Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: justinha
 ms.localizationpriority: medium
-ms.date: 10/10/2018
+ms.date: 10/12/2018
 ---
 
 # How Windows Information Protection protects files with a sensitivity label 
@@ -76,7 +76,9 @@ The PDF file doesn't need any work context beyond the sensitivity label.
 - Windows 10, version 1809
 - [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) scans content for a label and applies corresponding WIP protection
 - [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in the Office 365 Security & Compliance Center
-- [WIP policy](create-wip-policy-using-intune-azure.md) needs to be applied to endpoint devices.
+- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md).
+
+
 
 
 

windows/security/threat-protection/TOC.md

@@ -465,6 +465,7 @@
 ##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
 ##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
 ###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
+###### [How to list XML elements in <EventData>](auditing/how-to-list-xml-elements-in-eventdata.md)
 
 ###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
 ####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)

windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md

@@ -0,0 +1,84 @@
+---
+title: How to get a list of XML elements in <EventData> (Windows 10)
+description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML elements that can appear in <EventData>.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: tedhardyMSFT
+ms.date: 10/12/2018
+---
+
+# How to get a list of XML elements in <EventData>
+
+**Applies to**
+-   Windows 10
+
+Since the Security log uses a manifest, you can get all of the event schema from the workstation.
+
+Run the following from an elevated PowerShell prompt:
+
+```powershell
+$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"
+```
+
+The .events property is a collection of all of the events listed in the manifest on the local machine.
+
+For each event, there is a .Template property for the XML template used for the event properties (if there are any).
+
+For example:
+
+```powershell
+PS C:\WINDOWS\system32> $SecEvents.events[100]
+
+
+Id          : 4734
+Version     : 0
+LogLink     : System.Diagnostics.Eventing.Reader.EventLogLink
+Level       : System.Diagnostics.Eventing.Reader.EventLevel
+Opcode      : System.Diagnostics.Eventing.Reader.EventOpcode
+Task        : System.Diagnostics.Eventing.Reader.EventTask
+Keywords    : {}
+Template    : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
+                <data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
+                <data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
+                <data name="TargetSid" inType="win:SID" outType="xs:string"/>
+                <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
+                <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
+                <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
+                <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
+                <data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
+              </template>
+
+Description : A security-enabled local group was deleted.
+
+              Subject:
+                Security ID:            %4
+                Account Name:           %5
+                Account Domain:         %6
+                Logon ID:               %7
+
+              Group:
+                Security ID:            %3
+                Group Name:             %1
+                Group Domain:           %2
+
+              Additional Information:
+                Privileges:             %8
+
+
+
+PS C:\WINDOWS\system32> $SecEvents.events[100].Template
+<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
+  <data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
+  <data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
+  <data name="TargetSid" inType="win:SID" outType="xs:string"/>
+  <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
+  <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
+  <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
+  <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
+  <data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
+</template>
+
+```