4618.md)(S): A monitored security event pattern has occurred. - -- [4816](event-4816.md)(S): RPC detected an integrity violation while decrypting an incoming message. - -- [5038](event-5038.md)(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. - -- [5056](event-5056.md)(S): A cryptographic self-test was performed. - -- [5062](event-5062.md)(S): A kernel-mode cryptographic self-test was performed. - -- [5057](event-5057.md)(F): A cryptographic primitive operation failed. - -- [5060](event-5060.md)(F): Verification operation failed. - -- [5061](event-5061.md)(S, F): Cryptographic operation. - -- [6281](event-6281.md)(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. - -- [6410](event-6410.md)(F): Code integrity determined that a file does not meet the security requirements to load into a process. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md deleted file mode 100644 index ca2b5b0186..0000000000 --- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -title: Audit Token Right Adjusted -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token. -manager: aaroncz -author: vinaypamnani-msft -ms.author: vinpa -ms.pagetype: security -ms.date: 12/31/2017 -ms.topic: reference ---- - -# Audit Token Right Adjusted - - -Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token. - -For more information, see [Security Monitoring: A Possible New Way to Detect Privilege Escalation](/archive/blogs/nathangau/security-monitoring-a-possible-new-way-to-detect-privilege-escalation). - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
                However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
                If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
                However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
                If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.
                However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
                If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4703](event-4703.md)(S): A user right was adjusted. - -**Event volume**: High. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md deleted file mode 100644 index 22bd1134da..0000000000 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -title: Audit User Account Management -description: Audit User Account Management is an audit policy setting that determines if the operating system generates audit events when certain tasks are performed. -ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit User Account Management - - -Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed. - -**Event volume**: Low. - -This policy setting allows you to audit changes to user accounts. Events include the following: - -- A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked. - -- A user account’s password is set or changed. - -- A security identifier (SID) is added to the SID History of a user account, or fails to be added. - -- The Directory Services Restore Mode password is configured. - -- Permissions on administrative user accounts are changed. - -- A user's local group membership was enumerated. - -- Credential Manager credentials are backed up or restored. - -Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer accounts. 
- -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | This subcategory contains many useful events for monitoring, especially for critical domain accounts, such as domain admins, service accounts, database admins, and so on.
                We recommend Failure auditing, mostly to see invalid password change and reset attempts for domain accounts, DSRM account password change failures, and failed SID History add attempts. | -| Member Server | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.
                We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. | -| Workstation | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.
                We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. | - -**Events List:** - -- [4720](event-4720.md)(S): A user account was created. - -- [4722](event-4722.md)(S): A user account was enabled. - -- [4723](event-4723.md)(S, F): An attempt was made to change an account's password. - -- [4724](event-4724.md)(S, F): An attempt was made to reset an account's password. - -- [4725](event-4725.md)(S): A user account was disabled. - -- [4726](event-4726.md)(S): A user account was deleted. - -- [4738](event-4738.md)(S): A user account was changed. - -- [4740](event-4740.md)(S): A user account was locked out. - -- [4765](event-4765.md)(S): SID History was added to an account. - -- [4766](event-4766.md)(F): An attempt to add SID History to an account failed. - -- [4767](event-4767.md)(S): A user account was unlocked. - -- [4780](event-4780.md)(S): The ACL was set on accounts which are members of administrators groups. - -- [4781](event-4781.md)(S): The name of an account was changed. - -- [4794](event-4794.md)(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. - -- [4798](event-4798.md)(S): A user's local group membership was enumerated. - -- [5376](event-5376.md)(S): Credential Manager credentials were backed up. - -- [5377](event-5377.md)(S): Credential Manager credentials were restored from a backup. - diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md deleted file mode 100644 index 748184d302..0000000000 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: Audit User/Device Claims -description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims. -ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/06/2021 -ms.topic: reference ---- - -# Audit User/Device Claims - - -Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. - -For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. - -***Important***: Enable the [Audit Logon](audit-logon.md) subcategory in order to get events from this subcategory. - -**Event volume**: - -- Low on a client computer. - -- Medium on a domain controller or network servers. - -| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | -|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
                This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | - -**Events List:** - -- [4626](event-4626.md)(S): User/Device claims information. - diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md deleted file mode 100644 index 7c8b3b1d1a..0000000000 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: Audit account logon events -description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. -ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Audit account logon events - - -Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account. - -This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated. - -If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails. -To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. - -**Default**: Success - -## Configure this audit setting - -You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. 
- -| Logon events | Description | -|--------------|--------------------------------------------------------------------------------------------------------------------------------------| -| 672 | An authentication service (AS) ticket was successfully issued and validated. | -| 673 | A ticket granting service (TGS) ticket was granted. | -| 674 | A security principal renewed an AS ticket or TGS ticket. | -| 675 | Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password. | -| 676 | Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family. | -| 677 | A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family. | -| 678 | An account was successfully mapped to a domain account. | -| 681 | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family. | -| 682 | A user has reconnected to a disconnected terminal server session. | -| 683 | A user disconnected a terminal server session without logging off. | - -## Related topics - -- [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md deleted file mode 100644 index 0f902b9980..0000000000 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -title: Audit account management -description: Determines whether to audit each event of account management on a device. -ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Audit account management - - -Determines whether to audit each event of account management on a device. - -Examples of account management events include: - -- A user account or group is created, changed, or deleted. -- A user account is renamed, disabled, or enabled. -- A password is set or changed. - -If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To -set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes. - -**Default:** - -- Success on domain controllers. -- No auditing on member servers. - -## Configure this audit setting - -You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. - - -| Account management events | Description | -| :-----------------------: | :---------- | -| 4720 | A user account was created. | -| 4723 | A user password was changed. | -| 4724 | A user password was set. | -| 4726 | A user account was deleted. | -| 4727 | A global group was created. | -| 4728 | A member was added to a global group. | -| 4729 | A member was removed from a global group. | -| 4730 | A global group was deleted. 
| -| 4731 | A new local group was created. | -| 4732 | A member was added to a local group. | -| 4733 | A member was removed from a local group. | -| 4734 | A local group was deleted. | -| 4735 | A local group account was changed. | -| 4737 | A global group account was changed. | -| 4738 | A user account was changed. | -| 4739 | A domain policy was modified. | -| 4740 | A user account was auto locked. | -| 4741 | A computer account was created. | -| 4742 | A computer account was changed. | -| 4743 | A computer account was deleted. | -| 4744 | A local security group with security disabled was created.
                **Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks | -| 4745 | A local security group with security disabled was changed. | -| 4746 | A member was added to a security-disabled local security group. | -| 4747 | A member was removed from a security-disabled local security group. | -| 4748 | A security-disabled local group was deleted. | -| 4749 | A security-disabled global group was created. | -| 4750 | A security-disabled global group was changed. | -| 4751 | A member was added to a security-disabled global group. | -| 4752 | A member was removed from a security-disabled global group. | -| 4753 | A security-disabled global group was deleted. | -| 4754 | A security-enabled universal group was created. | -| 4755 | A security-enabled universal group was changed. | -| 4756 | A member was added to a security-enabled universal group. | -| 4757 | A member was removed from a security-enabled universal group. | -| 4758 | A security-enabled universal group was deleted. | -| 4759 | A security-disabled universal group was created. | -| 4760 | A security-disabled universal group was changed. | -| 4761 | A member was added to a security-disabled universal group. | -| 4762 | A member was removed from a security-disabled universal group. | -| 4763 | A security-disabled universal group was deleted. | -| 4764 | A group type was changed. | -| 4780 | Set the security descriptor of members of administrative groups. | -| 685 | Set the security descriptor of members of administrative groups.
                **Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | - -## Related topics - -- [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md deleted file mode 100644 index fb7213123d..0000000000 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -title: Basic audit directory service access -description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. -ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Audit directory service access - - -Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. - -By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning. - -If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. -> **Note:**  You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects. - -**Default:** - -- Success on domain controllers. -- Undefined for a member server. 
- -## Configure this audit setting - -You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. - -There is only one directory service access event, which is identical to the Object Access security event message 566. - -| Directory service access events | Description | -|---------------------------------|----------------------------------------| -| 566 | A generic object operation took place. | - -## Related topics - -- [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md deleted file mode 100644 index 6019102b0e..0000000000 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -title: Audit logon events -description: Determines whether to audit each instance of a user logging on to or logging off from a device. -ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.collection: - - highpri - - tier3 -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Audit logon events - - -Determines whether to audit each instance of a user logging on to or logging off from a device. - -Account logon events are generated on domain controllers for domain account activity and on local devices for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more info about account logon events, see [Audit account logon events](basic-audit-account-logon-events.md). - -If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails. - -To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. 
- -For information about advanced security policy settings for logon events, see the [Logon/logoff](advanced-security-audit-policy-settings.md#logonlogoff) section in [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). - -## Configure this audit setting - -You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. - -| Logon events | Description | -| - | - | -| 4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. | -| 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. | -| 4634 | The logoff process was completed for a user. | -| 4647 | A user initiated the logoff process. | -| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. | -| 4779 | A user disconnected a terminal server session without logging off. | - - -When event 4624 (Legacy Windows Event ID 528) is logged, a logon type is also listed in the event log. The following table describes each logon type. - -| Logon type | Logon title | Description | -| - | - | - | -| 2 | Interactive | A user logged on to this computer.| -| 3 | Network | A user or computer logged on to this computer from the network.| -| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.| -| 5 | Service | A service was started by the Service Control Manager.| -| 7 | Unlock | This workstation was unlocked.| -| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. 
The credentials do not traverse the network in plaintext (also called cleartext). | -| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.| -| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.| -| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.| - -## Related topics - -- [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md deleted file mode 100644 index a27f9b77a0..0000000000 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -title: Audit object access -description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified. -ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Audit object access - - -Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. - -If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. - -To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes. - -> [!NOTE] -> You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box. - -**Default:** No auditing. - -## Configure this audit setting - -You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. 
- - -| Object access events | Description | -|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 560 | Access was granted to an already existing object. | -| 562 | A handle to an object was closed. | -| 563 | An attempt was made to open an object with the intent to delete it.
                **Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile(). | -| 564 | A protected object was deleted. | -| 565 | Access was granted to an already existing object type. | -| 567 | A permission associated with a handle was used.
                **Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. | -| 568 | An attempt was made to create a hard link to a file that is being audited. | -| 569 | The resource manager in Authorization Manager attempted to create a client context. | -| 570 | A client attempted to access an object.
                **Note:** An event will be generated for every attempted operation on the object. | -| 571 | The client context was deleted by the Authorization Manager application. | -| 572 | The administrator manager initialized the application. | -| 772 | The certificate manager denied a pending certificate request. | -| 773 | Certificate Services received a resubmitted certificate request. | -| 774 | Certificate Services revoked a certificate. | -| 775 | Certificate Services received a request to publish the certificate revocation list (CRL). | -| 776 | Certificate Services published the certificate revocation list (CRL). | -| 777 | A certificate request extension was made. | -| 778 | One or more certificate request attributes changed. | -| 779 | Certificate Services received a request to shutdown. | -| 780 | Certificate Services backup started. | -| 781 | Certificate Services backup completed | -| 782 | Certificate Services restore started. | -| 783 | Certificate Services restore completed. | -| 784 | Certificate Services started. | -| 785 | Certificate Services stopped. | -| 786 | The security permissions for Certificate Services changed. | -| 787 | Certificate Services retrieved an archived key. | -| 788 | Certificate Services imported a certificate into its database. | -| 789 | The audit filter for Certificate Services changed. | -| 790 | Certificate Services received a certificate request. | -| 791 | Certificate Services approved a certificate request and issued a certificate. | -| 792 | Certificate Services denied a certificate request. | -| 793 | Certificate Services set the status of a certificate request to pending. | -| 794 | The certificate manager settings for Certificate Services changed. | -| 795 | A configuration entry changed in Certificate Services. | -| 796 | A property of Certificate Services changed. | -| 797 | Certificate Services archived a key. | -| 798 | Certificate Services imported and archived a key. 
| -| 799 | Certificate Services published the CA certificate to Active Directory. | -| 800 | One or more rows have been deleted from the certificate database. | -| 801 | Role separation enabled. | - -## Related topics - -- [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md deleted file mode 100644 index c8c2ed48d0..0000000000 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Audit policy change -description: Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. -ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Audit policy change - - -Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. - -If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment policies, audit policies, or trust policies fails. - -To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. - -**Default:** - -- Success on domain controllers. -- No auditing on member servers. - -## Configure this audit setting - -You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. - -| Policy change events | Description | -| - | - | -| 608 | A user right was assigned.| -| 609 | A user right was removed. | -| 610 | A trust relationship with another domain was created.| -| 611 | A trust relationship with another domain was removed.| -| 612 | An audit policy was changed.| -| 613 | An Internet Protocol security (IPSec) policy agent started.| -| 614 | An IPSec policy agent was disabled. | -| 615 | An IPSec policy agent changed. 
| -| 616 | An IPSec policy agent encountered a potentially serious failure.| -| 617 | A Kerberos policy changed. | -| 618 | Encrypted Data Recovery policy changed.| -| 620 | A trust relationship with another domain was modified.| -| 621 | System access was granted to an account. | -| 622 | System access was removed from an account.| -| 623 | Per user auditing policy was set for a user.| -| 625 | Per user audit policy was refreshed. | -| 768 | A collision was detected between a namespace element in one forest and a namespace element in another forest.
                **Note**  When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName'.| -| 769 | Trusted forest information was added.
                **Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".| -| 770 | Trusted forest information was deleted.
                **Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".| -| 771 | Trusted forest information was modified.
                **Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".| -| 805 | The event log service read the security log configuration for a session. - -## Related topics - -- [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md deleted file mode 100644 index 1275bd3206..0000000000 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -title: Audit privilege use -description: Determines whether to audit each instance of a user exercising a user right. -ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Audit privilege use - - -Determines whether to audit each instance of a user exercising a user right. - -If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails. - -To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes. - -**Default:** No auditing. - -Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for **Audit privilege use**. Enabling auditing of these user rights tend to generate many events in the security log which may impede your computer's performance. To audit the following user rights, enable the **FullPrivilegeAuditing** registry key. - -- Bypass traverse checking -- Debug programs -- Create a token object -- Replace process level token -- Generate security audits -- Back up files and directories -- Restore files and directories - -## Configure this audit setting - -You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. - -| Privilege use events | Description | -| - | - | -| 576 | Specified privileges were added to a user's access token.
                **Note:**  This event is generated when the user logs on.| -| 577 | A user attempted to perform a privileged system service operation. | -| 578 | Privileges were used on an already open handle to a protected object. | - -## Related topics - -- [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md deleted file mode 100644 index 71a2c2735c..0000000000 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: Audit process tracking -description: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. -ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Audit process tracking - - -Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. - -If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits generate an audit entry when the process being tracked fails. - -To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes. - -**Default:** No auditing. - -## Configure this security setting - -You can configure this security setting under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. - -| Process tracking events | Description | -| - | - | -| 592 | A new process was created.| -| 593 | A process exited. | -| 594 | A handle to an object was duplicated.| -| 595 | Indirect access to an object was obtained.| -| 596 | A data protection master key was backed up.
                **Note:** The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up to a domain controller.| -| 597 | A data protection master key was recovered from a recovery server.| -| 598 | Auditable data was protected. | -| 599 | Auditable data was unprotected.| -| 600 | A process was assigned a primary token.| -| 601 | A user attempted to install a service. | -| 602 | A scheduler job was created. | - -## Related topics - -- [Basic security audit policy settings](basic-security-audit-policy-settings.md) - - diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md deleted file mode 100644 index d29c89b90f..0000000000 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: Audit system events -description: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. -ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Audit system events - - -Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. - -If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails. - -To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. - -**Default:** - -- Success on domain controllers. -- No auditing on member servers. - -## Configure this audit setting - -You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. - -| Logon events | Description | -| - | - | -| 512 | Windows is starting up. | -| 513 | Windows is shutting down. | -| 514 | An authentication package was loaded by the Local Security Authority.| -| 515 | A trusted logon process has registered with the Local Security Authority.| -| 516 | Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.| -| 517 | The audit log was cleared. 
| -| 518 | A notification package was loaded by the Security Accounts Manager.| -| 519 | A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.| -| 520 | The system time was changed.
                **Note:**  This audit normally appears twice.| - -## Related topics - -- [Basic security audit policy settings](basic-security-audit-policy-settings.md) -  -  diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md deleted file mode 100644 index a238c70e5c..0000000000 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: Basic security audit policies -description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization. -ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Basic security audit policies - - -Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. - -The event categories that you can choose to audit are: - -- Audit account logon events -- Audit account management -- Audit directory service access -- Audit logon events -- Audit object access -- Audit policy change -- Audit privilege use -- Audit process tracking -- Audit system events - -If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory service access category, for auditing objects on a domain controller, or the audit object access category, for auditing objects on a member server or workstation. After you enable the object access category, you can specify the types of access you want to audit for each group or user. - -## In this section - -| Article | Description | -| - | - | -| [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) | By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. 
On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. | -| [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful or failed access attempts in the security log. | -| [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.| -| [Basic security audit policy settings](basic-security-audit-policy-settings.md) | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.| - - diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md deleted file mode 100644 index 1b496de6ee..0000000000 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: Basic security audit policy settings -description: Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. -ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/06/2021 ---- - -# Basic security audit policy settings - - -Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. - -## In this section - -| Topic | Description | -| - | - | -| [Audit account logon events](basic-audit-account-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.| -| [Audit account management](basic-audit-account-management.md) | Determines whether to audit each event of account management on a device.| -| [Audit directory service access](basic-audit-directory-service-access.md) | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.| -| [Audit logon events](basic-audit-logon-events.md) | Determines whether to audit each instance of a user logging on to or logging off from a device. | -| [Audit object access](basic-audit-object-access.md) | Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.| -| [Audit policy change](basic-audit-policy-change.md) | Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. 
| -| [Audit privilege use](basic-audit-privilege-use.md) | Determines whether to audit each instance of a user exercising a user right. | -| [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.| -| [Audit system events](basic-audit-system-events.md) | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. | - -## Related topics - -- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - - diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md deleted file mode 100644 index 0dbeef18fc..0000000000 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -title: Create a basic audit policy for an event category -description: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. -ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3 -ms.reviewer: -ms.author: vinpa -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: low -author: vinaypamnani-msft -manager: aaroncz -audience: ITPro -ms.topic: reference -ms.date: 09/07/2021 ---- - -# Create a basic audit policy for an event category - - -By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. - -To complete this procedure, you must be logged on as a member of the built-in Administrators group. - -**To define or modify auditing policy settings for an event category for your local computer** - -1. Open the Local Security Policy snap-in (secpol.msc), and then click **Local Policies**. -2. Click **Audit Policy**. -3. In the results pane, double-click an event category that you want to change the auditing policy settings for. -4. Do one or both of the following, and then click **OK.** - - - To audit successful attempts, select the **Success** check box. - - To audit unsuccessful attempts, select the **Failure** check box. - -To complete this procedure, you must be logged on as a member of the Domain Admins group. - -**To define or modify auditing policy settings for an event category for a domain or organizational unit, when you are on a member server or on a workstation that is joined to a domain** - -1. Open the Group Policy Management Console (GPMC). -2. 
In the console tree, double-click **Group Policy objects** in the forest and domain containing the **Default Domain Policy** Group Policy object (GPO) that you want to edit. -3. Right-click the **Default Domain Policy** GPO, and then click **Edit**. -4. In the GPMC, go to **Computer Configuration**, **Windows Settings**, **Security Settings**, and then click **Audit Policy**. -5. In the results pane, double-click an event category that you want to change the auditing policy settings for. -6. If you are defining auditing policy settings for this event category for the first time, select the **Define these policy settings** check box. -7. Do one or both of the following, and then click **OK.** - - - To audit successful attempts, select the **Success** check box. - - To audit unsuccessful attempts, select the **Failure** check box. - -## Additional considerations - -- To audit object access, enable auditing of the object access event category by following the steps above. Then, enable auditing on the specific object. -- After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view these events. -- The default auditing policy setting for domain controllers is **No Auditing**. This means that even if auditing is enabled in the domain, the domain controllers do not inherit auditing policy locally. If you want domain auditing policy to apply to domain controllers, you must modify this policy setting. diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md deleted file mode 100644 index fd669405ba..0000000000 --- a/windows/security/threat-protection/auditing/event-1100.md +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -title: 1100(S) The event logging service has shut down. -description: Describes security event 1100(S) The event logging service has shut down. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 1100(S): The event logging service has shut down. - - -Event 1100 illustration - -***Subcategory:*** [Other Events](other-events.md) - -***Event Description:*** - -This event generates every time Windows Event Log service has shut down. - -It also generates during normal system shutdown. - -This event doesn’t generate during emergency system reset. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 1100 - 0 - 4 - 103 - 0 - 0x4020000000000000 - - 1048124 - - - Security - DC01.contoso.local - - -- - - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -## Security Monitoring Recommendations - -For 1100(S): The event logging service has shut down. - -- With this event, you can track system shutdowns and restarts. - -- This event also can be a sign of malicious action when someone tried to shut down the Log Service to cover his or her activity. - diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md deleted file mode 100644 index 3f66f12f17..0000000000 --- a/windows/security/threat-protection/auditing/event-1102.md +++ /dev/null @@ -1,99 +0,0 @@ ---- -title: 1102(S) The audit log was cleared. -description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S). -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 1102(S): The audit log was cleared. - - -Event 1102 illustration - -***Subcategory:*** [Other Events](other-events.md) - -***Event Description:*** - -This event generates every time Windows Security audit log was cleared. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 1102 - 0 - 4 - 104 - 0 - 0x4020000000000000 - - 1087729 - - - Security - DC01.contoso.local - - -- -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x55cd1d - - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that cleared the system security audit log. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that cleared the system security audit log. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -## Security Monitoring Recommendations - -For 1102(S): The audit log was cleared. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- Typically you should not see this event. There is no need to manually clear the Security event log in most cases. We recommend monitoring this event and investigating why this action was performed. - diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md deleted file mode 100644 index 60114513f7..0000000000 --- a/windows/security/threat-protection/auditing/event-1104.md +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -title: 1104(S) The security log is now full. -description: This event generates every time Windows security log becomes full and the event log retention method is set to Do not overwrite events. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 1104(S): The security log is now full. - - -Event 1104 illustration - -***Subcategory:*** [Other Events](other-events.md) - -***Event Description:*** - -This event generates every time Windows security log becomes full. - -This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](/previous-versions/windows/it-pro/windows-server-2003/cc778402(v=ws.10))”. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 1104 - 0 - 2 - 101 - 0 - 0x4020000000000000 - - 1087728 - - - Security - DC01.contoso.local - - -- - - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -## Security Monitoring Recommendations - -- If the Security event log retention method is set to “[Do not overwrite events (Clear logs manually)](/previous-versions/windows/it-pro/windows-server-2003/cc778402(v=ws.10))”, then this event will indicate that log file is full and you need to perform immediate actions, for example, archive the log or clear it. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md deleted file mode 100644 index ab01840a97..0000000000 --- a/windows/security/threat-protection/auditing/event-1105.md +++ /dev/null 
@@ -1,98 +0,0 @@ ---- -title: 1105(S) Event log automatic backup. -description: This event generates every time Windows security log becomes full and new event log file was created. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 1105(S): Event log automatic backup - - -Event 1105 illustration - -***Subcategory:*** [Other Events](other-events.md) - -***Event Description:*** - -This event generates every time Windows security log becomes full and new event log file was created. - -This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc721981(v=ws.11))”. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 1105 - 0 - 4 - 105 - 0 - 0x4020000000000000 - - 1128551 - - - Security - DC01.contoso.local - - -- -- - Security - C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2015-10-16-00-50-12-621.evtx - - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Log** \[Type = UnicodeString\]: the name of the log that was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs. - -**File**: \[Type = FILETIME\]: full path and filename of archived log file. - -The format of archived log file name is: “Archive-LOG\_FILE\_NAME-YYYY-MM-DD-hh-mm-ss-nnn.evtx”. Where: - -- LOG\_FILE\_NAME – the name of archived file. - -- Y – years. - -- M – months. - -- D – days. - -- h – hours. - -- m – minutes. - -- s – seconds. - -- n – fractional seconds. - -The time in this event is always in ***GMT+0/UTC+0*** time zone. - -## Security Monitoring Recommendations - -For 1105(S): Event log automatic backup. - -- Typically it’s an informational event and no actions are needed. But if your baseline settings are not set to [Archive the log when full, do not overwrite events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc721981(v=ws.11)), then this event will be a sign that some settings are not set to baseline settings or were changed. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md deleted file mode 100644 index df61026142..0000000000 --- a/windows/security/threat-protection/auditing/event-1108.md +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -title: The event logging service encountered an error -description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 1108(S): The event logging service encountered an error while processing an incoming event published from %1. - - -Event 1108 illustration - -***Subcategory:*** [Other Events](other-events.md) - -***Event Description:*** - -This event generates when event logging service encountered an error while processing an incoming event. - -It typically generates when logging service will not be able to correctly write the event to the event log or some parameters were not passed to logging service to log the event correctly. You will typically see a defective or incorrect event before 1108. - -For example, event 1108 might be generated after an incorrect [4703](event-4703.md) event: - -Event 4703, partial illustration - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 1108 - 0 - 2 - 101 - 0 - 0x4020000000000000 - - 5599 - - - Security - WIN-GG82ULGC9GO.contoso.local - - -- -- - - 0 - Microsoft-Windows-Security-Auditing - - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008 R2, Windows 7. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**%1** \[Type = UnicodeString\]: the name of [security event source](/windows/win32/eventlog/event-sources) from which event was received for processing. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example: - -Subkeys under Security key illustration - -## Security Monitoring Recommendations - -For 1108(S): The event logging service encountered an error while processing an incoming event published from %1. - -- We recommend monitoring for all events of this type and checking what the cause of the error was. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md deleted file mode 100644 index 4d229afc2d..0000000000 --- a/windows/security/threat-protection/auditing/event-4608.md +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -title: 4608(S) Windows is starting up. -description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4608(S): Windows is starting up. - - -Event 4608 illustration - -***Subcategory:*** [Audit Security State Change](audit-security-state-change.md) - -***Event Description:*** - -This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized. - -It typically generates during operating system startup process. - -> [!NOTE] -> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -```xml -- -- - - 4608 - 0 - 0 - 12288 - 0 - 0x8020000000000000 - - 1101704 - - - Security - DC01.contoso.local - - - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -## Security Monitoring Recommendations - -For 4608(S): Windows is starting up. - -- With this event, you can track system startup events. - diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md deleted file mode 100644 index a277e58ec7..0000000000 --- a/windows/security/threat-protection/auditing/event-4610.md +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -title: 4610(S) An authentication package has been loaded by the Local Security Authority. -description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4610(S): An authentication package has been loaded by the Local Security Authority. - - -Event 4610 illustration - -***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md) - -***Event Description:*** - -This event generates every time [Authentication Package](/windows/win32/secauthn/authentication-packages) has been loaded by the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)). - -Each time the system starts, the LSA loads the Authentication Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages** registry value and performs the initialization sequence for every package located in these DLLs. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4610 - 0 - 0 - 12289 - 0 - 0x8020000000000000 - - 1048138 - - - Security - DC01.contoso.local - - -- - C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0 - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Authentication Package Name** \[Type = UnicodeString\]**:** the name of loaded [Authentication Package](/windows/win32/secauthn/authentication-packages). The format is: DLL\_PATH\_AND\_NAME: AUTHENTICATION\_PACKAGE\_NAME. - -By default the only one Authentication Package loaded by Windows 10 is “[MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0](/windows/win32/secauthn/msv1-0-authentication-package)”. - -## Security Monitoring Recommendations - -For 4610(S): An authentication package has been loaded by the Local Security Authority. - -- Report all “**Authentication Package Name**” not equals “C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0”, because by default this is the only Authentication Package loaded by Windows 10. - -- Typically this event has an informational purpose. If you have a pre-defined list of allowed Authentication Packages in the system, then you can check whether “**Authentication Package Name”** is in your defined list. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md deleted file mode 100644 index 27574efa40..0000000000 --- a/windows/security/threat-protection/auditing/event-4611.md +++ /dev/null 
@@ -1,109 +0,0 @@ ---- -title: 4611(S) A trusted logon process has been registered with the Local Security Authority. -description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4611(S): A trusted logon process has been registered with the Local Security Authority. - - -Event 4611 illustration - -***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md) - -***Event Description:*** - -This event indicates that a logon process has registered with the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)). Also, logon requests will now be accepted from this source. - -At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates. - -A logon process is a trusted part of the operating system that handles the overall logon function for different logon methods (network, interactive, etc.). - -You typically see these events during operating system startup or user logon and authentication actions. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4611 - 0 - 0 - 12289 - 0 - 0x8020000000000000 - - 1048175 - - - Security - DC01.contoso.local - - -- - S-1-5-18 - DC01$ - CONTOSO - 0x3e7 - Winlogon - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that registered the trusted logon process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that registered the trusted logon process. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Logon Process Name** \[Type = UnicodeString\]**:** the name of registered logon process. - -## Security Monitoring Recommendations - -For 4611(S): A trusted logon process has been registered with the Local Security Authority. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. - -- Typically this event has an informational purpose. If you defined the list of allowed Logon Processes in the system, then you can check is “**Logon Process Name”** field value in the allow list or not. - -- \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md deleted file mode 100644 index fba5b23479..0000000000 --- a/windows/security/threat-protection/auditing/event-4612.md +++ /dev/null 
@@ -1,44 +0,0 @@
----
-title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
-description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
-
-
-This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk.
-
-This event doesn't generate when the event log service is stopped or event log is full and events retention is disabled.
-
-There is no example of this event in this document.
-
-***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.*
-
-*Number of audit messages discarded: %1*
-
-*This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-- This event can be a sign of hardware issues or lack of system resources (for example, RAM). We recommend monitoring this event and investigating the reason for the condition.
-
diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md
deleted file mode 100644
index 7742a34ee9..0000000000
--- a/windows/security/threat-protection/auditing/event-4614.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: 4614(S) A notification package has been loaded by the Security Account Manager.
-description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4614(S): A notification package has been loaded by the Security Account Manager.
-
-
-Event 4614 illustration
-
-***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
-
-***Event Description:***
-
-This event generates every time a Notification Package has been loaded by the [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)).
-
-In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](/windows/win32/secmgmt/password-filters).
-
-Password Filters are DLLs that are loaded or called when passwords are set or changed.
-
-Each time a system starts, it loads the notification package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages** registry value and performs the initialization sequence for every package.
-
-> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
                - -***Event XML:*** -``` -- -- - - 4614 - 0 - 0 - 12289 - 0 - 0x8020000000000000 - - 1048140 - - - Security - DC01.contoso.local - - -- - WDIGEST - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Notification Package Name** \[Type = UnicodeString\]**:** the name of loaded Notification Package. - -## Security Monitoring Recommendations - -For 4614(S): A notification package has been loaded by the Security Account Manager. - -- Typically this event has an informational purpose. If you defined the list of allowed Notification Packages in the system, then you can check is “**Notification Package Name”** field value in the allow list or not. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md deleted file mode 100644 index c8a16371bd..0000000000 --- a/windows/security/threat-protection/auditing/event-4615.md +++ /dev/null 
@@ -1,58 +0,0 @@
----
-title: 4615(S) Invalid use of LPC port.
-description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4615(S): Invalid use of LPC port.
-
-
-It appears that this event never occurs.
-
-***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
-
-***Event Schema:***
-
-*Invalid use of LPC port.*
-
-*Subject:*
-
-> *Security ID%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Process Information:*
-
-> *PID:%7*
->
-> *Name:%8*
-
-*Invalid Use:%5*
-
-*LPC Server Port Name:%6*
-
-*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-- There is no recommendation for this event in this document.
-
diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md
deleted file mode 100644
index 91890bb297..0000000000
--- a/windows/security/threat-protection/auditing/event-4616.md
+++ /dev/null
@@ -1,176 +0,0 @@
----
-title: 4616(S) The system time was changed.
-description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4616(S): The system time was changed.
-
-
-Event 4616 illustration
-
-***Subcategory:*** [Audit Security State Change](audit-security-state-change.md)
-
-***Event Description:***
-
-This event generates every time system time was changed.
-
-This event is always logged regardless of the "Audit Security State Change" sub-category setting.
-
-You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions.
-
-> [!NOTE]
-> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
                - -***Event XML:*** -```xml -- -- - - 4616 - 1 - 0 - 12288 - 0 - 0x8020000000000000 - - 1101699 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x48f29 - 2015-10-09T05:04:30.000941900Z - 2015-10-09T05:04:30.000000000Z - 0x1074 - C:\\Windows\\WinSxS\\amd64\_microsoft-windows-com-surrogate-core\_31bf3856ad364e35\_6.3.9600.16384\_none\_25a8f00faa8f185c\\dllhost.exe - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** - -- 0 - Windows Server 2008, Windows Vista. - -- 1 - Windows Server 2008 R2, Windows 7. - - - Added “Process Information” section. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - - > [!NOTE] - > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation. 
- -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Process Information** \[Version 1\]**:** - -- **Process ID** \[Type = Pointer\] \[Version 1\]: hexadecimal Process ID of the process that changed the system time. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Name** \[Type = UnicodeString\] \[Version 1\]**:** full path and the name of the executable for the process. - -**Previous Time** \[Type = FILETIME\]: previous time in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**: - -- Y - years - -- M - months - -- D - days - -- T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm). 
- -- h - hours - -- m - minutes - -- s - seconds - -- n - fractional seconds - -- Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z". - -**New Time** \[Type = FILETIME\]: new time that was set in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**: - -- Y - years - -- M - months - -- D - days - -- T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm). - -- h - hours - -- m - minutes - -- s - seconds - -- n - fractional seconds - -- Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z". - -## Security Monitoring Recommendations - -For 4616(S): The system time was changed. - -> [!IMPORTANT] -> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made by Windows Time service. - -- Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made by Windows Time service. - - - -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. - -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” - 
diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
deleted file mode 100644
index 888ba46e90..0000000000
--- a/windows/security/threat-protection/auditing/event-4618.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: 4618(S) A monitored security event pattern has occurred.
-description: Describes security event 4618(S) A monitored security event pattern has occurred.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4618(S): A monitored security event pattern has occurred.
-
-
-***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
-
-This event can be generated (invoked) only externally using the following command:
-
-**%windir%\\system32\\rundll32 %windir%\\system32\\authz.dll,AuthziGenerateAdminAlertAudit OrgEventId ComputerName UserSid UserName UserDomain UserLogonId EventCount Duration**
-
-Account must have **SeAuditPrivilege** (Generate security audits) to be able to generate this event.
-
-- **UserSid** is resolved when viewing the event in event viewer.
-
-- Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field.
-
-- If a field doesn’t match the expected data type, the event is not generated. That is, if **EventCount** = “XYZ”, then no event is generated.
-
-- **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are)
-
-- Parameters are space delimited, even if a parameter is enclosed in double-quotes.
-
-- Here are the expected data types for the parameters:
-
-| Parameter | Expected Data Type |
-|--------------|--------------------------------------------------|
-| OrgEventID | Ulong |
-| ComputerName | String |
-| UserSid | SID (in string format) |
-| UserName | String |
-| UserDomain | String |
-| UserLogonID | Luid (a ULongLong converted to Hex in the event) |
-| EventCount | Ulong |
-| Duration | String |
-
-Event 4618 illustration
-
                - -***Event XML:*** -``` -- -- - - 4618 - 0 - 0 - 12290 - 0 - 0x8020000000000000 - - 1198759 - - - Security - DC01.contoso.local - - -- - 4624 - DC01.contoso.local - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x1 - 10 - “Hour" - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -## Security Monitoring Recommendations - -For 4618(S): A monitored security event pattern has occurred. - -- This event can be invoked only manually/intentionally, it is up to you how to interpret this event depends on information you put inside of it. - diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md deleted file mode 100644 index 23a502abad..0000000000 --- a/windows/security/threat-protection/auditing/event-4621.md +++ /dev/null 
@@ -1,44 +0,0 @@
----
-title: 4621(S) Administrator recovered system from CrashOnAuditFail.
-description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4621(S): Administrator recovered system from CrashOnAuditFail.
-
-
-
-This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2.
-
-There is no example of this event in this document.
-
-***Subcategory:*** [Audit Security State Change](audit-security-state-change.md)
-
-***Event Schema:***
-
-*Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.*
-
-*Value of CrashOnAuditFail:%1*
-
-*This event is logged after a system reboots following CrashOnAuditFail.*
-
-***Required Server Roles:*** None.
-
-***Minimum OS Version:*** Windows Server 2008, Windows Vista.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-- We recommend triggering an alert for any occurrence of this event. The event shows that the system halted because it could not record an auditable event in the Security Log, as described in [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396).
-
-- If your computers don’t have the [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396) flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md
deleted file mode 100644
index c55bf6a9b2..0000000000
--- a/windows/security/threat-protection/auditing/event-4622.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: 4622(S) A security package has been loaded by the Local Security Authority.
-description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4622(S): A security package has been loaded by the Local Security Authority.
-
-
-Event 4622 illustration
-
-***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md)
-
-***Event Description:***
-
-This event generates every time [Security Package](/windows/win32/secauthn/ssp-aps-versus-ssps) has been loaded by the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)).
-
-Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.
-
-Each time the system starts, the LSA loads the Security Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages** registry value and performs the initialization sequence for every package located in these DLLs.
-
-It is also possible to add security package dynamically using [AddSecurityPackage](/windows/win32/api/sspi/nf-sspi-addsecuritypackagea) function, not only during system startup process.
-
-> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
                - -***Event XML:*** -``` -- -- - - 4622 - 0 - 0 - 12289 - 0 - 0x8020000000000000 - - 1048131 - - - Security - DC01.contoso.local - - -- - C:\\Windows\\system32\\kerberos.DLL : Kerberos - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Security Package Name** \[Type = UnicodeString\]**:** the name of loaded Security Package. The format is: DLL\_PATH\_AND\_NAME: SECURITY\_PACKAGE\_NAME. - -These are some Security Package DLLs loaded by default in Windows 10: - -- C:\\Windows\\system32\\schannel.DLL : Microsoft Unified Security Protocol Provider - -- C:\\Windows\\system32\\schannel.DLL : Schannel - -- C:\\Windows\\system32\\cloudAP.DLL : CloudAP - -- C:\\Windows\\system32\\wdigest.DLL : WDigest - -- C:\\Windows\\system32\\pku2u.DLL : pku2u - -- C:\\Windows\\system32\\tspkg.DLL : TSSSP - -- C:\\Windows\\system32\\msv1\_0.DLL : NTLM - -- C:\\Windows\\system32\\kerberos.DLL : Kerberos - -- C:\\Windows\\system32\\negoexts.DLL : NegoExtender - -- C:\\Windows\\system32\\lsasrv.dll : Negotiate - -## Security Monitoring Recommendations - -For 4622(S): A security package has been loaded by the Local Security Authority. - -- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allowlist or not. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md deleted file mode 100644 index 84e8eaa64e..0000000000 --- a/windows/security/threat-protection/auditing/event-4624.md +++ /dev/null 
@@ -1,322 +0,0 @@ ---- -title: 4624(S) An account was successfully logged on. -description: Describes security event 4624(S) An account was successfully logged on. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.collection: tier3 -ms.topic: reference ---- - -# 4624(S): An account was successfully logged on. - - -Event 4624 illustration - -***Subcategory:*** [Audit Logon](audit-logon.md) - -***Event Description:*** - -This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created. - -> [!NOTE] -> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -```xml - - - - - 4624 - 2 - 0 - 12544 - 0 - 0x8020000000000000 - - 211 - - - Security - WIN-GG82ULGC9GO - - - - S-1-5-18 - WIN-GG82ULGC9GO$ - WORKGROUP - 0x3e7 - S-1-5-21-1377283216-344919071-3415362939-500 - Administrator - WIN-GG82ULGC9GO - 0x8dcdc - 2 - User32 - Negotiate - WIN-GG82ULGC9GO - {00000000-0000-0000-0000-000000000000} - - - - - 0 - 0x44c - C:\\Windows\\System32\\svchost.exe - 127.0.0.1 - 0 - %%1833 - - - - - - - %%1843 - 0x0 - %%1842 - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** - -- 0 - Windows Server 2008, Windows Vista. - -- 1 - Windows Server 2012, Windows 8. - - - Added "Impersonation Level" field. - -- 2 - Windows 10. - - - Added "Logon Information:" section. - - - **Logon Type** moved to "Logon Information:" section. - - - Added "Restricted Admin Mode" field. - - - Added "Virtual Account" field. - - - Added "Elevated Token" field. - - - Added "Linked Logon ID" field. - - - Added "Network Account Name" field. - - - Added "Network Account Domain" field. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** [Type = SID]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. - - This field can also contain no subject user information, but the NULL Sid "S-1-0-0" and no user or domain information. - - > [!NOTE] - > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. 
The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** [Type = UnicodeString]**:** the name of the account that reported information about successful logon. - -- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following information: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - - For local user accounts, this field contains the name of the computer or device that this account belongs to, for example: `Win81`. - -- **Logon ID** [Type = HexInt64]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4672](event-4672.md)(S): Special privileges assigned to new logon." - -**Logon Information** [Version 2]**:** - -- **Logon Type** [Version 0, 1, 2] [Type = UInt32]**:** the type of logon that happened. The following table contains the list of possible values for this field. 
- -## Logon types and descriptions - -| Logon Type | Logon Title | Description | -|:----------:|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `0` | `System` | Used only by the System account, for example at system startup. | -| `2` | `Interactive` | A user logged on to this computer. | -| `3` | `Network` | A user or computer logged on to this computer from the network. | -| `4` | `Batch` | Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention. | -| `5` | `Service` | The Service Control Manager started a service. | -| `7` | `Unlock` | This workstation was unlocked. | -| `8` | `NetworkCleartext` | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext). | -| `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | -| `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | -| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller wasn't contacted to verify the credentials. | -| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This type is used for internal auditing. | -| `13` | `CachedUnlock` | Workstation logon. 
| - -- **Restricted Admin Mode** [Version 2] [Type = UnicodeString]**:** Only populated for **RemoteInteractive** logon type sessions. This value is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Windows 8.1 and Windows Server 2012 R2, but this flag was added to the event in Windows 10. - - Reference: . - - If not a **RemoteInteractive** logon, then this value is the string: `-` - -- **Virtual Account** [Version 2] [Type = UnicodeString]**:** a "Yes" or "No" flag, which indicates if the account is a virtual account (for example, "[Managed Service Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560633(v=ws.10))"), which was introduced in Windows 7 and Windows Server 2008 R2 to identify the account that a given Service uses, instead of just using "NetworkService". - -- **Elevated Token** [Version 2] [Type = UnicodeString]**:** a "Yes" or "No" flag. If "Yes", then the session this event represents is elevated and has administrator privileges. - -**Impersonation Level** [Version 1, 2] [Type = UnicodeString]: can have one of these four values: - -- SecurityAnonymous (displayed as **empty string**): The server process can't obtain identification information about the client, and it can't impersonate the client. It's defined with no value given, and thus, by ANSI C rules, defaults to a value of zero. - -- SecurityIdentification (displayed as "**Identification**"): The server process can obtain information about the client, such as security identifiers and privileges, but it can't impersonate the client. This value is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context. 
- -- SecurityImpersonation (displayed as "**Impersonation**"): The server process can impersonate the client's security context on its local system. The server can't impersonate the client on remote systems. This type is the most common. - -- SecurityDelegation (displayed as "**Delegation**"): The server process can impersonate the client's security context on remote systems. - -**New Logon:** - -- **Security ID** [Type = SID]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. - - > [!NOTE] - > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** [Type = UnicodeString]**:** the name of the account for which logon was performed. - -- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. 
Formats vary, and include the following information: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - - For local user accounts, this field contains the name of the computer or device that this account belongs to, for example: `Win81`. - -- **Logon ID** [Type = HexInt64]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4672](event-4672.md)(S): Special privileges assigned to new logon." - -- **Linked Logon ID** [Version 2] [Type = HexInt64]**:** A hexadecimal value of the paired logon session. If there's no other logon session associated with this logon session, then the value is "**0x0**". - -- **Network Account Name** [Version 2] [Type = UnicodeString]**:** User name that's used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type. - - If not **NewCredentials** logon, then this value will be the string: `-` - -- **Network Account Domain** [Version 2] [Type = UnicodeString]**:** Domain for the user that's used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type. - - If not **NewCredentials** logon, then this value will be the string: `-` - -- **Logon GUID** [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, "[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller. 
- - It also can be used for correlation between a 4624 event and several other events (on the same computer) that can contain the same **Logon GUID**, "[4648](event-4648.md)(S): A logon was attempted using explicit credentials" and "[4964](event-4964.md)(S): Special groups have been assigned to a new logon." - - This parameter might not be captured in the event, and in that case appears as "{00000000-0000-0000-0000-000000000000}". - - > [!NOTE] - > **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities, or instances. - -**Process Information:** - -- **Process ID** [Type = Pointer]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**. - -- **Process Name** [Type = UnicodeString]**:** full path and the name of the executable for the process. - -**Network Information:** - -- **Workstation Name** [Type = UnicodeString]**:** machine name from which a logon attempt was performed. - -- **Source Network Address** [Type = UnicodeString]**:** IP address of machine from which logon attempt was performed. - - - IPv6 address or IPv4 address of a client. - - - `::1` or `127.0.0.1` means localhost. - -- **Source Port** [Type = UnicodeString]: The source port that was used for logon attempt from remote machine. - - - 0 for interactive logons. - -> [!NOTE] -> The fields for IP address/port and workstation name are populated depending on the authentication context and protocol used. 
LSASS will audit the information the authenticating service shares with LSASS. For example, network logons with Kerberos likely have no workstation information, and NTLM logons have no TCP/IP details. - -**Detailed Authentication Information:** - -- **Logon Process** [Type = UnicodeString]**:** the name of the trusted logon process that was used for the logon. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information. - -- **Authentication Package** [Type = UnicodeString]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are: - - - **NTLM** - NTLM-family Authentication - - - **Kerberos** - Kerberos authentication. - - - **Negotiate** - the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it can't be used by one of the systems involved in the authentication or the calling application didn't provide sufficient information to use Kerberos. - -- **Transited Services** [Type = UnicodeString] [Kerberos-only]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. 
S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user - most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see - -- **Package Name (NTLM only)** [Type = UnicodeString]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during logon. Possible values are: - - - "NTLM V1" - - - "NTLM V2" - - - "LM" - - Only populated if "**Authentication Package" = "NTLM"**. - -- **Key Length** [Type = UInt32]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically it has 128-bit or 56-bit length. This parameter is always 0 if "**Authentication Package" = "Kerberos"**, because it isn't applicable for Kerberos protocol. This field also has a `0` value if Kerberos was negotiated using **Negotiate** authentication package. - -## Security Monitoring Recommendations - -For 4624(S): An account was successfully logged on. - -| Type of monitoring required | Recommendation | -|-----------------------------|-------------------------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have nonactive, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. | -| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an "allowlist-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allowlist. | -| **Accounts of different types**: Make sure that certain actions run only by certain account types. For example, local or domain account, machine or user account, or vendor or employee account. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. | -| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that aren't allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. 
| -| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) shouldn't typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you're concerned about. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions. | - -- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** isn't SYSTEM. - -- If "**Restricted Admin**" mode must be used for logons by certain accounts, use this event to monitor logons by "**New Logon\\Security ID**" in relation to "**Logon Type**"=10 and "**Restricted Admin Mode**"="Yes". If "**Restricted Admin Mode**"="No" for these accounts, trigger an alert. - -- If you need to monitor all logon events for accounts with administrator privileges, monitor this event with "**Elevated Token**"="Yes". - -- If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with "**Virtual Account**"="Yes". - -- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event. - -- If your organization restricts logons in the following ways, you can use this event to monitor accordingly: - - - If the user account **"New Logon\\Security ID"** should never be used to log on from the specific **Computer:**. - - - If **New Logon\\Security ID** credentials shouldn't be used from **Workstation Name** or **Source Network Address**. 
- - - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses. - - - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** doesn't equal **NTLM V2**. - - - If NTLM isn't used in your organization, or shouldn't be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM. - - - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length. - -- If you monitor for potentially malicious software, or software that isn't authorized to request logon actions, monitor this event for **Process Name**. - -- If you have a trusted logon processes list, monitor for a **Logon Process** that isn't from the list. diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md deleted file mode 100644 index 0cb398d228..0000000000 --- a/windows/security/threat-protection/auditing/event-4625.md +++ /dev/null 
@@ -1,270 +0,0 @@ ---- -title: 4625(F) An account failed to log on. -description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 01/03/2022 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.collection: - - highpri - - tier3 -ms.topic: reference ---- - -# 4625(F): An account failed to log on. - - -Event 4625 illustration - -***Subcategories:*** [Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md) - -***Event Description:*** - -This event is logged for any logon failure. - -It generates on the computer where logon attempt was made, for example, if logon attempt was made on user's workstation, then event will be logged on this workstation. - -This event generates on domain controllers, member servers, and workstations. - -> [!NOTE] -> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -```xml -- -- - - 4625 - 0 - 0 - 12546 - 0 - 0x8010000000000000 - - 229977 - - - Security - DC01.contoso.local - - -- - S-1-5-18 - DC01$ - CONTOSO - 0x3e7 - S-1-0-0 - Auditor - CONTOSO - 0xc0000234 - %%2307 - 0x0 - 2 - User32 - Negotiate - DC01 - - - - - 0 - 0x1bc - C:\\Windows\\System32\\winlogon.exe - 127.0.0.1 - 0 - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - - > [!NOTE] - > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure. - -- **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. 
Here are some examples of formats: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". - -- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. "Table 11. Windows Logon Types" contains the list of possible values for this field. - - - **Table 11: Windows Logon Types** - - | Logon Type | Logon Title | Description | - |-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | 2 | Interactive | A user logged on to this computer. | - | 3 | Network | A user or computer logged on to this computer from the network. | - | 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | - | 5 | Service | A service was started by the Service Control Manager. | - | 7 | Unlock | This workstation was unlocked. | - | 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). 
| - | 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | - | 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | - | 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | - - -**Account For Which Logon Failed:** - -- **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - - > [!NOTE] - > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt. - -- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. 
Here are some examples of formats: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on." - -**Failure Information:** - -- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has "**Account locked out**" value. - -- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has "**0xC0000234**" value. - -- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. - -> [!NOTE] -> For more information about various Status or Sub Status codes, see [NTSTATUS Values](/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55). - -**Process Information:** - -- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

                - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**. - -- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -**Network Information:** - -- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed. - -- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed. - - - IPv6 address or ::ffff:IPv4 address of a client. - - - ::1 or 127.0.0.1 means localhost. - -- **Source Port** \[Type = UnicodeString\]: source port that was used for logon attempt from remote machine. - - - 0 for interactive logons. - -**Detailed Authentication Information:** - -- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information. - -- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. 
The most common authentication packages are: - - - **NTLM** – NTLM-family Authentication - - - **Kerberos** – Kerberos authentication. - - - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos. - -- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see - -- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during the logon attempt. Possible values are: - - - "NTLM V1" - - - "NTLM V2" - - - "LM" - - Only populated if "**Authentication Package" = "NTLM"**. - -- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have "0" value if Kerberos was negotiated using **Negotiate** authentication package. - -## Security Monitoring Recommendations - -For 4625(F): An account failed to log on. 
- -> [!IMPORTANT] -> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value. - -- You can monitor to see if "**Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - - - -- If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**." - -- If **Subject\\Account Name** is a name of service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for **Account For Which Logon Failed\\Security ID**. - -- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event. - -- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **"Subject\\Security ID"** that corresponds to the account. - -- We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets. - -- We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. Monitoring is especially relevant for critical servers, administrative workstations, and other high value assets. 
- -- If your organization restricts logons in the following ways, you can use this event to monitor accordingly: - - - If the **"Account For Which Logon Failed \\Security ID"** should never be used to log on from the specific **Network Information\\Workstation Name**. - - - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses. - - - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**. - - - If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM. - - - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length. - - - If **Logon Process** is not from a trusted logon processes list. - -- Monitor for all events with the fields and values in the following table: - - | Field | Value to monitor for | - |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC000005E – "There are currently no logon servers available to service the logon request."
                This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
- | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000064 – "User logon with misspelled or bad user account".
                Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. |
- | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC000006A – "User logon with misspelled or bad password" for critical accounts or service accounts.
                Especially watch for a number of such events in a row. |
- | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC000006D – "This is either due to a bad username or authentication information" for critical accounts or service accounts.
                Especially watch for a number of such events in a row. |
- | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC000006F – "User logon outside authorized hours". |
- | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000070 – "User logon from unauthorized workstation". |
- | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000072 – "User logon to account disabled by administrator". |
- | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC000015B – "The user has not been granted the requested logon type (aka logon right) at this machine". |
- | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC0000192 – "An attempt was made to logon, but the Netlogon service was not started".
                This issue is typically not a security issue but it can be an infrastructure or availability issue. |
- | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0xC0000193 – "User logon with expired account". |
- | **Failure Information\\Status** or
                **Failure Information\\Sub Status** | 0XC0000413 – "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine". | diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md deleted file mode 100644 index 3e4a81e7d5..0000000000 --- a/windows/security/threat-protection/auditing/event-4626.md +++ /dev/null @@ -1,181 +0,0 @@ ---- -title: 4626(S) User/Device claims information. -description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4626(S): User/Device claims information. - - -Event 4626 illustration - -***Subcategory:*** [Audit User/Device Claims](audit-user-device-claims.md) - -***Event Description:*** - -This event generates for new account logons and contains user/device claims which were associated with a new logon session. - -This event does not generate if the user/device doesn’t have claims. - -For computer account logons you will also see device claims listed in the “**User Claims**” field. - -You will typically get “[4624](event-4624.md): An account was successfully logged on” and after it a 4626 event with the same information in **Subject**, **Logon Type** and **New Logon** sections. - -This event generates on the computer to which the logon was performed (target computer). For example, for Interactive logons it will be the same computer. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4626 - 0 - 0 - 12553 - 0 - 0x8020000000000000 - - 232648 - - - Security - DC01.contoso.local - - -- - S-1-0-0 - - - - - 0x0 - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x136f7b - 3 - 1 - 1 - ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" ad://ext/Department:88d16a8edaa8c66b <%%1818> : "IT" - - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2012, Windows 8. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that reported information about claims. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about claims. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field: - -| Logon Type | Logon Title | Description | -|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 2 | Interactive | A user logged on to this computer. | -| 3 | Network | A user or computer logged on to this computer from the network. | -| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | -| 5 | Service | A service was started by the Service Control Manager. | -| 7 | Unlock | This workstation was unlocked. | -| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. 
The credentials do not traverse the network in plaintext (also called cleartext). | -| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | -| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | -| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | - -**New Logon:** - -- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Event in sequence** \[Type = UInt32\]**: I**f is there is not enough space in one event to put all claims, you will see “**1 of N**” in this field and additional events will be generated. Typically this field has “**1 of 1**” value. - -**User Claims** \[Type = UnicodeString\]**:** list of user claims for new logon session. This field contains user claims if user account was logged in and device claims if computer account was logged in. Here is an example how to parse the entrance of this field: - -- ad://ext/cn:88d2b96fdb2b4c49 <String> : “dadmin” - - - cn – claim display name. - - - 88d2b96fdb2b4c49 – unique claim ID. - - - <String> - claim type. - - - “dadmin” – claim value. - -**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed. - -## Security Monitoring Recommendations - -For 4626(S): User/Device claims information. - -- Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”. 
- -- If you need to monitor account logons with specific claims, you can monitor for [4626](event-4626.md) and check **User Claims**\\**Device Claims** fields. - -- If you have specific requirements, such as: - - - Users with specific claims should not access specific computers; - - - Computer account should not have specific claims; - - - User account should not have specific claims; - - - Claim should not be empty - - - And so on… - - You can monitor for [4626](event-4626.md) and check **User Claims**\\**Device Claims** fields. - -- If you need to monitor computer/user logon attempts only and you don’t need information about claims, then it is better to monitor “[4624](event-4624.md): An account was successfully logged on.” - diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md deleted file mode 100644 index bb08d6bfd0..0000000000 --- a/windows/security/threat-protection/auditing/event-4627.md +++ /dev/null 
@@ -1,158 +0,0 @@ ---- -title: 4627(S) Group membership information. -description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4627(S): Group membership information. - - -Event 4627 illustration - -***Subcategory:*** [Audit Group Membership](audit-group-membership.md) - -***Event Description:*** - -This event generates with “[4624](event-4624.md)(S): An account was successfully logged on” and shows the list of groups that the logged-on account belongs to. - -You must also enable the Success audit for [Audit Logon](audit-logon.md) subcategory to get this event. - -Multiple events are generated if the group membership information cannot fit in a single security audit event. - -> [!NOTE] -> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** - -```xml -- -- - - 4627 - 0 - 0 - 12554 - 0 - 0x8020000000000000 - - 3081 - - - Security - WIN-GG82ULGC9GO.contoso.local - - -- - S-1-0-0 - - - - - 0x0 - S-1-5-21-1377283216-344919071-3415362939-1104 - dadmin - CONTOSO - 0x569860 - 3 - 1 - 1 - %{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1377283216-344919071-3415362939-512} %{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288} - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2016, Windows 10. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - - > [!NOTE] - > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon or invokes it. 
- -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.” - -- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field: - -| Logon Type | Logon Title | Description | -|------------|-------------------|----------------------| -| 2 | Interactive | A user logged on to this computer. | -| 3 | Network | A user or computer logged on to this computer from the network. | -| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | -| 5 | Service | A service was started by the Service Control Manager. | -| 7 | Unlock | This workstation was unlocked. | -| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | -| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. 
The new logon session has the same local identity, but uses different credentials for other network connections. | -| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | -| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | - -**New Logon:** - -- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - - > [!NOTE] - > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.” - -**Event in sequence** \[Type = UInt32\]**: I**f is there is not enough space in one event to put all groups, you will see “**1 of N**” in this field and additional events will be generated. Typically this field has “**1 of 1**” value. - -**Group Membership** \[Type = UnicodeString\]**:** the list of group SIDs which logged account belongs to (member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -## Security Monitoring Recommendations - -For 4627(S): Group membership information. - -> [!IMPORTANT] -> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”. - - - -- If you need to track that a member of a specific group logged on to a computer, check the “**Group Membership**” field. - 
diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md deleted file mode 100644 index 6d1dd284e6..0000000000 --- a/windows/security/threat-protection/auditing/event-4634.md +++ /dev/null @@ -1,118 +0,0 @@ ---- -title: 4634(S) An account was logged off. -description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4634(S): An account was logged off. - - -Event 4634 illustration - -***Subcategory:*** [Audit Logoff](audit-logoff.md) - -***Event Description:*** - -This event shows that logon session was terminated and no longer exists. - -The main difference between “[4647](event-4647.md): User initiated logoff.” and 4634 event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists. - -4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user. - -It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4634 - 0 - 0 - 12545 - 0 - 0x8020000000000000 - - 230019 - - - Security - DC01.contoso.local - - -- - S-1-5-90-1 - DWM-1 - Window Manager - 0x1a0992 - 2 - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that was logged off. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was logged off. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. 
- - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Logon Type** \[Type = UInt32\]**:** the type of logon which was used. The table below contains the list of possible values for this field: - -| Logon Type | Logon Title | Description | -|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 2 | Interactive | A user logged on to this computer. | -| 3 | Network | A user or computer logged on to this computer from the network. | -| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | -| 5 | Service | A service was started by the Service Control Manager. | -| 7 | Unlock | This workstation was unlocked. | -| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | -| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. 
| -| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | -| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | - -## Security Monitoring Recommendations - -For 4634(S): An account was logged off. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- If a particular **Logon Type** should not be used by a particular account (for example if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor this event for such actions. - diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md deleted file mode 100644 index d7ba93610b..0000000000 --- a/windows/security/threat-protection/auditing/event-4647.md +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -title: 4647(S) User initiated logoff. -description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4647(S): User initiated logoff. - - -Event 4647 illustration - -***Subcategory:*** [Audit Logoff](audit-logoff.md) - -***Event Description:*** - -This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. - -The main difference with “[4634](event-4634.md)(S): An account was logged off.” event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists. - -4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user. - -It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4647 - 0 - 0 - 12545 - 0 - 0x8020000000000000 - - 230200 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x29b379 - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “logoff” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “logoff” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -## Security Monitoring Recommendations - -For 4647(S): User initiated logoff. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md deleted file mode 100644 index bd172bb754..0000000000 --- a/windows/security/threat-protection/auditing/event-4648.md +++ /dev/null 
@@ -1,195 +0,0 @@ ---- -title: 4648(S) A logon was attempted using explicit credentials. -description: Describes security event 4648(S) A logon was attempted using explicit credentials. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4648(S): A logon was attempted using explicit credentials. - - -Event 4648 illustration - -***Subcategory:*** [Audit Logon](audit-logon.md) - -***Event Description:*** - -This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials. - -This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command. - -It is also a routine event which periodically occurs during normal operating system activity. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4648 - 0 - 0 - 12544 - 0 - 0x8020000000000000 - - 233200 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x31844 - {00000000-0000-0000-0000-000000000000} - ladmin - CONTOSO - {0887F1E4-39EA-D53C-804F-31D568A06274} - localhost - localhost - 0x368 - C:\\Windows\\System32\\svchost.exe - ::1 - 0 - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the new logon session with explicit credentials. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the new logon session with explicit credentials. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller. - - It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4624](event-4624.md)(S): An account was successfully logged on” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.” - - This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. - -> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. - -**Account Whose Credentials Were Used:** - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account whose credentials were used. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller. - - It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4624](event-4624.md)(S): An account was successfully logged on” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.” - - This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. - -> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. - -**Target Server:** - -- **Target Server Name** \[Type = UnicodeString\]**:** the name of the server on which the new process was run. Has “**localhost**” value if the process was run locally. - -- **Additional Information** \[Type = UnicodeString\]**:** there is no detailed information about this field in this document. - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was run using explicit credentials. Process ID (PID) is a number used by the operating system to uniquely identify an active process. 
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -**Network Information:** - -- **Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed. - - - IPv6 address or ::ffff:IPv4 address of a client. - - - ::1 or 127.0.0.1 means localhost. - -- **Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine. - - - 0 for interactive logons. - -## Security Monitoring Recommendations - -For 4648(S): A logon was attempted using explicit credentials. 
- -The following table is similar to the table in [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md), but also describes ways of monitoring that use “**Account Whose Credentials Were Used\\Security ID.**” - -| **Type of monitoring required** | **Recommendation** | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.
                Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. | -| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. 
| -| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.
                For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions. | - -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. - -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - - - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” - -- If **Subject\\Security ID** should not know or use credentials for **Account Whose Credentials Were Used\\Account Name**, monitor this event. - -- If credentials for **Account Whose Credentials Were Used\\Account Name** should not be used from **Network Information\\Network Address**, monitor this event. - -- Check that **Network Information\\Network Address** is from internal IP address list. For example, if you know that a specific account (for example, a service account) should be used only from specific IP addresses, you can monitor for all events where **Network Information\\Network Address** is not one of the allowed IP addresses. - diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md deleted file mode 100644 index 81ceab6ec4..0000000000 --- a/windows/security/threat-protection/auditing/event-4649.md +++ /dev/null 
@@ -1,80 +0,0 @@
----
-title: 4649(S) A replay attack was detected.
-description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4649(S): A replay attack was detected.
-
-
-This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client.
-
-Domain controllers cache information from recently received tickets. If the server name, client name, time, and microsecond fields from the Authenticator match recently seen entries in the cache, it will return KRB\_AP\_ERR\_REPEAT. You can read more about this in [RFC-1510](http://www.ietf.org/rfc/rfc1510.txt). One potential cause for this is a misconfigured network device between the client and server that could send the same packet(s) repeatedly.
-
-There is no example of this event in this document.
-
-***Subcategory:*** [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
-
-***Event Schema:***
-
-*A replay attack was detected.*
-
-*Subject:*
-
-> *Security ID:%1*
->
-> *Account Name:%2*
->
-> *Account Domain:%3*
->
-> *Logon ID:%4*
-
-*Credentials Which Were Replayed:*
-
-> *Account Name:%5*
->
-> *Account Domain:%6*
-
-*Process Information:*
-
-> *Process ID:%12*
->
-> *Process Name:%13*
-
-*Network Information:*
-
-> *Workstation Name:%10*
-
-*Detailed Authentication Information:*
-
-> *Request Type:%7*
->
-> *Logon Process:%8*
->
-> *Authentication Package:%9*
->
-> *Transited Services:%11*
-
-*This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information.
This condition could be caused by network misconfiguration."*
-
-***Required Server Roles:*** Active Directory domain controller.
-
-***Minimum OS Version:*** Windows Server 2008.
-
-***Event Versions:*** 0.
-
-## Security Monitoring Recommendations
-
-For 4649(S): A replay attack was detected.
-
-- This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems. In both cases, we recommend triggering an alert and investigating the reason the event was generated.
-
diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md
deleted file mode 100644
index 8441566c4f..0000000000
--- a/windows/security/threat-protection/auditing/event-4656.md
+++ /dev/null
@@ -1,277 +0,0 @@ ---- -title: 4656(S, F) A handle to an object was requested. -description: Describes security event 4656(S, F) A handle to an object was requested. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4656(S, F): A handle to an object was requested. - - -Event 4656 illustration - -***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md) - -***Event Description:*** - -This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. - -If access was declined, a Failure event is generated. - -This event generates only if the object’s [SACL](/windows/win32/secauthz/access-control-lists) has the required ACE to handle the use of specific access rights. - -This event shows that access was requested, and the results of the request, but it doesn’t show that the operation was performed. To see that the operation was performed, check “[4663](event-4663.md)(S): An attempt was made to access an object.” - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. 
- -***Event XML***: -``` -- -- - - 4656 - 1 - 0 - 12800 - 0 - 0x8010000000000000 - - 274057 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x4367b - Security - File - C:\\Documents\\HBI Data.txt - 0x0 - {00000000-0000-0000-0000-000000000000} - %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - %%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809 - 0x12019f - - - 0 - 0x1074 - C:\\Windows\\System32\\notepad.exe - S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000)) - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** - -- 0 - Windows Server 2008, Windows Vista. - -- 1 - Windows Server 2012, Windows 8. - - - Added “Resource Attributes” field. - - - Added “Access Reasons” field. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. 
When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested a handle to an object. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Object**: - -- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. - -- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. 
- - The following table contains the list of the most common **Object Types**: - -| Directory | Event | Timer | Device | -|-------------------------|--------------|----------------------|--------------| -| Mutant | Type | File | Token | -| Thread | Section | WindowStation | DebugObject | -| FilterCommunicationPort | EventPair | Driver | IoCompletion | -| Controller | SymbolicLink | WmiGuid | Process | -| Profile | Desktop | KeyedEvent | Adapter | -| Key | WaitablePort | Callback | Semaphore | -| Job | Port | FilterConnectionPort | ALPC Port | - -- **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included. - -- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. - -- **Resource Attributes** \[Type = UnicodeString\] \[Version 1\]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed. - - For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000)) - - - Impact\_MS: Resource Property ***ID***. - - - 3000: Recourse Property ***Value***. - -Impact property illustration - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. 
- - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -**Access Request Information:** - -- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.” - - This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. - -> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. - -- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary. - -| Access | Hexadecimal Value,
                Schema Value | Description | -|---------------------------------------------------------------------------------------|-------------------------------------|----------------| -| ReadData (or ListDirectory)

                (For registry objects, this is “Query key value.”) | 0x1,
                %%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
                **ListDirectory -** For a directory, the right to list the contents of the directory. | -| WriteData (or AddFile)

                (For registry objects, this is “Set key value.”) | 0x2,
                %%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
                **AddFile -** For a directory, the right to create a file in the directory. | -| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
                %%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
                **AddSubdirectory -** For a directory, the right to create a subdirectory.
                **CreatePipeInstance -** For a named pipe, the right to create a pipe. | -| ReadEA
                (For registry objects, this is “Enumerate sub-keys.”) | 0x8,
                %%4419 | The right to read extended file attributes. | -| WriteEA | 0x10,
                %%4420 | The right to write extended file attributes. | -| Execute/Traverse | 0x20,
                %%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
                **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**  [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. | -| DeleteChild | 0x40,
                %%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | -| ReadAttributes | 0x80,
                %%4423 | The right to read file attributes. | -| WriteAttributes | 0x100,
                %%4424 | The right to write file attributes. | -| DELETE | 0x10000,
                %%1537 | The right to delete the object. | -| READ\_CONTROL | 0x20000,
                %%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | -| WRITE\_DAC | 0x40000,
                %%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | -| WRITE\_OWNER | 0x80000,
                %%1540 | The right to change the owner in the object's security descriptor | -| SYNCHRONIZE | 0x100000,
                %%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | -| ACCESS\_SYS\_SEC | 0x1000000,
                %%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | - -> Table 14. File System objects access rights. - -- **Access Reasons** \[Type = UnicodeString\] \[Version 1\]: the list of access check results. The format of this varies, depending on the object. For kernel objects, this field does not apply. - -- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table. - - - -- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: - -| Privilege Name | User Right Group Policy Name | Description | -|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary 
token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
                With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
                With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
                This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
                READ\_CONTROL
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_READ
                FILE\_TRAVERSE | -| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
                This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | -| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
                With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | -| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
                With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
                The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | -| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
                With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                With this privilege, the user can change the maximum memory that can be consumed by a process. | -| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
                With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
                With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
                This privilege is valid only on domain controllers. | -| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
                With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | -| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | -| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                WRITE\_DAC
                WRITE\_OWNER
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_WRITE
                FILE\_ADD\_FILE
                FILE\_ADD\_SUBDIRECTORY
                DELETE
                With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | -| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
                A user with this privilege can also view and clear the security log. | -| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | -| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
                With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
                With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | -| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
                This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | -| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
                With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. | - -- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](/windows/win32/api/securitybaseapi/nf-securitybaseapi-createrestrictedtoken) in the token. Applicable to only specific **Object Types**. - -## Security Monitoring Recommendations - -For 4656(S, F): A handle to an object was requested. - -For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level. - -For other types of objects, the following recommendations apply. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. - -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - - - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” - -- If **Object Name** is a sensitive or critical object for which you need to monitor any access attempt, monitor all [4656](event-4656.md) events. 
-
-- If **Object Name** is a sensitive or critical object for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4656](event-4656.md) events with the corresponding **Access Request Information\\Accesses** values.
-
-- If you need to monitor files and folders with specific Resource Attribute values, monitor for all [4656](event-4656.md) events with specific **Resource Attributes** field values.
-
- For file system objects, we recommend that you monitor these **Access Request Information\\Accesses** rights (especially for Failure events):
-
- - WriteData (or AddFile)
-
- - AppendData (or AddSubdirectory or CreatePipeInstance)
-
- - WriteEA
-
- - DeleteChild
-
- - WriteAttributes
-
- - DELETE
-
- - WRITE\_DAC
-
- - WRITE\_OWNER
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
deleted file mode 100644
index c6279c1fa1..0000000000
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ /dev/null
@@ -1,179 +0,0 @@ ---- -title: 4657(S) A registry value was modified. -description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4657(S): A registry value was modified. - - -Event 4657 illustration - -***Subcategory:*** [Audit Registry](audit-registry.md) - -***Event Description:*** - -This event generates when a registry key ***value*** was modified. It doesn’t generate when a registry key was modified. - -This event generates only if “Set Value" auditing is set in registry key’s [SACL](/windows/win32/secauthz/access-control-lists). - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4657 - 0 - 0 - 12801 - 0 - 0x8020000000000000 - - 744725 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x364eb - \\REGISTRY\\MACHINE - Name\_New - 0x54 - %%1905 - %%1873 - - %%1873 - Andrei - 0xce4 - C:\\Windows\\regedit.exe - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify registry value” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify registry value” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Object:** - -- **Object Name** \[Type = UnicodeString\]: full path and name of the registry key which value was modified. The format is: \\REGISTRY\\HIVE\\PATH where: - - - HIVE: - - - HKEY\_LOCAL\_MACHINE = \\REGISTRY\\MACHINE - - - HKEY\_CURRENT\_USER = \\REGISTRY\\USER\\\[USER\_SID\], where \[USER\_SID\] is the SID of current user. - - - HKEY\_CLASSES\_ROOT = \\REGISTRY\\MACHINE\\SOFTWARE\\Classes - - - HKEY\_USERS = \\REGISTRY\\USER - - - HKEY\_CURRENT\_CONFIG = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\Current - - - PATH – path to the registry key. - -- **Object Value Name** \[Type = UnicodeString\]**:** the name of modified registry key value. - -- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4656](event-4656.md): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”. - -- **Operation Type** \[Type = UnicodeString\]**:** the type of performed operation with registry key value. 
Most common operations are: - - - New registry value created - - - Registry value deleted - - - Existing registry value modified - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the registry key value was modified. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -**Change Information:** - -- **Old Value Type** \[Type = UnicodeString\]**:** old type of changed registry key value. Registry key value types: - -| Value Type | Description | -|-----------------|-------------------------| -| REG\_SZ | String | -| REG\_BINARY | Binary | -| REG\_DWORD | DWORD (32-bit) Value | -| REG\_QWORD | QWORD (64-bit) Value | -| REG\_MULTI\_SZ | Multi-String Value | -| REG\_EXPAND\_SZ | Expandable String Value | - -- **Old Value** \[Type = UnicodeString\]: old value for changed registry key value. - -- **New Value Type** \[Type = UnicodeString\]**:** new type of changed registry key value. See table above for possible values. - -- **New Value** \[Type = UnicodeString\]: new value for changed registry key value. - -## Security Monitoring Recommendations - -For 4657(S): A registry value was modified. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). 
- -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. - -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - - - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” - -- If **Object Name** is a sensitive or critical registry key for which you need to monitor any modification of its values, monitor all [4657](event-4657.md) events. - -- If **Object Name** has specific values (**Object Value Name**) and you need to monitor modifications of these values, monitor for all [4657](event-4657.md) events. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md deleted file mode 100644 index 346730e603..0000000000 --- a/windows/security/threat-protection/auditing/event-4658.md +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -title: 4658(S) The handle to an object was closed. -description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4658(S): The handle to an object was closed. - - -Event 4658 illustration - -***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Handle Manipulation](audit-handle-manipulation.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md) - -***Event Description:*** - -This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. - -This event generates only if Success auditing is enabled for [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory. - -Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4658 - 0 - 0 - 12800 - 0 - 0x8020000000000000 - - 276724 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x4367b - Security - 0x18a8 - 0xef0 - C:\\Windows\\explorer.exe - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “close object’s handle” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “close object’s handle” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Object**: - -- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. - -- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that requested that the handle be closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. 
- -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -## Security Monitoring Recommendations - -For 4658(S): The handle to an object was closed. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it. - -- This event can be used to track all actions or operations related to a specific object handle. - -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. - -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - - - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” - diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md deleted file mode 100644 index 820e2eed6f..0000000000 --- a/windows/security/threat-protection/auditing/event-4660.md +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -title: 4660(S) An object was deleted. -description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4660(S): An object was deleted. - - -Event 4660 illustration - -***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), and [Audit Registry](audit-registry.md) - -***Event Description:*** - -This event generates when an object was deleted. The object could be a file system, kernel, or registry object. - -This event generates only if “Delete" auditing is set in object’s [SACL](/windows/win32/secauthz/access-control-lists). - -This event doesn’t contain the name of the deleted object (only the **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object” with DELETE access to track object deletion. - -The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4660 - 0 - 0 - 12800 - 0 - 0x8020000000000000 - - 270188 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x4367b - Security - 0x1678 - 0xef0 - C:\\Windows\\explorer.exe - {00000000-0000-0000-0000-000000000000} - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Object**: - -- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. - -- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that deleted the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. 
- - - -- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.” - - This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. - -> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. - -## Security Monitoring Recommendations - -For 4660(S): An object was deleted. - -- This event doesn’t contains the name of deleted object (only **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions. - -- For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md deleted file mode 100644 index ea83c3bcec..0000000000 --- a/windows/security/threat-protection/auditing/event-4661.md +++ /dev/null 
@@ -1,219 +0,0 @@ ---- -title: 4661(S, F) A handle to an object was requested. -description: Describes security event 4661(S, F) A handle to an object was requested. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4661(S, F): A handle to an object was requested. - - -Event 4661 illustration - -***Subcategories:*** [Audit Directory Service Access](audit-directory-service-access.md) and [Audit SAM](audit-sam.md) - -***Event Description:*** - -This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object. - -If access was declined, then Failure event is generated. - -This event generates only if Success auditing is enabled for the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML***: -``` -- -- - - 4661 - 0 - 0 - 14080 - 0 - 0x8020000000000000 - - 1048009 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x4280e - Security Account Manager - SAM\_DOMAIN - DC=contoso,DC=local - 0xdd64d36870 - {00000000-0000-0000-0000-000000000000} - %%5400 - 0x2d - Ā - - - 2949165 - 0x9000a000d002d - {bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501} - - -``` - -***Required Server Roles:*** For an Active Directory object, the domain controller role is required. For a SAM object, there is no required role. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested a handle to an object. 
- -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Object**: - -- **Object Server** \[Type = UnicodeString\]: has “**Security Account Manager**” value for this event. - -- **Object Type** \[Type = UnicodeString\]: the type or class of the object that was accessed. The following list contains possible values for this field: - - - SAM\_ALIAS - a local group. - - - SAM\_GROUP - a group that is not a local group. - - - SAM\_USER - a user account. - - - SAM\_DOMAIN - a domain. For Active Directory events, this is the typical value. - - - SAM\_SERVER - a computer account. - -- **Object Name** \[Type = UnicodeString\]: the name of an object for which access was requested. Depends on **Object Type.** This event can have the following format: - - - SAM\_ALIAS – SID of the group. - - - SAM\_GROUP - SID of the group. - - - SAM\_USER - SID of the account. - - - SAM\_DOMAIN – distinguished name of the accessed object. - - - SAM\_SERVER - distinguished name of the accessed object. - -> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. 
-> -> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: -> -> • DC - domainComponent -> -> • CN - commonName -> -> • OU - organizationalUnitName -> -> • O - organizationName - -- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4662](event-4662.md): An operation was performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that requested the handle. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -**Access Request Information:** - -- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.” - - This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. - -> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. - -- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. 
For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use or other informational resources. - -- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use or other informational resources. - -- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below: - -| Privilege Name | User Right Group Policy Name | Description | -|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to 
assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
                With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
                With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
                This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
                READ\_CONTROL
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_READ
                FILE\_TRAVERSE | -| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
                This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | -| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
                With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | -| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
                With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
                The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | -| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
                With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                With this privilege, the user can change the maximum memory that can be consumed by a process. | -| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
                With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
                With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
                This privilege is valid only on domain controllers. | -| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
                With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | -| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | -| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                WRITE\_DAC
                WRITE\_OWNER
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_WRITE
                FILE\_ADD\_FILE
                FILE\_ADD\_SUBDIRECTORY
                DELETE
                With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | -| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
                A user with this privilege can also view and clear the security log. | -| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | -| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
                With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
                With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | -| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
                This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | -| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
                With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. | - -- **Properties** \[Type = UnicodeString\]: depends on **Object Type**. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in “[4661](event-4661.md): A handle to an object was requested” from [Audit SAM](audit-sam.md) subcategory. - -- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](/windows/win32/api/securitybaseapi/nf-securitybaseapi-createrestrictedtoken) in the token. Applicable to only specific **Object Types**. - -## Security Monitoring Recommendations - -For 4661(S, F): A handle to an object was requested. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document. diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md deleted file mode 100644 index 13b91b7666..0000000000 --- a/windows/security/threat-protection/auditing/event-4662.md +++ /dev/null 
@@ -1,247 +0,0 @@ ---- -title: 4662(S, F) An operation was performed on an object. -description: Describes security event 4662(S, F) An operation was performed on an object. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4662(S, F): An operation was performed on an object. - - -Event 4662 illustration - -***Subcategory:*** [Audit Directory Service Access](audit-directory-service-access.md) - -***Event Description:*** - -This event generates every time when an operation was performed on an Active Directory object. - -This event generates only if appropriate [SACL](/windows/win32/secauthz/access-control-lists) was set for Active Directory object and performed operation meets this SACL. - -If operation failed then Failure event will be generated. - -You will get one 4662 for each operation type which was performed. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4662 - 0 - 0 - 14080 - 0 - 0x8020000000000000 - - 407230 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x35867 - DS - %{bf967a86-0de6-11d0-a285-00aa003049e2} - %{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2} - Object Access - 0x0 - %%1537 - 0x10000 - %%1537 {bf967a86-0de6-11d0-a285-00aa003049e2} - - - - - -``` - -***Required Server Roles:*** Active Directory domain controller. - -***Minimum OS Version:*** Windows Server 2008. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Object:** - -- **Object Server** \[Type = UnicodeString\]: has “**DS**” value for this event. - -- **Object Type** \[Type = UnicodeString\]: type or class of the object that was accessed. Some of the common Active Directory object types and classes are: - - - container – for containers. - - - user – for users. - - - group – for groups. - - - domainDNS – for domain object. - - - groupPolicyContainer – for group policy objects. - - For all possible values of **Object Type** open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: - -- **Object Name** \[Type = UnicodeString\]: distinguished name of the object that was accessed. - -> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. -> -> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: -> -> • DC - domainComponent -> -> • CN - commonName -> -> • OU - organizationalUnitName -> -> • O - organizationName - -- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. 
This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4661](event-4661.md): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”. - -**Operation:** - -- **Operation Type** \[Type = UnicodeString\]: the type of operation which was performed on an object. Typically has “**Object Access”** value for this event. - -- **Accesses** \[Type = UnicodeString\]: the type of access used for the operation. See “Table 9. Active Directory Access Codes and Rights.” for more information. - -- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the type of access used for the operation. See “Table 9. Active Directory Access Codes and Rights.” for more information. - -| Access Mask | Access Name | Description | -|--------------------------------------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x1 | Create Child | The right to create child objects of the object. | -| 0x2 | Delete Child | The right to delete child objects of the object. | -| 0x4 | List Contents | The right to list child objects of this object. | -| 0x8 | SELF | The right to perform an operation controlled by a validated write access right. | -| 0x10 | Read Property | The right to read properties of the object. | -| 0x20 | Write Property | The right to write properties of the object. | -| 0x40 | Delete Tree | Delete all children of this object, regardless of the permissions of the children. It is indicates that “Use Delete Subtree server control” check box was checked during deletion. 
This operation means that all objects within the subtree, including all delete-protected objects, will be deleted. | -| 0x80 | List Object | The right to list a particular object. | -| 0x100 | Control Access | Access allowed only after extended rights checks supported by the object are performed.
                The right to perform an operation controlled by an extended access right. | -| 0x10000 | DELETE | The right to delete the object.
                DELETE also generated when object was moved. | -| 0x20000 | READ\_CONTROL | The right to read data from the security descriptor of the object, not including the data in the SACL. | -| 0x40000 | WRITE\_DAC | The right to modify the discretionary access-control list (DACL) in the object security descriptor. | -| 0x80000 | WRITE\_OWNER | The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users. | -| 0x100000 | SYNCHRONIZE | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. | -| 0x1000000 | ADS\_RIGHT\_ACCESS\_SYSTEM\_SECURITY | The right to get or set the SACL in the object security descriptor. | -| 0x80000000 | ADS\_RIGHT\_GENERIC\_READ | The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container. | -| 0x40000000 | ADS\_RIGHT\_GENERIC\_WRITE | The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object. | -| 0x20000000 | ADS\_RIGHT\_GENERIC\_EXECUTE | The right to read permissions on, and list the contents of, a container object. | -| 0x10000000 | ADS\_RIGHT\_GENERIC\_ALL | The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right. | - -> Table 9. Active Directory Access Codes and Rights. - -- **Properties** \[Type = UnicodeString\]: first part is the type of access that was used. Typically has the same value as **Accesses** field. - - Second part is a tree of **GUID** values of Active Directory classes or property sets, for which operation was performed. - -> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. 
It is a 128-bit integer number used to identify resources, activities or instances. - -To translate this GUID, use the following procedure: - -- Perform the following LDAP search using LDP.exe tool: - - - Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX - - - Filter: (&(objectClass=\*)(schemaIDGUID=GUID)) - - - Perform the following operations with the GUID before using it in a search request: - - - We have this GUID to search for: bf967a86-0de6-11d0-a285-00aa003049e2 - - - Take first 3 sections bf967a86-0de6-11d0. - - - For each of these 3 sections you need to change (Invert) the order of bytes, like this 867a96bf-e60d-d011 - - - Add the last 2 sections without transformation: 867a96bf-e60d-d011-a285-00aa003049e2 - - - Delete - : 867a96bfe60dd011a28500aa003049e2 - - - Divide bytes with backslashes: \\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2 - - - Filter example: (&(objectClass=\*)(schemaIDGUID=\\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2)) - - - Scope: Subtree - - - Attributes: schemaIDGUID - -Schema search illustration - -Sometimes GUID refers to pre-defined Active Directory Property Sets, you can find GUID (**Rights-GUID** field), “property set name” and details here: . - -Here is an example of decoding of **Properties** field: - -| Properties | Translation | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------| -| {bf967a86-0de6-11d0-a285-00aa003049e2}
                {91e647de-d96f-4b70-9557-d63ff4f3ccd8}
                {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
                {b3f93023-9239-4f7c-b99c-6745d87adbc2}
                {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7} | Computer
                Private-Information property set
                ms-PKI-RoamingTimeStamp
                ms-PKI-DPAPIMasterKeys
                ms-PKI-AccountCredentials | - -**Additional Information:** - -- **Parameter 1** \[Type = UnicodeString\]**:** there is no information about this field in this document. - -- **Parameter 2** \[Type = UnicodeString\]**:** there is no information about this field in this document. - -## Security Monitoring Recommendations - -For 4662(S, F): An operation was performed on an object. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- If you need to monitor operations attempts to specific Active Directory classes, monitor for **Object Type** field with specific class name. For example, we recommend that you monitor all operations attempts to **domainDNS** class. - -- If you need to monitor operations attempts to specific Active Directory objects, monitor for **Object Name** field with specific object name. For example, we recommend that you monitor all operations attempts to “**CN=AdminSDHolder,CN=System,DC=domain,DC=com”** object. - -- Some access types are more important to monitor, for example: - - - Write Property - - - Control Access - - - DELETE - - - WRITE\_DAC - - - WRITE\_OWNER - - You can decide to monitor these (or one of these) access types for specific Active Directory objects. To do so, monitor for **Accesses** field with specific access type. - -- If you need to monitor operations attempts to specific Active Directory properties, monitor for **Properties** field with specific property GUID. - -- Do not forget that **Failure** attempts are also very important to audit. Decide where you want to monitor Failure attempts based on previous recommendations. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md deleted file mode 100644 index 3568c87841..0000000000 
--- a/windows/security/threat-protection/auditing/event-4663.md +++ /dev/null @@ -1,223 +0,0 @@ ---- -title: 4663(S) An attempt was made to access an object. -description: Describes security event 4663(S) An attempt was made to access an object. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4663(S): An attempt was made to access an object. - - -Event 4663 illustration - -***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md) - -***Event Description:*** - -This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. - -This event generates only if object’s [SACL](/windows/win32/secauthz/access-control-lists) has required ACE to handle specific access right use. - -The main difference with “[4656](event-4656.md): A handle to an object was requested.” event is that 4663 shows that access right was used instead of just requested and 4663 doesn’t have Failure events. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4663 - 1 - 0 - 12800 - 0 - 0x8020000000000000 - - 273866 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x4367b - Security - File - C:\\Documents\\HBI Data.txt - 0x1bc - %%4417 %%4418 - 0x6 - 0x458 - C:\\Windows\\System32\\notepad.exe - S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000)) - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** - -- 0 - Windows Server 2008, Windows Vista. - -- 1 - Windows Server 2012, Windows 8. - - - Added “Resource Attributes” field. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to access an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to access an object. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Object**: - -- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. - -- **Object Type** \[Type = UnicodeString\]: The type of object that was accessed during the operation. - - The following table contains the list of the most common **Object Types**: - -| Directory | Event | Timer | Device | -|-------------------------|--------------|----------------------|--------------| -| Mutant | Type | File | Token | -| Thread | Section | WindowStation | DebugObject | -| FilterCommunicationPort | EventPair | Driver | IoCompletion | -| Controller | SymbolicLink | WmiGuid | Process | -| Profile | Desktop | KeyedEvent | Adapter | -| Key | WaitablePort | Callback | Semaphore | -| Job | Port | FilterConnectionPort | ALPC Port | - -- **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included. - -- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. 
This field can be used for correlation with other events, for example with **Handle ID** field in “[4656](event-4656.md)(S, F): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”. - -- **Resource Attributes** \[Type = UnicodeString\] \[Version 1\]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed. - - For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000)) - - - Impact\_MS: Resource Property ***ID***. - - - 3000: Recourse Property ***Value***. - -Impact property illustration - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that accessed the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -**Access Request Information:** - -- **Accesses** \[Type = UnicodeString\]: the list of access rights which were used by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary. - -| Access | Hex Value,
                Schema Value | Description | -|----------------------------------------------------------------------------------------|-----------------------------|---------------------| -| ReadData (or ListDirectory)

                (For registry objects, this is “Query key value.”) | 0x1,
                %%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
                **ListDirectory -** For a directory, the right to list the contents of the directory. | -| WriteData (or AddFile)

                (For registry objects, this is “Set key value.”) | 0x2,
                %%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
                **AddFile -** For a directory, the right to create a file in the directory. | -| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
                %%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
                **AddSubdirectory -** For a directory, the right to create a subdirectory.
                **CreatePipeInstance -** For a named pipe, the right to create a pipe. | -| ReadEA
                (For registry objects, this is “Enumerate sub-keys.”) | 0x8,
                %%4419 | The right to read extended file attributes. | -| WriteEA | 0x10,
                %%4420 | The right to write extended file attributes. | -| Execute/Traverse | 0x20,
                %%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
                **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**  [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. | -| DeleteChild | 0x40,
                %%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | -| ReadAttributes | 0x80,
                %%4423 | The right to read file attributes. | -| WriteAttributes | 0x100,
                %%4424 | The right to write file attributes. | -| DELETE | 0x10000,
                %%1537 | The right to delete the object. | -| READ\_CONTROL | 0x20000,
                %%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | -| WRITE\_DAC | 0x40000,
                %%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | -| WRITE\_OWNER | 0x80000,
                %%1540 | The right to change the owner in the object's security descriptor | -| SYNCHRONIZE | 0x100000,
                %%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | -| ACCESS\_SYS\_SEC | 0x1000000,
                %%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | - -> Table 15. File System objects access rights. - -- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table. - -## Security Monitoring Recommendations - -For 4663(S): An attempt was made to access an object. - -For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level. - -For other types of objects, the following recommendations apply. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- If you have critical file system objects for which you need to monitor all access attempts, monitor this event for **Object Name**. - -- If you have critical file system objects for which you need to monitor certain access attempts (for example, write actions), monitor this event for **Object Name** in relation to **Access Request Information\\Accesses**. - -- If you have file system objects with specific attributes, for which you need to monitor access attempts, monitor this event for **Resource Attributes**. - -- If **Object Name** is a sensitive or critical registry key for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4663](event-4663.md) events with the corresponding **Access Request Information\\Accesses**. - - - -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. 
- -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - - - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” - -- For file system objects, we recommend that you monitor for these **Access Request Information\\Accesses** rights: - - - WriteData (or AddFile) - - - AppendData (or AddSubdirectory or CreatePipeInstance) - - - WriteEA - - - DeleteChild - - - WriteAttributes - - - DELETE - - - WRITE\_DAC - - - WRITE\_OWNER \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md deleted file mode 100644 index 79af8c22de..0000000000 --- a/windows/security/threat-protection/auditing/event-4664.md +++ /dev/null @@ -1,110 +0,0 @@ ---- -title: 4664(S) An attempt was made to create a hard link. -description: Describes security event 4664(S) An attempt was made to create a hard link. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4664(S): An attempt was made to create a hard link. - - -Event 4664 illustration - -***Subcategory:*** [Audit File System](audit-file-system.md) - -***Event Description:*** - -This event generates when an NTFS hard link was successfully created. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4664 - 0 - 0 - 12800 - 0 - 0x8020000000000000 - - 276680 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x43659 - C:\\notepad.exe - C:\\Docs\\My.exe - {00000000-0000-0000-0000-000000000000} - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to create the hard link. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to create the hard link. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Link Information:** - -- **File Name** \[Type = UnicodeString\]**:** the name of a file or folder that new hard link refers to. - -- **Link Name** \[Type = UnicodeString\]**:** full path name with new hard link file name. - -- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.” - - This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. - -> **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. - -## Security Monitoring Recommendations - -For 4664(S): An attempt was made to create a hard link. - -- We recommend monitoring for any [4664](event-4664.md) event, because this action is not typical for normal operating system behavior and can be a sign of malicious activity. - diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md deleted file mode 100644 index 45d44238be..0000000000 
--- a/windows/security/threat-protection/auditing/event-4670.md +++ /dev/null @@ -1,273 +0,0 @@ ---- -title: 4670(S) Permissions on an object were changed. -description: Describes security event 4670(S) Permissions on an object were changed. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4670(S): Permissions on an object were changed. - - -Event 4670 illustration - -***Subcategories:*** [Audit File System](audit-file-system.md), [Audit Registry](audit-registry.md), [Audit Authentication Policy Change](audit-authentication-policy-change.md), and [Audit Authorization Policy Change](audit-authorization-policy-change.md) - -***Event Description:*** - -This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object. - -This event does not generate if the [SACL](/windows/win32/secauthz/access-control-lists) (Auditing ACL) was changed. - -Before this event can generate, certain ACEs might need to be set in the object’s [SACL](/windows/win32/secauthz/access-control-lists). For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4670 - 0 - 0 - 13570 - 0 - 0x8020000000000000 - - 269529 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x43659 - Security - File - C:\\Documents\\netcat-1.11 - 0x3f0 - D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA) - D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA) - 0xdb0 - C:\\Windows\\System32\\dllhost.exe - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “change object’s permissions” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change object’s permissions” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Object**: - -- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event. - -- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. - - The following table contains the list of the most common **Object Types**: - -| Directory | Event | Timer | Device | -|-------------------------|--------------|----------------------|--------------| -| Mutant | Type | File | Token | -| Thread | Section | WindowStation | DebugObject | -| FilterCommunicationPort | EventPair | Driver | IoCompletion | -| Controller | SymbolicLink | WmiGuid | Process | -| Profile | Desktop | KeyedEvent | Adapter | -| Key | WaitablePort | Callback | Semaphore | -| Job | Port | FilterConnectionPort | ALPC Port | - -- **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which permissions were changed. For example, for a file, the path would be included. For Token objects, this field typically equals “-“. 
- -- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. - -**Process:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the permissions were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -**Permissions Change:** - -- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the object. - -- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. - -> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. -> -> Example: -> -> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) -> -> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
-> See the list of possible values in the table below: - -| Value | Description | Value | Description | -|-------|--------------------------------------|-------|---------------------------------| -| "AO" | Account operators | "PA" | Group Policy administrators | -| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | -| "AN" | Anonymous logon | "LA" | Local administrator | -| "AU" | Authenticated users | "LG" | Local guest | -| "BA" | Built-in administrators | "LS" | Local service account | -| "BG" | Built-in guests | "SY" | Local system | -| "BO" | Backup operators | "NU" | Network logon user | -| "BU" | Built-in users | "NO" | Network configuration operators | -| "CA" | Certificate server administrators | "NS" | Network service account | -| "CG" | Creator group | "PO" | Printer operators | -| "CO" | Creator owner | "PS" | Personal self | -| "DA" | Domain administrators | "PU" | Power users | -| "DC" | Domain computers | "RS" | RAS servers group | -| "DD" | Domain controllers | "RD" | Terminal server users | -| "DG" | Domain guests | "RE" | Replicator | -| "DU" | Domain users | "RC" | Restricted code | -| "EA" | Enterprise administrators | "SA" | Schema administrators | -| "ED" | Enterprise domain controllers | "SO" | Server operators | -| "WD" | Everyone | "SU" | Service logon user | - -- *G*: = Primary Group. -- *D*: = DACL Entries. -- *S*: = SACL Entries. - -*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) - -Example: D:(A;;FA;;;WD) - -- entry\_type: - -“D” - DACL - -“S” - SACL - -- inheritance\_flags: - -"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. - -"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. - -"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. 
- -- ace\_type: - -"A" - ACCESS ALLOWED - -"D" - ACCESS DENIED - -"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). - -"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). - -"AU" - SYSTEM AUDIT - -"A" - SYSTEM ALARM - -"OU" - OBJECT SYSTEM AUDIT - -"OL" - OBJECT SYSTEM ALARM - -- ace\_flags: - -"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. - -"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. - -"NP" - NO PROPAGATE: only immediate children inherit this ace. - -"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. - -"ID" - ACE IS INHERITED - -"SA" - SUCCESSFUL ACCESS AUDIT - -"FA" - FAILED ACCESS AUDIT -- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. - -| Value | Description | Value | Description | -|----------------------------|---------------------------------|----------------------|--------------------------| -| Generic access rights | Directory service access rights | -| "GA" | GENERIC ALL | "RC" | Read Permissions | -| "GR" | GENERIC READ | "SD" | Delete | -| "GW" | GENERIC WRITE | "WD" | Modify Permissions | -| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | -| File access rights | | "RP" | Read All Properties | -| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | -| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | -| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | -| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | -| Registry key access rights | | "SW" | Self Write | -| "KA" | KEY ALL ACCESS | "LO" | List Object | -| "KR" | KEY READ | "DT" | Delete Subtree | -| "KW" | KEY WRITE | "CR" | All Extended Rights | -| "KX" | KEY EXECUTE | | | - -- object\_guid: N/A -- inherit\_object\_guid: N/A -- account\_sid: SID of 
specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. - -For more information about SDDL syntax, see these articles: , . - -## Security Monitoring Recommendations - -For 4670(S): Permissions on an object were changed. - -For token objects, this is typically an informational event, and at the same time it is difficult to identify which token's permission were changed. For token objects, there are no monitoring recommendations for this event in this document. - -For file system and registry objects, the following recommendations apply. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. - -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - - - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” - -- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.** - -- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers. 
diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md deleted file mode 100644 index f027eb4094..0000000000 --- a/windows/security/threat-protection/auditing/event-4671.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -title: 4671(-) An application attempted to access a blocked ordinal through the TBS. -description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4671(-): An application attempted to access a blocked ordinal through the TBS. - -* -Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. - -***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) - diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md deleted file mode 100644 index d1ea01797e..0000000000 --- a/windows/security/threat-protection/auditing/event-4672.md +++ /dev/null @@ -1,148 +0,0 @@ ---- -title: 4672(S) Special privileges assigned to new logon. -description: Describes security event 4672(S) Special privileges assigned to new logon. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4672(S): Special privileges assigned to new logon. - - -Event 4672 illustration -
                -Subcategory: Audit Special Logon - -***Event Description:*** - -This event generates for new account logons if any of the following sensitive privileges are assigned to the new logon session: - -- SeTcbPrivilege - Act as part of the operating system - -- SeBackupPrivilege - Back up files and directories - -- SeCreateTokenPrivilege - Create a token object - -- SeDebugPrivilege - Debug programs - -- SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for delegation - -- SeAuditPrivilege - Generate security audits - -- SeImpersonatePrivilege - Impersonate a client after authentication - -- SeLoadDriverPrivilege - Load and unload device drivers - -- SeSecurityPrivilege - Manage auditing and security log - -- SeSystemEnvironmentPrivilege - Modify firmware environment values - -- SeAssignPrimaryTokenPrivilege - Replace a process-level token - -- SeRestorePrivilege - Restore files and directories, - -- SeTakeOwnershipPrivilege - Take ownership of files or other objects - -You typically will see many of these events in the event log, because every logon of SYSTEM (Local System) account triggers this event. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4672 - 0 - 0 - 12548 - 0 - 0x8020000000000000 - - 237692 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x671101 - SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account to which special privileges were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account to which special privileges were assigned. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Privileges** \[Type = UnicodeString\]**:** the list of sensitive privileges, assigned to the new logon. The following table contains the list of possible privileges for this event: - -| Privilege Name | User Right Group Policy Name | Description | -|-------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | 
Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
                With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
                With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
                This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
                READ\_CONTROL
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_READ
                FILE\_TRAVERSE | -| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
                With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | -| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
                With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
                The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | -| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
                With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                WRITE\_DAC
                WRITE\_OWNER
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_WRITE
                FILE\_ADD\_FILE
                FILE\_ADD\_SUBDIRECTORY
                DELETE
                With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | -| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
                A user with this privilege can also view and clear the security log. | -| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | -| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
                This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | - -## Security Monitoring Recommendations - -For 4672(S): Special privileges assigned to new logon. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. - -- If you have a list of specific privileges which should never be granted, or granted only to a few accounts (for example, SeDebugPrivilege), use this event to monitor for those “**Privileges**.” - - - -- If you are required to monitor any of the sensitive privileges in the [Event Description for this event](event-4672.md), search for those specific privileges in the event. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md deleted file mode 100644 index 492ddbcfe0..0000000000 --- a/windows/security/threat-protection/auditing/event-4673.md +++ /dev/null 
@@ -1,195 +0,0 @@ ---- -title: 4673(S, F) A privileged service was called. -description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4673(S, F): A privileged service was called. - - -Event 4673 illustration - -***Subcategories:*** [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md) - -***Event Description:*** - -This event generates when an attempt was made to perform privileged system service operations. - -This event generates, for example, when **SeSystemtimePrivilege**, **SeCreateGlobalPrivilege**, or **SeTcbPrivilege** privilege was used. - -Failure event generates when service call attempt fails. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4673 - 0 - 0 - 13056 - 0 - 0x8020000000000000 - - 1099777 - - - Security - DC01.contoso.local - - -- - S-1-5-18 - DC01$ - CONTOSO - 0x3e7 - NT Local Security Authority / Authentication Service - LsaRegisterLogonProcess() - SeTcbPrivilege - 0x1f0 - C:\\Windows\\System32\\lsass.exe - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested privileged operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested privileged operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Service**: - -- **Server** \[Type = UnicodeString\]: contains the name of the Windows subsystem calling the routine. Subsystems examples are: - - - Security - - - Security Account Manager - - - NT Local Security Authority / Authentication Service - - - SC Manager - - - Win32 SystemShutdown module - - - LSA - -- **Service Name** \[Type = UnicodeString\] \[Optional\]: supplies a name of the privileged subsystem service or function. For example, "RESET RUNTIME LOCAL SECURITY" might be specified by a **Local Security Authority** service used to update the local security policy database or **LsaRegisterLogonProcess()** might be specified by a **NT Local Security Authority / Authentication Service** used to register new logon process. - -**Process:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted to call the privileged service. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. 
- - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -**Service Request Information**: - -- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables: - -| **Subcategory of event** | **Privilege Name:
                User Right Group Policy Name** | **Description** | -|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                Create permanent shared objects | Required to create a permanent object.
                This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                Create symbolic links | Required to create a symbolic link. | -| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                Increase scheduling priority | Required to increase the base priority of a process.
                With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                With this privilege, the user can change the maximum memory that can be consumed by a process. | -| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                Lock pages in memory | Required to lock physical pages in memory.
                With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                Add workstations to domain | With this privilege, the user can create a computer account.
                This privilege is valid only on domain controllers. | -| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                Profile single process | Required to gather profiling information for a single process.
                With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                Modify an object label | Required to modify the mandatory integrity level of an object. | -| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                Force shutdown from a remote system | Required to shut down a system using a network request. | -| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                Shut down the system | Required to shut down a local system. | -| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                Profile system performance | Required to gather profiling information for the entire system.
                With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
                If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                Remove computer from docking station | Required to undock a laptop.
                With this privilege, the user can undock a portable computer from its docking station without logging on. | - -| **Subcategory of event** | **Privilege Name:
                User Right Group Policy Name** | **Description** | -|-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| Audit Sensitive Privilege Use | SeAuditPrivilege:
                Generate security audits | With this privilege, the user can add entries to the security log. | -| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| Audit Sensitive Privilege Use | SeDebugPrivilege:
                Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | -| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| Audit Sensitive Privilege Use | SeTcbPrivilege:
                Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | -| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
                Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | - -## Security Monitoring Recommendations - -For 4673(S, F): A privileged service was called. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. See subcategories [Audit Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use) and [Audit Non Sensitive Privilege Use](/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use) for more details. 
- -- If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.” - -- If you need to monitor events related to specific Windows security services or functions (“**Service\\Service Name**”), for example **LsaRegisterLogonProcess()**, monitor this event for the corresponding “**Service\\Service Name**.” - - - -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. - -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - - - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” - -- For a specific “**Subject\\Security ID**,” if there is a defined list of allowed privileges, monitor for “**Privileges**” that it should not be able to use. - -- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.” - -- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.” diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md deleted file mode 100644 index 6f571b60ea..0000000000 --- a/windows/security/threat-protection/auditing/event-4674.md +++ /dev/null 
@@ -1,223 +0,0 @@ ---- -title: 4674(S, F) An operation was attempted on a privileged object. -description: Describes security event 4674(S, F) An operation was attempted on a privileged object. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4674(S, F): An operation was attempted on a privileged object. - - -Event 4674 illustration - -***Subcategories:*** [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md) - -***Event Description:*** - -This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened. - -This event generates, for example, when SeShutdownPrivilege, SeRemoteShutdownPrivilege, or SeSecurityPrivilege is used. - -Failure event generates when operation attempt fails. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4674 - 0 - 0 - 13056 - 0 - 0x8010000000000000 - - 1099680 - - - Security - DC01.contoso.local - - -- - S-1-5-19 - LOCAL SERVICE - NT AUTHORITY - 0x3e5 - LSA - - - - - 0x0 - 16777216 - SeSecurityPrivilege - 0x1f0 - C:\\Windows\\System32\\lsass.exe - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested privileged operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested privileged operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Object**: - -- **Object Server** \[Type = UnicodeString\] \[Optional\]: Contains the name of the Windows subsystem calling the routine. Subsystems examples are: - - - Security - - - Security Account Manager - - - NT Local Security Authority / Authentication Service - - - SC Manager - - - Win32 SystemShutdown module - - - LSA - -- **Object Type** \[Type = UnicodeString\] \[Optional\]: The type of an object that was accessed during the operation. - - The following table contains the list of the most common **Object Types**: - -| Directory | Event | Timer | Device | -|-------------------------|--------------|----------------------|--------------------| -| Mutant | Type | File | Token | -| Thread | Section | WindowStation | DebugObject | -| FilterCommunicationPort | EventPair | Driver | IoCompletion | -| Controller | SymbolicLink | WmiGuid | Process | -| Profile | Desktop | KeyedEvent | SC\_MANAGER OBJECT | -| Key | WaitablePort | Callback | | -| Job | Port | FilterConnectionPort | | -| ALPC Port | Semaphore | Adapter | | - -- **Object Name** \[Type = UnicodeString\] \[Optional\]: the name of the object that was accessed during the operation. 
- -- **Object Handle** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4656: A handle to an object was requested” event in appropriate/other subcategory. This parameter might not be captured in the event, and in that case appears as “0x0”. - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the operation on the privileged object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -**Requested Operation**: - -- **Desired Access** \[Type = UnicodeString\]: The desired access mask. This mask depends on **Object Server** and **Object Type** parameters values. The value of this parameter is in decimal format. There is no detailed information about this parameter in this document. If **Desired Access** is not presented, then this parameter will have “**0**” value. - -- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables: - -| **Subcategory of event** | **Privilege Name:
                User Right Group Policy Name** | **Description** | -|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                Create permanent shared objects | Required to create a permanent object.
                This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                Create symbolic links | Required to create a symbolic link. | -| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                Increase scheduling priority | Required to increase the base priority of a process.
                With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                With this privilege, the user can change the maximum memory that can be consumed by a process. | -| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                Lock pages in memory | Required to lock physical pages in memory.
                With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. | -| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                Profile single process | Required to gather profiling information for a single process.
                With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                Modify an object label | Required to modify the mandatory integrity level of an object. | -| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                Force shutdown from a remote system | Required to shut down a system using a network request. | -| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                Shut down the system | Required to shut down a local system. | -| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                Profile system performance | Required to gather profiling information for the entire system.
                With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                Change the system time | Required to modify the system time.
                With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                Remove computer from docking station | Required to undock a laptop.
                With this privilege, the user can undock a portable computer from its docking station without logging on. | - -| **Subcategory of event** | **Privilege Name:
                User Right Group Policy Name** | **Description** | -|-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
                With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| Audit Sensitive Privilege Use | SeAuditPrivilege:
                Generate security audits | With this privilege, the user can add entries to the security log. | -| Audit Sensitive Privilege Use | SeBackupPrivilege:
                Back up files and directories | - Required to perform backup operations.
                With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
                The following access rights are granted if this privilege is held:
                READ\_CONTROL
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_READ
                FILE\_TRAVERSE | -| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| Audit Sensitive Privilege Use | SeDebugPrivilege:
                Debug programs | Required to debug and adjust the memory of a process owned by another account.
                With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
                This user right provides complete access to sensitive and critical operating system components. | -| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                Load and unload device drivers | Required to load or unload a device driver.
                With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                Lock pages in memory | Required to lock physical pages in memory.
                With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Sensitive Privilege Use | SeRestorePrivilege:
                Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                WRITE\_DAC
                WRITE\_OWNER
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_WRITE
                FILE\_ADD\_FILE
                FILE\_ADD\_SUBDIRECTORY
                DELETE
                With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | -| Audit Sensitive Privilege Use | SeSecurityPrivilege:
                Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | -| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
                Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | - -## Security Monitoring Recommendations - -For 4674(S, F): An operation was attempted on a privileged object. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events. - - - -- If you need to monitor events related to specific Windows subsystems (“**Object Server**”), for example **LSA** or **Security Account Manager**, monitor this event for the corresponding “**Object Server**.” - -- If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.” - -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. - -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). 
- - - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” - - - -- If you know that specific “**Subject\\Security ID**” should only be able to use the privileges in a pre-defined list, monitor for events in which “**Subject\\Security ID**” used “**Privileges**” that are not on that list. - - - -- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.” - -- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.” \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md deleted file mode 100644 index 50f41a4220..0000000000 --- a/windows/security/threat-protection/auditing/event-4675.md +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -title: 4675(S) SIDs were filtered. -description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4675(S): SIDs were filtered. - - -This event generates when SIDs were filtered for specific Active Directory trust. - -See more information about SID filtering here: . - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -There is no example of this event in this document. - -***Subcategory:*** [Audit Logon](audit-logon.md) - -***Event Schema:*** - -*SIDs were filtered.* - -*Target Account:* - -> *Security ID:%1* -> -> *Account Name:%2* -> -> *Account Domain:%3* - -*Trust Information:* - -> *Trust Direction:%4* -> -> *Trust Attributes:%5* -> -> *Trust Type:%6* -> -> *TDO Domain SID:%7* -> -> *Filtered SIDs:%8* - -***Required Server Roles:*** Active Directory domain controller. - -***Minimum OS Version:*** Windows Server 2008. - -***Event Versions:*** 0. 
- -## Security Monitoring Recommendations - -- If you need to monitor all SID filtering events/operations for specific or all Active Directory trusts, you can use this event to get all required information. - diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md deleted file mode 100644 index 3dd248ad3c..0000000000 --- a/windows/security/threat-protection/auditing/event-4688.md +++ /dev/null @@ -1,215 +0,0 @@ ---- -title: 4688(S) A new process has been created. -description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 01/24/2022 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4688(S): A new process has been created. (Windows 10) - - -Event 4688 illustration - -***Subcategory:*** [Audit Process Creation](audit-process-creation.md) - -***Event Description:*** - -This event generates every time a new process starts. - -> [Note] -> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4688 - 2 - 0 - 13312 - 0 - 0x8020000000000000 - - 2814 - - - Security - WIN-GG82ULGC9GO.contoso.local - - -- - S-1-5-18 - WIN-GG82ULGC9GO$ - CONTOSO - 0x3e7 - 0x2bc - C:\\Windows\\System32\\rundll32.exe - %%1938 - 0xe74 - - S-1-5-21-1377283216-344919071-3415362939-1104 - dadmin - CONTOSO - 0x4a5af0 - C:\\Windows\\explorer.exe - S-1-16-8192 - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** - -- 0 - Windows Server 2008, Windows Vista. - -- 1 - Windows Server 2012 R2, Windows 8.1. - - - Added "Process Command Line" field. - -- 2 - Windows 10. - - - **Subject** renamed to **Creator Subject**. - - - Added "**Target Subject**" section. - - - Added "**Mandatory Label**" field. - - - Added "**Creator Process Name**" field. - -***Field Descriptions:*** - -**Creator Subject** \[Value for versions 0 and 1 – **Subject**\]**:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the "create process" operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> [Note] -> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. 
For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the "create process" operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on." - -**Target Subject** \[Version 2\]**:** - -> [Note] -> This event includes the principal of the process creator, but this is not always sufficient if the target context is different from the creator context. In that situation, the subject specified in the process termination event does not match the subject in the process creation event even though both events refer to the same process ID. Therefore, in addition to including the creator of the process, we will also include the target principal when the creator and target do not share the same logon. - -- **Security ID** \[Type = SID\] \[Version 2\]**:** SID of target account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. 
- -> [Note] -> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\] \[Version 2\]**:** the name of the target account. - -- **Account Domain** \[Type = UnicodeString\] \[Version 2\]**:** target account's domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY". - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". - -- **Logon ID** \[Type = HexInt64\] \[Version 2\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on." - -**Process Information:** - -- **New Process ID** \[Type = Pointer\]: hexadecimal Process ID of the new process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. 
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - -> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - -- **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process. - -- **Token Elevation Type** \[Type = UnicodeString\]**:** - - - **%%1936:** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC is disabled by default), service account, or local system account. - - - **%%1937:** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. - - - **%%1938:** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. - -- **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](/windows/win32/secauthz/mandatory-integrity-control) which was assigned to the new process. Can have one of the following values: - -| SID | RID | RID label | Meaning | -|--------------|------------|----------------------------------------------|------------------------| -| S-1-16-0 | 0x00000000 | SECURITY\_MANDATORY\_UNTRUSTED\_RID | Untrusted. | -| S-1-16-4096 | 0x00001000 | SECURITY\_MANDATORY\_LOW\_RID | Low integrity. 
| -| S-1-16-8192 | 0x00002000 | SECURITY\_MANDATORY\_MEDIUM\_RID | Medium integrity. | -| S-1-16-8448 | 0x00002100 | SECURITY\_MANDATORY\_MEDIUM\_PLUS\_RID | Medium high integrity. | -| S-1-16-12288 | 0X00003000 | SECURITY\_MANDATORY\_HIGH\_RID | High integrity. | -| S-1-16-16384 | 0x00004000 | SECURITY\_MANDATORY\_SYSTEM\_RID | System integrity. | -| S-1-16-20480 | 0x00005000 | SECURITY\_MANDATORY\_PROTECTED\_PROCESS\_RID | Protected process. | - -- **Creator Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the process which ran the new process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - -> You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**. - -- **Creator Process Name** \[Version 2\] \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - -- **Process Command Line** \[Version 1, 2\] \[Type = UnicodeString\]**:** contains the name of executable and arguments which were passed to it. You must enable "Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events" group policy to include command line in process creation events: - - Group policy illustration - - By default **Process Command Line** field is empty. - -## Security Monitoring Recommendations - -For 4688(S): A new process has been created. 
- -| **Type of monitoring required** | **Recommendation** | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used. | -| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an "allowlist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allowlist. | -| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. 
| -| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts. | -| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** for names that don't comply with naming conventions. | - -- If you have a pre-defined "**New** **Process Name**" or **"Creator Process Name**" for the process reported in this event, monitor all events with "**New** **Process Name**" or **"Creator Process Name**" not equal to your defined value. - -- You can monitor to see if "**New** **Process Name**" or **"Creator Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - -- If you have a pre-defined list of restricted substrings or words in process names (for example "**mimikatz**" or "**cain.exe**"), check for these substrings in "**New** **Process Name**" or **"Creator Process Name**." - -- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. 
- -- Monitor for **Token Elevation Type** with value **%%1936** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. - -- Monitor for **Token Elevation Type** with value **%%1937** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. This means that a user ran a program using administrative privileges. - -- You can also monitor for **Token Elevation Type** with value **%%1937** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. - -- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the "**Mandatory Label**" in this event. diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md deleted file mode 100644 index fdda28bf9a..0000000000 --- a/windows/security/threat-protection/auditing/event-4689.md +++ /dev/null @@ -1,120 +0,0 @@ ---- -title: 4689(S) A process has exited. -description: Describes security event 4689(S) A process has exited. This event is generates when a process exits. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4689(S): A process has exited. - - -Event 4689 illustration - -***Subcategory:*** [Audit Process Termination](audit-process-termination.md) - -***Event Description:*** - -This event generates every time a process has exited. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4689 - 0 - 0 - 13313 - 0 - 0x8020000000000000 - - 187030 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x31365 - 0x0 - 0xfb0 - C:\\Windows\\System32\\notepad.exe - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “terminate process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “terminate process” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the ended/terminated process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md)(S): A new process has been created” **New Process ID** on this computer. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the executable name of the exited/terminated process. - -- **Exit Status** \[Type = HexInt32\]**:** hexadecimal exit code of exited/terminated process. This exit code is unique for every application, check application documentation for more details. The exit code value for a process reflects the specific convention implemented by the application developer for that process. - -## Security Monitoring Recommendations - -For 4689(S): A process has exited. 
- -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. - -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” - -- If you have a critical processes list for the computer, with the requirement that these processes must always run and not stop, you can monitor **Process Name** field in [4689](event-4689.md) events for these process names. - diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md deleted file mode 100644 index 7bb3a0ee1c..0000000000 --- a/windows/security/threat-protection/auditing/event-4690.md +++ /dev/null 
@@ -1,119 +0,0 @@ ---- -title: 4690(S) An attempt was made to duplicate a handle to an object. -description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4690(S): An attempt was made to duplicate a handle to an object. - - -Event 4690 illustration - -***Subcategory:*** [Audit Handle Manipulation](audit-handle-manipulation.md) - -***Event Description:*** - -This event generates if an attempt was made to duplicate a handle to an object. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4690 - 0 - 0 - 12807 - 0 - 0x8020000000000000 - - 338632 - - - Security - DC01.contoso.local - - -- - S-1-5-18 - DC01$ - CONTOSO - 0x3e7 - 0x438 - 0x674 - 0xd9c - 0x4 - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to duplicate a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to duplicate a handle to an object. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Source Handle Information:** - -- **Source Handle ID** \[Type = Pointer\]: hexadecimal value of a handle which was duplicated. This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories. - -- **Source Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Source Handle ID** before it was duplicated. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. 
- -**New Handle Information:** - -- **Target Handle ID** \[Type = Pointer\]: hexadecimal value of the new handle (the copy of **Source Handle ID**). This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories. - -- **Target Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Target Handle ID**. Process ID (PID) is a number used by the operating system to uniquely identify an active process. You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field. - -## Security Monitoring Recommendations - -For 4690(S): An attempt was made to duplicate a handle to an object. - -- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it. - -- This event can be used to track all actions or operations related to a specific object handle. - diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md deleted file mode 100644 index 3d757a2f5d..0000000000 --- a/windows/security/threat-protection/auditing/event-4691.md +++ /dev/null 
@@ -1,135 +0,0 @@ ---- -title: 4691(S) Indirect access to an object was requested. -description: Describes security event 4691(S) Indirect access to an object was requested. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4691(S): Indirect access to an object was requested. - - -Event 4691 illustration - -***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) - -***Event Description:*** - -This event indicates that indirect access to an object was requested. - -These events are generated for [ALPC Ports](/windows/win32/etw/alpc) access request actions. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4691 - 0 - 0 - 12804 - 0 - 0x8020000000000000 - - 344382 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x36509 - ALPC Port - \\Sessions\\2\\Windows\\DwmApiPort - %%4464 - 0x1 - 0xe60 - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested an access to the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested an access to the object. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Object**: - -- **Object Type** \[Type = UnicodeString\]: The type of an object for which access was requested. - - The following table contains the list of the most common **Object Types**: - -| Directory | Event | Timer | Device | -|-------------------------|--------------|----------------------|--------------| -| Mutant | Type | File | Token | -| Thread | Section | WindowStation | DebugObject | -| FilterCommunicationPort | EventPair | Driver | IoCompletion | -| Controller | SymbolicLink | WmiGuid | Process | -| Profile | Desktop | KeyedEvent | Adapter | -| Key | WaitablePort | Callback | Semaphore | -| Job | Port | FilterConnectionPort | ALPC Port | - -- **Object Name** \[Type = UnicodeString\]: full path and name of the object for which access was requested. - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. 
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -**Access Request Information:** - -- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use or other informational resources. - -- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about ALPC ports access rights, use or other informational resources. - -## Security Monitoring Recommendations - -For 4691(S): Indirect access to an object was requested. - -- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports. diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md deleted file mode 100644 index bd3ed5f273..0000000000 --- a/windows/security/threat-protection/auditing/event-4692.md +++ /dev/null 
@@ -1,126 +0,0 @@ ---- -title: 4692(S, F) Backup of data protection master key was attempted. -description: Describes security event 4692(S, F) Backup of data protection master key was attempted. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4692(S, F): Backup of data protection master key was attempted. - - -Event 4692 illustration - -***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md) - -***Event Description:*** - -This event generates every time that a backup is attempted for the [DPAPI](/previous-versions/ms995355(v=msdn.10)) Master Key. - -When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password. - -Periodically, a domain-joined machine tries to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case their password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key. - -This event also generates every time a new DPAPI Master Key is generated, for example. - -This event generates on domain controllers, member servers, and workstations. - -Failure event generates when a Master Key backup operation fails for some reason. 
- -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4692 - 0 - 0 - 13314 - 0 - 0x8020000000000000 - - 176964 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-500 - ladmin - CONTOSO - 0x30c08 - 16cfaea0-dbe3-4d92-9523-d494edb546bc - - 806a0350-aeb1-4c56-91f9-ef16cf759291 - 0x0 - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested backup operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested backup operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Here are some examples of formats: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Key Information:** - -- **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID. - -- **Recovery Server** \[Type = UnicodeString\]: the name (typically – DNS name) of the computer that you contacted to back up your Master Key. For domain joined machines, it’s typically a name of a domain controller. This parameter might not be captured in the event, and in that case will be empty. - -- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field, you will see unique Recovery key ID that was used for Master key backup operation. - - For Failure events, this field is typically empty. 
- -**Status Information:** - -- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events, this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A: - -> \[Net helpmsg 58 illustration](..images/net-helpmsg-58.png) - -## Security Monitoring Recommendations - -For 4692(S, F): Backup of data protection master key was attempted. - -- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md deleted file mode 100644 index 68957da33e..0000000000 --- a/windows/security/threat-protection/auditing/event-4693.md +++ /dev/null 
@@ -1,127 +0,0 @@ ---- -title: 4693(S, F) Recovery of data protection master key was attempted. -description: Describes security event 4693(S, F) Recovery of data protection master key was attempted. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4693(S, F): Recovery of data protection master key was attempted. - - -Event 4693 illustration - -***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md) - -***Event Description:*** - -This event generates every time that recovery is attempted for a [DPAPI](/previous-versions/ms995355(v=msdn.10)) Master Key. - -While unprotecting data, if DPAPI can't use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key. - -This event generates on domain controllers, member servers, and workstations. - -Failure event generates when a Master Key restore operation fails for some reason. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4693 - 0 - 0 - 13314 - 0 - 0x8020000000000000 - - 175809 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x30d7c - 0445c766-75f0-4de7-82ad-d9d97aad59f6 - 0x5c005c - DC01.contoso.local - - 0x380000 - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “recover” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “recover” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Key Information:** - -- **Key Identifier** \[Type = UnicodeString\]**:** unique identifier of a master key which was recovered. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID. - -- **Recovery Server** \[Type = UnicodeString\]: the name (typically – DNS name) of the computer that you contacted to recover your Master Key. For domain joined machines, it’s typically a name of a domain controller. - -> **Note**  In this event Recovery Server field contains information from Recovery Reason field. - -- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field you'll see unique Recovery key ID which was used for Master key recovery operation. 
This parameter might not be captured in the event, and in that case will be empty. - -- **Recovery Reason** \[Type = HexInt32\]: hexadecimal code of recovery reason. - -> **Note**  In this event Recovery Reason field contains information from Recovery Server field. - -**Status Information:** - -- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code. For Success events this field is typically “**0x380000**”. - -## Security Monitoring Recommendations - -For 4693(S, F): Recovery of data protection master key was attempted. - -- This event is typically an informational event and it's difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting. - -- For domain joined computers, **Recovery Reason** should typically be a domain controller DNS name. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md deleted file mode 100644 index e26a1ff60f..0000000000 --- a/windows/security/threat-protection/auditing/event-4694.md +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -title: 4694(S, F) Protection of auditable protected data was attempted. -description: Describes security event 4694(S, F) Protection of auditable protected data was attempted. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4694(S, F): Protection of auditable protected data was attempted. - - -This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10))  [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. - -There is no example of this event in this document. - -***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md) - -***Event Schema:*** - -*Protection of auditable protected data was attempted.* - -*Subject:* - -> *Security ID:%1* -> -> *Account Name:%2* -> -> *Account Domain:%3* -> -> *Logon ID:%4* - -*Protected Data:* - -> *Data Description:%6* -> -> *Key Identifier:%5* -> -> *Protected Data Flags:%7* -> -> *Protection Algorithms:%8* - -*Status Information:* - -> *Status Code:%9* - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -## Security Monitoring Recommendations - -- There is no recommendation for this event in this document. - -- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md deleted file mode 100644 index a19d09bf9b..0000000000 --- a/windows/security/threat-protection/auditing/event-4695.md +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -title: 4695(S, F) Unprotection of auditable protected data was attempted. -description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4695(S, F): Unprotection of auditable protected data was attempted. - - -This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [CryptUnprotectData](/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. - -There is no example of this event in this document. - -***Subcategory:*** [Audit DPAPI Activity](audit-dpapi-activity.md) - -***Event Schema:*** - -*Unprotection of auditable protected data was attempted.* - -*Subject:* - -> *Security ID:%1* -> -> *Account Name:%2* -> -> *Account Domain:%3* -> -> *Logon ID:%4* - -*Protected Data:* - -> *Data Description:%6* -> -> *Key Identifier:%5* -> -> *Protected Data Flags:%7* -> -> *Protection Algorithms:%8* - -*Status Information:* - -> *Status Code:%9* - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -## Security Monitoring Recommendations - -- There is no recommendation for this event in this document. - -- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md deleted file mode 100644 index 570606c8de..0000000000 
--- a/windows/security/threat-protection/auditing/event-4696.md +++ /dev/null @@ -1,164 +0,0 @@ ---- -title: 4696(S) A primary token was assigned to process. -description: Describes security event 4696(S) A primary token was assigned to process. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4696(S): A primary token was assigned to process. - - -Event 4696 illustration - -***Subcategory:*** [Audit Process Creation](audit-process-creation.md) - -***Event Description:*** - -This event generates every time a process runs using the non-current access token, for example, UAC elevated token, RUN AS different user actions, scheduled task with defined user, services, and so on. - -***IMPORTANT*:** this event is deprecated starting from Windows 7 and Windows 2008 R2. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4696 - 0 - 0 - 13312 - 0 - 0x8020000000000000 - - 561 - - - Security - Win2008.contoso.local - - -- - S-1-5-18 - WIN2008$ - CONTOSO - 0x3e7 - S-1-5-18 - dadmin - CONTOSO - 0x1c8c5 - 0xf40 - C:\\Windows\\System32\\WerFault.exe - 0x698 - C:\\Windows\\System32\\svchost.exe - - - -``` - -***Required Server Roles:*** this event is deprecated starting from Windows 7 and Windows 2008 R2. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “assign token to process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “assign token to process” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which started the new process with the new security token. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Process Name** \[Type = UnicodeString\]: full path and the name of the executable for the process which ran the new process with new security token. - -**Target Process:** - -- **Target Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the new process with new security token. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. 
- -> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Target Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process. - -**New Token Information:** - -- **Security ID** \[Type = SID\]**:** SID of account through which the security token will be assigned to the new process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account through which the security token will be assigned to the new process. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -## Security Monitoring Recommendations - -For 4696(S): A primary token was assigned to process. - -| **Type of monitoring required** | **Recommendation** | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allowlist. | -| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. 
| -| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. | -| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Subject\\Security ID”** or **“New Token Information\\Security ID”** for names that don’t comply with naming conventions. | - -- If you have a pre-defined “**Process Name**” or “**Target Process Name**” for the process reported in this event, monitor all events with “**Process Name**” or “**Target Process Name**” not equal to your defined value. - -- You can monitor to see if “**Process Name**” or “**Target Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**” or “**Target Process Name**”. - -- It can be uncommon if process runs using local account. - diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md deleted file mode 100644 index 01e5df45ef..0000000000 --- a/windows/security/threat-protection/auditing/event-4697.md +++ /dev/null 
@@ -1,156 +0,0 @@ ---- -title: 4697(S) A service was installed in the system. -description: Describes security event 4697(S) A service was installed in the system. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4697(S): A service was installed in the system. - - -Event 4697 illustration - -***Subcategory:*** [Audit Security System Extension](audit-security-system-extension.md) - -***Event Description:*** - -This event generates when new service was installed in the system. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4697 - 0 - 0 - 12289 - 0 - 0x8020000000000000 - - 2778 - - - Security - WIN-GG82ULGC9GO.contoso.local - - -- - S-1-5-18 - WIN-GG82ULGC9GO$ - CONTOSO - 0x3e7 - AppHostSvc - %windir%\\system32\\svchost.exe -k apphost - 0x20 - 2 - localSystem - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2016, Windows 10. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that was used to install the service. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was used to install the service. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Service Information:** - -- **Service Name** \[Type = UnicodeString\]: the name of installed service. - -BrancheCache Properties illustration - -- **Service File Name** \[Type = UnicodeString\]: This is the fully rooted path to the file that the Service Control Manager will execute to start the service. If command-line parameters are specified as part of the image path, those are logged. - - Note that this is the path to the file when the service is created. If the path is changed afterwards, the change is not logged. This would have to be tracked via Process Create events. - -- **Service Type** \[Type = HexInt32\]: Indicates the [type](/dotnet/api/system.serviceprocess.servicetype?cs-lang=csharp&cs-save-lang=1#code-snippet-1) of service that was registered with the Service Control Manager. It can be one of the following: - -| Value | Service Type | Description | -|-------|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x1 | ​Kernel Driver | ​A Kernel device driver such as a hard disk or other low-level hardware device driver. 
| -| 0x2 | ​File System Driver | ​A file system driver, which is also a Kernel device driver. | -| 0x8 | ​Recognizer Driver | ​A file system driver used during startup to determine the file systems present on the system. | -| 0x10 | ​Win32 Own Process | ​A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself (this is the most common). | -| 0x20 | ​Win32 Share Process | ​A Win32 service that can share a process with other Win32 services.
                (see: | -| 0x110 | ​Interactive Own Process | ​A service that should be run as a standalone process and can communicate with the desktop.
                (see: ) | -| 0x120 | Interactive Share Process | A service that can share address space with other services of the same type and can communicate with the desktop. | - -- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: : - -| Value | Service Type | Description | -|-------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | ​ Boot | ​A device driver started by the system loader. This value is valid only for driver services. | -| 1 | ​ System | ​A device driver started by the IoInitSystem() function. This value is valid only for driver services. | -| 2 | ​ Automatic | ​A service started automatically by the service control manager during system startup. | -| 2 | ​ Automatic Delayed | ​A service started after all auto-start services have started, plus a delay. Delayed Auto Start services are started one at a time in a serial fashion. | -| 3 | ​ Manual | ​Manual start. A service started by the service control manager when a process calls the StartService function. | -| 4 | ​ Disabled | ​A service that cannot be started. Attempts to start the service result in the error code ERROR\_SERVICE\_DISABLED. | - -Most services installed are configured to **Auto Load**, so that they start automatically after Services.exe process is started. - -- **Service Account** \[Type = UnicodeString\]: The security context that the service will run as when started. Note that this is what was configured when the service was installed, if the account is changed later that is not logged. - - The service account parameter is only populated if the service type is a "Win32 Own Process" or "Win32 Share Process" (displayed as "User Mode Service."). Kernel drivers do not have a service account name logged. 
- - If a service (Win32 Own/Share process) is installed but no account is supplied, then LocalSystem is used. - - The token performing the logon is inspected, and if it has a SID then that SID value is populated in the event (in the System/Security node), if not, then it is blank. - -## Security Monitoring Recommendations - -For 4697(S): A service was installed in the system. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- We recommend monitoring for this event, especially on high value assets or computers, because a new service installation should be planned and expected. Unexpected service installation should trigger an alert. - -- Monitor for all events where **“Service File Name”** is not located in **%windir%** or **“Program Files/Program Files (x86)”** folders. Typically new services are located in these folders. - - - -- Report all “**Service Type**” equals “**0x1**”, “**0x2**” or “**0x8**”. These service types start first and have almost unlimited access to the operating system from the beginning of operating system startup. These types are very rarely installed. - -- Report all “**Service Start Type**” equals “**0**” or “**1**”. These service start types are used by drivers, which have unlimited access to the operating system. - -- Report all “**Service Start Type**” equals “**4**”. It is not common to install a new service in the **Disabled** state. - -- Report all “**Service Account**” not equals “**localSystem**”, “**localService**” or “**networkService**” to identify services which are running under a user account. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md deleted file mode 100644 index e270f187af..0000000000 --- a/windows/security/threat-protection/auditing/event-4698.md +++ /dev/null 
@@ -1,121 +0,0 @@ ---- -title: 4698(S) A scheduled task was created. -description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4698(S): A scheduled task was created. - - -Event 4698 illustration - -***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) - -***Event Description:*** - -This event generates every time a new scheduled task is created. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4698 - 0 - 0 - 12804 - 0 - 0x8020000000000000 - - 344740 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x364eb - \\Microsoft\\StartListener - 2015-09-22T19:03:06.9258653 CONTOSO\\dadmin LeastPrivilege CONTOSO\\dadmin InteractiveToken IgnoreNew true true true false false true false true true false false false P3D 7 C:\\Documents\\listener.exe - - - -``` ->[!NOTE] -> Windows 10 Versions 1903 and above augments the event with these additional properties: -> Event Version 1. -> ***Event XML:*** ->``` -> 5066549580796854 -> 3932 -> 5304 -> 0 -> DESKTOP-Name - - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “create scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create scheduled task” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Task Information**: - -- **Task Name** \[Type = UnicodeString\]**:** new scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node: - -Task Scheduler Library illustration - -- **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) content of the new task. For more information about the XML format for scheduled tasks, see “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f).” - -## Security Monitoring Recommendations - -For 4698(S): A scheduled task was created. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- We recommend monitoring all scheduled task creation events, especially on critical computers or devices. 
Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions. - -- Monitor for new tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. - -- In the new task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md deleted file mode 100644 index ea206aba73..0000000000 --- a/windows/security/threat-protection/auditing/event-4699.md +++ /dev/null @@ -1,121 +0,0 @@ ---- -title: 4699(S) A scheduled task was deleted. -description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4699(S): A scheduled task was deleted. - - -Event 4699 illustration - -***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) - -***Event Description:*** - -This event generates every time a scheduled task was deleted. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4699 - 0 - 0 - 12804 - 0 - 0x8020000000000000 - - 344827 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x364eb - \\Microsoft\\My - 2015-08-25T13:56:10.5315552 CONTOSO\\dadmin LeastPrivilege CONTOSO\\dadmin Password IgnoreNew false true false false false true false true true false false false PT0S 7 C:\\Windows\\notepad.exe - - - -``` ->[!NOTE] -> Windows 10 Versions 1903 and above augments the event with these additional properties: -> Event Version 1. -> ***Event XML:*** ->``` -> 5066549580796854 -> 3932 -> 5304 -> 0 -> DESKTOP-Name - - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete scheduled task” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Task Information**: - -- **Task Name** \[Type = UnicodeString\]**:** deleted scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node: - -Task Scheduler Library illustration - -- **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) of the deleted task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks. - -## Security Monitoring Recommendations - -For 4699(S): A scheduled task was deleted. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). - -- We recommend monitoring all scheduled task deletion events, especially on critical computers or devices. 
Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions. However, this event does not often happen. - -- Monitor for deleted tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. Deletion of such tasks can be a sign of malicious activity. - -- If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for [4699](event-4699.md) events with the corresponding **Task Name**. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md deleted file mode 100644 index aae8e027d4..0000000000 --- a/windows/security/threat-protection/auditing/event-4700.md +++ /dev/null @@ -1,117 +0,0 @@ ---- -title: 4700(S) A scheduled task was enabled. -description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4700(S): A scheduled task was enabled. - - -Event 4700 illustration - -***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) - -***Event Description:*** - -This event generates every time a scheduled task is enabled. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4700 - 0 - 0 - 12804 - 0 - 0x8020000000000000 - - 344861 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x364eb - \\Microsoft\\StartListener - 2015-09-22T19:03:06.9258653 CONTOSO\\dadmin LeastPrivilege CONTOSO\\dadmin InteractiveToken IgnoreNew true true true false false true false true true false false false P3D 7 C:\\Documents\\listener.exe - - - -``` ->[!NOTE] -> Windows 10 Versions 1903 and above augments the event with these additional properties: -> Event Version 1. -> ***Event XML:*** ->``` -> 5066549580796854 -> 3932 -> 5304 -> 0 -> DESKTOP-Name - - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable scheduled task” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Task Information**: - -- **Task Name** \[Type = UnicodeString\]**:** enabled scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node: - -Task Scheduler Library illustration - -- **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) of the enabled task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks. - -## Security Monitoring Recommendations - -For 4700(S): A scheduled task was enabled. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). 
- -- If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled, monitor for [4700](event-4700.md) events with the corresponding **Task Name**. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md deleted file mode 100644 index f47c7a3379..0000000000 --- a/windows/security/threat-protection/auditing/event-4701.md +++ /dev/null @@ -1,117 +0,0 @@ ---- -title: 4701(S) A scheduled task was disabled. -description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4701(S): A scheduled task was disabled. - - -Event 4701 illustration - -***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) - -***Event Description:*** - -This event generates every time a scheduled task is disabled. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4701 - 0 - 0 - 12804 - 0 - 0x8020000000000000 - - 344860 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x364eb - \\Microsoft\\StartListener - 2015-09-22T19:03:06.9258653 CONTOSO\\dadmin LeastPrivilege CONTOSO\\dadmin InteractiveToken IgnoreNew true true true false false true false true false false false false P3D 7 C:\\Documents\\listener.exe - - - -``` ->[!NOTE] -> Windows 10 Versions 1903 and above augments the event with these additional properties: -> Event Version 1. -> ***Event XML:*** ->``` -> 5066549580796854 -> 3932 -> 5304 -> 0 -> DESKTOP-Name - - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable scheduled task” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Task Information**: - -- **Task Name** \[Type = UnicodeString\]**:** disabled scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node: - -Task Scheduler Library illustration - -- **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) of the disabled task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks. - -## Security Monitoring Recommendations - -For 4701(S): A scheduled task was disabled. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). 
- -- If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for [4701](event-4701.md) events with the corresponding **Task Name**. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md deleted file mode 100644 index 4bb86d53b2..0000000000 --- a/windows/security/threat-protection/auditing/event-4702.md +++ /dev/null @@ -1,119 +0,0 @@ ---- -title: 4702(S) A scheduled task was updated. -description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4702(S): A scheduled task was updated. - - -Event 4702 illustration - -***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md) - -***Event Description:*** - -This event generates every time scheduled task was updated/changed. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4702 - 0 - 0 - 12804 - 0 - 0x8020000000000000 - - 344863 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x364eb - \\Microsoft\\StartListener - 2015-09-22T19:03:06.9258653 CONTOSO\\dadmin HighestAvailable CONTOSO\\dadmin InteractiveToken IgnoreNew true true true false false true false true true false false false P3D 7 C:\\Documents\\listener.exe - - - -``` ->[!NOTE] -> Windows 10 Versions 1903 and above augments the event with these additional properties: -> Event Version 1. -> ***Event XML:*** ->``` -> 5066549580796854 -> 3932 -> 5304 -> 0 -> DESKTOP-Name - - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “change/update scheduled task” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change/update scheduled task” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Task Information**: - -- **Task Name** \[Type = UnicodeString\]**:** updated/changed scheduled task name. The format of this value is “\\task\_path\\task\_name”, where task\_path is a path in Microsoft **Task Scheduler** tree starting from “**Task Scheduler Library**” node: - -Task Scheduler Library illustration - -- **Task New Content** \[Type = UnicodeString\]: the new [XML](/previous-versions/aa286548(v=msdn.10)) for the updated task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks. - -## Security Monitoring Recommendations - -For 4702(S): A scheduled task was updated. - -> **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). 
- -- Monitor for updated scheduled tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. - -- In the updated scheduled task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md deleted file mode 100644 index 0abe8a8e60..0000000000 --- a/windows/security/threat-protection/auditing/event-4703.md +++ /dev/null 
@@ -1,198 +0,0 @@
----
-title: 4703(S) A user right was adjusted.
-description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4703(S): A user right was adjusted.
-
-
-Event 4703 illustration
-
-***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
-
-***Event Description:***
-
-This event generates when [token privileges](/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--) were enabled or disabled for a specific account’s token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
-
-> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-Token privileges provide the ability to take certain system-level actions that you only need to do at particular moments. For example, anybody can restart a computer, but the operating system doesn’t enable that privilege by default. Instead, the privilege is enabled when you click **Shutdown**.
You can check the current state of the user’s token privileges using the **whoami /priv** command: - -Whoami privilege list illustration - -
                - -***Event XML:*** -``` -- -- - - 4703 - 0 - 0 - 13570 - 0 - 0x8020000000000000 - - 5245 - - - Security - WIN-GG82ULGC9GO.contoso.local - - -- - S-1-5-18 - WIN-GG82ULGC9GO$ - CONTOSO - 0x3e7 - S-1-5-18 - WIN-GG82ULGC9GO$ - CONTOSO - 0x3e7 - C:\\Windows\\System32\\svchost.exe - 0x270 - SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege - - - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2016, Windows 10. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “enable” or “disable” operation for **Target Account** privileges. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). 
- -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “enable” or “disable” operation for **Target Account** privileges. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Target Account:** - -- **Security ID** \[Type = SID\]**:** SID of account for which privileges were enabled or disabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. 
For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which privileges were enabled or disabled. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Process Information:** - -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that enabled or disabled token privileges. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - - Task manager illustration - - If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. - - You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**. - -- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process. - - - -- **Enabled Privileges** \[Type = UnicodeString\]**:** the list of enabled user rights. 
This event generates only for *user* rights, not logon rights. Here is the list of possible user rights: - -| Privilege Name | User Right Group Policy Name | Description | -|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
                With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
                With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
                This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
                READ\_CONTROL
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_READ
                FILE\_TRAVERSE | -| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
                This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | -| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
                With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | -| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
                With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
                The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | -| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
                With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                With this privilege, the user can change the maximum memory that can be consumed by a process. | -| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
                With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
                With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
                This privilege is valid only on domain controllers. | -| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
                With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. | -| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. | -| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                WRITE\_DAC
                WRITE\_OWNER
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_WRITE
                FILE\_ADD\_FILE
                FILE\_ADD\_SUBDIRECTORY
                DELETE
                With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | -| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
                A user with this privilege can also view and clear the security log. | -| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. | -| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
                With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
                With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | -| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
                This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | -| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
                With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. | - -**Disabled Privileges** \[Type = UnicodeString\]**:** the list of disabled user rights. See possible values in the table above. - -## Security Monitoring Recommendations - -For 4703(S): A user right was adjusted. - -As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703. - -Otherwise, see the recommendations in the following table. 
- -| **Type of monitoring required** | **Recommendation** | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. | -| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. | -| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. 
| -| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | -| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
                Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. | -| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the **“Enabled Privileges”** to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
                For example, you might have **SeDebugPrivilege** on a list of user rights to be restricted. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
deleted file mode 100644
index 9d80b0b5ba..0000000000
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-title: 4704(S) A user right was assigned.
-description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4704(S): A user right was assigned.
-
-
-Event 4704 illustration
-
-***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md)
-
-***Event Description:***
-
-This event generates every time local user right policy is changed and user right was assigned to an account.
-
-You will see unique event for every user.
-
-> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-
                - -***Event XML:*** -``` -- -- - - 4704 - 0 - 0 - 13570 - 0 - 0x8020000000000000 - - 1049866 - - - Security - DC01.contoso.local - - -- - S-1-5-18 - DC01$ - CONTOSO - 0x3e7 - S-1-5-21-3457937927-2839227994-823803824-1104 - SeAuditPrivilege SeIncreaseWorkingSetPrivilege - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that made a change to local user right policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local user right policy. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Target Account:** - -- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -**New Right:** - -- **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. 
Here is the list of possible user rights: - -| Privilege Name | User Right Group Policy Name | Description | -|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
                With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
                With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
                This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
                READ\_CONTROL
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_READ
                FILE\_TRAVERSE | -| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
                This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. | -| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
-| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
                With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
-| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
                With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
                The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
-| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
-| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
                With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
-| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                With this privilege, the user can change the maximum memory that can be consumed by a process. |
-| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
-| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
                With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
                With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
                This privilege is valid only on domain controllers. |
-| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
-| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
                With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
-| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. |
-| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. |
-| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                WRITE\_DAC
                WRITE\_OWNER
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_WRITE
                FILE\_ADD\_FILE
                FILE\_ADD\_SUBDIRECTORY
                DELETE
                With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
                A user with this privilege can also view and clear the security log. |
-| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. |
-| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
-| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
-| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
                With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
-| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
                With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
-| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
-| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
                This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
-| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
-| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
-| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
                With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. | - - -## Security Monitoring Recommendations - -For 4704(S): A user right was assigned. - -| **Type of monitoring required** | **Recommendation** | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. | -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | -| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | -| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. | -| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. | -| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | -| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). 
| Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
                Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. |
-| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the “**New Right\\User Right**” to your list of user rights, to see whether the right should be assigned to **“Target Account\\Account Name**.” Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
                For example, your list of restricted rights might say that only administrative accounts should have **SeAuditPrivilege**. As another example, your list might say that no accounts should have **SeTcbPrivilege** or **SeDebugPrivilege**. | -| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md deleted file mode 100644 index aa5fedab07..0000000000 --- a/windows/security/threat-protection/auditing/event-4705.md +++ /dev/null @@ -1,155 +0,0 @@ ---- -title: 4705(S) A user right was removed. -description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4705(S): A user right was removed. - - -Event 4705 illustration - -***Subcategory:*** [Audit Authorization Policy Change](audit-authorization-policy-change.md) - -***Event Description:*** - -This event generates every time local user right policy is changed and user right was removed from an account. - -You will see unique event for every user. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4705 - 0 - 0 - 13570 - 0 - 0x8020000000000000 - - 1049867 - - - Security - DC01.contoso.local - - -- - S-1-5-18 - DC01$ - CONTOSO - 0x3e7 - S-1-5-21-3457937927-2839227994-823803824-1104 - SeTimeZonePrivilege - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that made a change to local user right policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to local user right policy. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Target Account:** - -- **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -**Removed Right:** - -- **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. 
Here is the list of possible user rights: - -| Privilege Name | User Right Group Policy Name | Description | -|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
                With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
-| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
-| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
                With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
                This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
                READ\_CONTROL
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_READ
                FILE\_TRAVERSE |
-| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
-| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
-| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
-| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object.
                This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
-| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. |
-| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
-| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
                With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
-| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
                With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
                The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
-| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
-| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.
                With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
-| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                With this privilege, the user can change the maximum memory that can be consumed by a process. |
-| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
-| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
                With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
-| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory.
                With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
-| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.
                This privilege is valid only on domain controllers. |
-| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
-| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process.
                With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
-| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. |
-| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. |
-| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                WRITE\_DAC
                WRITE\_OWNER
                ACCESS\_SYSTEM\_SECURITY
                FILE\_GENERIC\_WRITE
                FILE\_ADD\_FILE
                FILE\_ADD\_SUBDIRECTORY
                DELETE
                With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
-| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
                A user with this privilege can also view and clear the security log. |
-| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. |
-| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
-| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
-| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system.
                With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
-| SeSystemtimePrivilege | Change the system time | Required to modify the system time.
                With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
-| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
-| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.
                This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
-| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
-| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
-| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
                With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. | - -## Security Monitoring Recommendations - -For 4705(S): A user right was removed. - -| **Type of monitoring required** | **Recommendation** | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Actions typically performed by the SYSTEM account**: This event and certain other events should be monitored to see if they are triggered by any account other than SYSTEM. | Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM. | -| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
                Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. |
-| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to an “allowlist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allowlist.
                If you have specific user rights policies, for example, an allowlist of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.
                For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.
                As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. | -| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | -| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).
                For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. | -| **User rights that should be restricted**: You might have a list of user rights that you want to monitor. | Monitor this event and compare the **“Removed Right”** to your list of restricted rights.
                Monitor this event to discover the removal of a right that should never have been granted (for example, SeTcbPrivilege), so that you can investigate further. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
deleted file mode 100644
index d379640fbc..0000000000
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ /dev/null
@@ -1,149 +0,0 @@
----
-title: 4706(S) A new trust was created to a domain.
-description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4706(S): A new trust was created to a domain.
-
-
-Event 4706 illustration
-
-***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates when a new trust was created to a domain.
-
-This event is generated only on domain controllers.
-
-> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-
                - -***Event XML:*** -``` -- -- - - 4706 - 0 - 0 - 13569 - 0 - 0x8020000000000000 - - 1049759 - - - Security - DC01.contoso.local - - -- - corp.contoso.local - S-1-5-21-2226861337-2836268956-2433141405 - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x3e99d6 - 2 - 3 - 32 - %%1796 - - - -``` - -***Required Server Roles:*** Active Directory domain controller. - -***Minimum OS Version:*** Windows Server 2008. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “create domain trust” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create domain trust” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Trusted Domain:** - -- **Domain Name** \[Type = UnicodeString\]**:** the name of new trusted domain. - -- **Domain ID** \[Type = SID\]**:** SID of new trusted domain. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -**Trust Information:** - -- **Trust Type** \[Type = UInt32\]**:** the type of new trust. The following table contains possible values for this field: - -| Value | Attribute Value | Description | -|-------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 1 | TRUST\_TYPE\_DOWNLEVEL | The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000. 
| -| 2 | TRUST\_TYPE\_UPLEVEL | The domain controller of the trusted domain is a computer running Windows 2000 or later. | -| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). | -| 4 | TRUST\_TYPE\_DCE | The trusted domain is a DCE realm. Historical reference, this value is not used in Windows. | - -- **Trust Direction** \[Type = UInt32\]**:** the direction of new trust. The following table contains possible values for this field: - -| Value | Attribute Value | Description | -|-------|---------------------------------|-------------------------------------------------------------------------------------------------------------| -| 0 | TRUST\_DIRECTION\_DISABLED | The trust relationship exists, but it has been disabled. | -| 1 | TRUST\_DIRECTION\_INBOUND | The trusted domain trusts the primary domain to perform operations such as name lookups and authentication. | -| 2 | TRUST\_DIRECTION\_OUTBOUND | The primary domain trusts the trusted domain to perform operations such as name lookups and authentication. | -| 3 | TRUST\_DIRECTION\_BIDIRECTIONAL | Both domains trust one another for operations such as name lookups and authentication. | - -- **Trust Attributes** \[Type = UInt32\]**:** the decimal value of attributes for new trust. You need convert decimal value to hexadecimal and find it in the table below. 
The following table contains possible values for this field: - -| Value | Attribute Value | Description | -|-------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | -| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. 
|
-| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section [4.1.2.2](/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280). |
-| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) between the root domains of two [forests](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
                Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
                Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section [3.3.5.7.5](/openspecs/windows_protocols/ms-kile/bac4dc69-352d-416c-a9f4-730b81ababb3) and [\[MS-APDS\]](/openspecs/windows_protocols/ms-apds/dd444344-fd7e-430e-b313-7e95ab9c338e) section [3.1.5](/openspecs/windows_protocols/ms-apds/f47e40e1-b9ca-47e2-b139-15a1e96b0e72).
                Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
                Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
                Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
-| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section 4.1.2.2.
                Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
                Only evaluated if SID Filtering is used.
                Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
                Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](/openspecs/windows_protocols/ms-ada3/d4b436de-0ba2-44e3-975c-9f4d8aa51885) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](/openspecs/windows_protocols/ms-adts/c964fca9-c50e-426a-9173-5bf3cb720e2e).
                Only evaluated on TRUST\_TYPE\_MIT |
-| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section 3.3.5.7.5.
                Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
-| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section 4.1.2.2.
                Evaluated only on Windows Server 2016
                Evaluated only if SID Filtering is used.
                Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
                Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | - -- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](/previous-versions/windows/it-pro/windows-server-2003/cc772633(v=ws.10)) state for the new trust: - - - Enabled - - - Disabled - -## Security Monitoring Recommendations - -For 4706(S): A new trust was created to a domain. - -- Any changes related to Active Directory domain trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md deleted file mode 100644 index a7d7e7fab3..0000000000 --- a/windows/security/threat-protection/auditing/event-4707.md +++ /dev/null @@ -1,105 +0,0 @@ ---- -title: 4707(S) A trust to a domain was removed. -description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4707(S): A trust to a domain was removed. - - -Event 4707 illustration - -***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) - -***Event Description:*** - -This event generates when a domain trust was removed. - -This event is generated only on domain controllers. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4707 - 0 - 0 - 13569 - 0 - 0x8020000000000000 - - 1049754 - - - Security - DC01.contoso.local - - -- - FABRIKAM - S-1-5-21-2226861337-2836268956-2433141405 - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x3e99d6 - - - -``` - -***Required Server Roles:*** Active Directory domain controller. - -***Minimum OS Version:*** Windows Server 2008. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “remove domain trust” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “remove domain trust” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Domain Information:** - -- **Domain Name** \[Type = UnicodeString\]**:** the name of removed trusted domain. - -- **Domain ID** \[Type = SID\]**:** SID of removed trusted domain. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -## Security Monitoring Recommendations - -For 4707(S): A trust to a domain was removed. - -- Any changes related to Active Directory domain trusts (especially trust removal) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. - diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md deleted file mode 100644 index f83c8df8ce..0000000000 --- a/windows/security/threat-protection/auditing/event-4713.md +++ /dev/null 
@@ -1,111 +0,0 @@
----
-title: 4713(S) Kerberos policy was changed.
-description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed.
-ms.pagetype: security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: low
-author: vinaypamnani-msft
-ms.date: 09/07/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: reference
----
-
-# 4713(S): Kerberos policy was changed.
-
-
-Event 4713 illustration
-
-***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md)
-
-***Event Description:***
-
-This event generates when [Kerberos](/windows/win32/secauthn/microsoft-kerberos) policy was changed.
-
-This event is generated only on domain controllers.
-
-> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
-
                - -***Event XML:*** -``` -- -- - - 4713 - 0 - 0 - 13569 - 0 - 0x8020000000000000 - - 1049772 - - - Security - DC01.contoso.local - - -- - S-1-5-18 - DC01$ - CONTOSO - 0x3e7 - KerMaxT: 0x10c388d000 (0x861c46800); KerMaxR: 0x19254d38000 (0xc92a69c000); - - - -``` - -***Required Server Roles:*** Active Directory domain controller. - -***Minimum OS Version:*** Windows Server 2008. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that made a change to Kerberos policy. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made a change to Kerberos policy. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Changes Made** \[Type = UnicodeString\]**:** '--' means no changes, otherwise each change is shown as: Parameter\_Name: new\_value (old\_value). Here is a list of possible parameter names: - -| Parameter Name | Description | -|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| KerProxy | 1. Maximum tolerance for computer clock synchronization.
                To convert the **KerProxy** to minutes you need to:
                Convert the value to decimal value.
                Divide value by 600000000. |
-| KerMaxR | 1. Maximum lifetime for user ticket renewal.
                To convert the **KerProxy** to days you need to:
                Convert the value to decimal value.
                Divide value by 864000000000. |
-| KerMaxT | 1. Maximum lifetime for user ticket.
                To convert the **KerMaxT** to hours you need to:
                Convert the value to decimal value.
                Divide value by 36000000000. |
-| KerMinT | 1. Maximum lifetime for service ticket.
                To convert the **KerMinT** to minutes you need to:
                Convert the value to decimal value.
                Divide value by 600000000. |
-| KerOpts | - Enforce user logon restrictions:
                0x80 – Enabled
                0x0 - Disabled |
-
-This event shows changes in “Kerberos policy”. Here is location of Kerberos policies in Group Policy management console:
-
-Group policy editor illustration
-
-## Security Monitoring Recommendations
-
-For 4713(S): Kerberos policy was changed.
-
-- Any changes in Kerberos policy reported by current event must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md
deleted file mode 100644
index 13f82a2f64..0000000000
--- a/windows/security/threat-protection/auditing/event-4714.md
+++ /dev/null
@@ -1,73 +0,0 @@ ---- -title: 4714(S) Encrypted data recovery policy was changed. -description: Describes security event 4714(S) Encrypted data recovery policy was changed. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4714(S): Encrypted data recovery policy was changed. - - -Event 4714 illustration - -***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) - -***Event Description:*** - -This event generates when a Data Recovery Agent group policy for Encrypting File System ([EFS](/previous-versions/tn-archive/cc700811(v=technet.10))) has changed. - -This event generates when a Data Recovery Agent certificate or [Data Recovery Agent policy](/previous-versions/windows/it-pro/windows-server-2003/cc778208(v=ws.10)) was changed for the computer or device. - -In the background, this event generates when the [\\HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EfsBlob](/openspecs/windows_protocols/ms-gpef/34fd0504-84fc-4ad9-97ac-ee74b84419ac) registry value is changed during a Group Policy update. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4714 - 0 - 0 - 13573 - 0 - 0x8020000000000000 - - 1080883 - - - Security - DC01.contoso.local - - -- - 13 - SubjectUserSid - - - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -## Security Monitoring Recommendations - -For 4714(S): Encrypted data recovery policy was changed. - -- We recommend monitoring this event and if the change was not planned, investigate the reason for the change. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md deleted file mode 100644 index b92a998c6d..0000000000 --- a/windows/security/threat-protection/auditing/event-4715.md +++ /dev/null @@ -1,216 +0,0 @@ ---- -title: 4715(S) The audit policy (SACL) on an object was changed. -description: Describes security event 4715(S) The audit policy (SACL) on an object was changed. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4715(S): The audit policy (SACL) on an object was changed. - - -Event 4715 illustration - -***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md) - -***Event Description:*** - -This event generates every time local audit policy security descriptor changes. - -This event is always logged regardless of the "Audit Policy Change" sub-category setting. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4715 - 0 - 0 - 13568 - 0 - 0x8020000000000000 - - 1049425 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x11ae30 - D:(A;;DCSWRPDTRC;;;BA)(D;;DCSWRPDTRC;;;SY)S:NO\_ACCESS\_CONTROL - D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)S:NO\_ACCESS\_CONTROL - - -``` - -***Required Server Roles:*** None. - -***Minimum OS Version:*** Windows Server 2008, Windows Vista. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “change local audit policy security descriptor (SACL)” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change local audit policy security descriptor (SACL)” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Audit Policy Change:** - -- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the audit policy. - -- **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy. - -> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. -> -> Example: -> -> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) -> -> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. 
-> See the list of possible values in the table below: - -| Value | Description | Value | Description | -|-------|--------------------------------------|-------|---------------------------------| -| "AO" | Account operators | "PA" | Group Policy administrators | -| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | -| "AN" | Anonymous logon | "LA" | Local administrator | -| "AU" | Authenticated users | "LG" | Local guest | -| "BA" | Built-in administrators | "LS" | Local service account | -| "BG" | Built-in guests | "SY" | Local system | -| "BO" | Backup operators | "NU" | Network logon user | -| "BU" | Built-in users | "NO" | Network configuration operators | -| "CA" | Certificate server administrators | "NS" | Network service account | -| "CG" | Creator group | "PO" | Printer operators | -| "CO" | Creator owner | "PS" | Personal self | -| "DA" | Domain administrators | "PU" | Power users | -| "DC" | Domain computers | "RS" | RAS servers group | -| "DD" | Domain controllers | "RD" | Terminal server users | -| "DG" | Domain guests | "RE" | Replicator | -| "DU" | Domain users | "RC" | Restricted code | -| "EA" | Enterprise administrators | "SA" | Schema administrators | -| "ED" | Enterprise domain controllers | "SO" | Server operators | -| "WD" | Everyone | "SU" | Service logon user | - -- *G*: = Primary Group. -- *D*: = DACL Entries. -- *S*: = SACL Entries. - -*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid) - -Example: D:(A;;FA;;;WD) - -- entry\_type: - -“D” - DACL - -“S” - SACL - -- inheritance\_flags: - -"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. - -"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. - -"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. 
- -- ace\_type: - -"A" - ACCESS ALLOWED - -"D" - ACCESS DENIED - -"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s). - -"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s). - -"AU" - SYSTEM AUDIT - -"A" - SYSTEM ALARM - -"OU" - OBJECT SYSTEM AUDIT - -"OL" - OBJECT SYSTEM ALARM - -- ace\_flags: - -"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. - -"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. - -"NP" - NO PROPAGATE: only immediate children inherit this ace. - -"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance. - -"ID" - ACE IS INHERITED - -"SA" - SUCCESSFUL ACCESS AUDIT - -"FA" - FAILED ACCESS AUDIT -- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. - -| Value | Description | Value | Description | -|----------------------------|---------------------------------|----------------------|--------------------------| -| Generic access rights | Directory service access rights | -| "GA" | GENERIC ALL | "RC" | Read Permissions | -| "GR" | GENERIC READ | "SD" | Delete | -| "GW" | GENERIC WRITE | "WD" | Modify Permissions | -| "GX" | GENERIC EXECUTE | "WO" | Modify Owner | -| File access rights | "RP" | Read All Properties | -| "FA" | FILE ALL ACCESS | "WP" | Write All Properties | -| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects | -| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects | -| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents | -| Registry key access rights | "SW" | All Validated Writes | -| "KA" | "LO" | "LO" | List Object | -| "K" | KEY READ | "DT" | Delete Subtree | -| "KW" | KEY WRITE | "CR" | All Extended Rights | -| "KX" | KEY EXECUTE | | | - -- object\_guid: N/A -- inherit\_object\_guid: N/A -- account\_sid: SID of specific 
security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. - -For more information about SDDL syntax, see these articles: , . - -## Security Monitoring Recommendations - -For 4715(S): The audit policy (SACL) on an object was changed. - -- Monitor for all events of this type, especially on high value assets or computers, because any change of the local audit policy security descriptor should be planned. If this action was not planned, investigate the reason for the change. - diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md deleted file mode 100644 index 42b0a6e238..0000000000 --- a/windows/security/threat-protection/auditing/event-4716.md +++ /dev/null @@ -1,234 +0,0 @@ ---- -title: 4716(S) Trusted domain information was modified. -description: Describes security event 4716(S) Trusted domain information was modified. -ms.pagetype: security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: low -author: vinaypamnani-msft -ms.date: 09/07/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: reference ---- - -# 4716(S): Trusted domain information was modified. - - -Event 4716 illustration - -***Subcategory:*** [Audit Authentication Policy Change](audit-authentication-policy-change.md) - -***Event Description:*** - -This event generates when the trust was modified. - -This event is generated only on domain controllers. - -> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. - -
                - -***Event XML:*** -``` -- -- - - 4716 - 0 - 0 - 13569 - 0 - 0x8020000000000000 - - 1049763 - - - Security - DC01.contoso.local - - -- - S-1-5-21-3457937927-2839227994-823803824-1104 - dadmin - CONTOSO - 0x138eb0 - - - S-1-5-21-2226861337-2836268956-2433141405 - 2 - 3 - 32 - - - - - -``` - -***Required Server Roles:*** Active Directory domain controller. - -***Minimum OS Version:*** Windows Server 2008. - -***Event Versions:*** 0. - -***Field Descriptions:*** - -**Subject:** - -- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify domain trust settings” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -> **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - -- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify domain trust settings” operation. - -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. 
Formats vary, and include the following: - - - Domain NETBIOS name example: CONTOSO - - - Lowercase full domain name: contoso.local - - - Uppercase full domain name: CONTOSO.LOCAL - - - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - - - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - -- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” - -**Trusted Domain:** - -- **Domain Name** \[Type = UnicodeString\]**:** the name of changed trusted domain. If this attribute was not changed, then it will have “**-**“ value. - -- **Domain ID** \[Type = SID\]**:** SID of changed trusted domain. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - -**New Trust Information:** - -- **Trust Type** \[Type = UInt32\]**:** the type of new trust. If this attribute was not changed, then it will have “**-**“ value or its old value. 
The following table contains possible values for this field: - -| Value | Attribute Value | Description | -|-------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 1 | TRUST\_TYPE\_DOWNLEVEL | The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000. | -| 2 | TRUST\_TYPE\_UPLEVEL | The domain controller of the trusted domain is a computer running Windows 2000 or later. | -| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). | -| 4 | TRUST\_TYPE\_DCE | The trusted domain is a DCE realm. Historical reference, this value is not used in Windows. | - -- **Trust Direction** \[Type = UInt32\]**:** the direction of new trust. If this attribute was not changed, then it will have “**-**“ value or its old value. 
The following table contains possible values for this field: - -| Value | Attribute Value | Description | -|-------|---------------------------------|-------------------------------------------------------------------------------------------------------------| -| 0 | TRUST\_DIRECTION\_DISABLED | The trust relationship exists, but it has been disabled. | -| 1 | TRUST\_DIRECTION\_INBOUND | The trusted domain trusts the primary domain to perform operations such as name lookups and authentication. | -| 2 | TRUST\_DIRECTION\_OUTBOUND | The primary domain trusts the trusted domain to perform operations such as name lookups and authentication. | -| 3 | TRUST\_DIRECTION\_BIDIRECTIONAL | Both domains trust one another for operations such as name lookups and authentication. | - -- **Trust Attributes** \[Type = UInt32\]**:** the decimal value of attributes for new trust. You need convert decimal value to hexadecimal and find it in the table below. If this attribute was not changed, then it will have “**-**“ value or its old value. 
The following table contains possible values for this field: - -| Value | Attribute Value | Description | -|-------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | -| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. 
| -| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section [4.1.2.2](/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) between the root domains of two [forests](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
                Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
                Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section [3.3.5.7.5](/openspecs/windows_protocols/ms-kile/bac4dc69-352d-416c-a9f4-730b81ababb3) and [\[MS-APDS\]](/openspecs/windows_protocols/ms-apds/dd444344-fd7e-430e-b313-7e95ab9c338e) section [3.1.5](/openspecs/windows_protocols/ms-apds/f47e40e1-b9ca-47e2-b139-15a1e96b0e72).
                Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
                Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
                Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.
                Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
                Only evaluated if SID Filtering is used.
                Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
                Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](/openspecs/windows_protocols/ms-ada3/d4b436de-0ba2-44e3-975c-9f4d8aa51885) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](/openspecs/windows_protocols/ms-adts/c964fca9-c50e-426a-9173-5bf3cb720e2e).
                Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section 3.3.5.7.5.
                Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section 4.1.2.2.
                Evaluated only on Windows Server 2016
                Evaluated only if SID Filtering is used.
                Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
                Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | - -- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](/previous-versions/windows/it-pro/windows-server-2003/cc772633(v=ws.10)) state for the new trust: - - - Enabled - - - Disabled - - If this attribute was not changed, then it will have “**-**“ value or its old value. - -## Security Monitoring Recommendations - -For 4716(S): Trusted domain information was modified. - -- Any changes in Active Directory domain trust settings must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change. - -## Anonymous Logon account - -If the account reported in the event is **Anonymous Logon**, it means the password is changed by system automatic password reset. For example: - -``` -Log Name: Security -Source: Microsoft-Windows-Security-Auditing -Date: