fixing merge conflict

2025-05-13 22:07:22 +00:00 · 2016-06-02 16:23:12 -07:00 · 2016-06-02 16:23:12 -07:00 · b05f4f23ee
commit b05f4f23ee
parent 98d7e73292 930370b564
725 changed files with 38409 additions and 1919 deletions
--- a/devices/surface-hub/images/room-control-wiring-diagram.png
+++ b/devices/surface-hub/images/room-control-wiring-diagram.png
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@ -13,14 +13,9 @@ Room control systems can be used with your Microsoft Surface Hub.
 Using a room control system with your Surface Hub involves connecting room control hardware to the Surface Hub, usually through the RJ11 serial port on the bottom of the Surface Hub.
-## Debugging
+## Terminal settings
-
+To connect to a room control system control panel, you don't need to configure any terminal settings on the Surface Hub. If you want to connect a PC or laptop to your Surface Hub and send serial commands from the Surface Hub, you can use a terminal emulator program like Tera Term or PuTTY. 
 You can use the info in this section for debugging scenarios. You shouldn't need it for a typical installation.
 ### Terminal settings
 To connect to a room control system control panel, you don't need to connect to the Surface Hub, or to configure any terminal settings. For debugging purposes, if you want to connect a PC or laptop to your Surface Hub and send commands from the Surface Hub, you can use a terminal emulator program like Tera Term or PuTTY. These are the terminal settings you'll need:
 <table>
 <colgroup>
@ -54,20 +49,24 @@ To connect to a room control system control panel, you don't need to connect to
 <td align="left"><p>Flow control</p></td>
 <td align="left"><p>none</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Line feed</p></td>
 <td align="left"><p>every carriage return</p></td>
 </tr>
 </tbody>
 </table>
-### Wiring diagram
+## Wiring diagram
-You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial port to a room control system. This is the recommended method.
+You can use a standard RJ-11 (6P6C) connector to connect the Surface Hub serial port to a room control system. This is the recommended method. You can also use an RJ-11 4-conductor cable, but we do not recommend this method.
-You can also use an RJ-11 4-conductor cable, but we do not recommend this method. You'll need to convert pin numbers to make sure it's wired correctly. The following diagram shows how to convert the pin numbers.
+This diagram shows the correct pinout used for an RJ-11 (6P6C) to DB9 cable.
-![image showing the wiring diagram. ](images/roomcontrolwiring.png)
+![image showing the wiring diagram.](images/room-control-wiring-diagram.png)
-### Command sets
+## Command sets
 Room control systems use common meeting-room scenarios for commands. Commands originate from the room control system, and are communicated over a serial connection to a Surface Hub. Commands are ASCII based, and the Surface Hub will acknowledge when state changes occur.
@ -106,7 +105,7 @@ The following command modifiers are available. Commands terminate with a new lin
-### Power
+## Power
 Surface Hub can be in one of these power states.
@ -157,9 +156,72 @@ Surface Hub can be in one of these power states.
 </tbody>
 </table>
- 
+In Replacement PC mode, the power states are only Ready and Off and only change the display. The management port can't be used to power on the replacement PC. 
-### Brightness
+<table>
 <colgroup>
 <col width="33%" />
 <col width="33%" />
 <col width="33%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">State</th>
 <th align="left">Energy Star state</th>
 <th align="left">Description</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>0</p></td>
 <td align="left"><p>S5</p></td>
 <td align="left"><p>Off</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5</p></td>
 <td align="left"><p>50</p></td>
 <td align="left"><p>Ready</p></td>
 </tr>
 </tbody>
 </table>
 For a control device, anything other than 5 / Ready should be considered off. Each PowerOn command results in two state changes and reponses. 
 <table>
 <colgroup>
 <col width="33%" />
 <col width="33%" />
 <col width="33%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">Command</th>
 <th align="left">State change</th>
 <th align="left">Response</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>PowerOn</p></td>
 <td align="left"><p>Device turns on (display + PC).</p><p>PC service notifies SMC that the PC is ready.</p></td>
 <td align="left"><p>Power=0</p><p>Power=5</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>PowerOff</p></td>
 <td align="left"><p>Device transitions to ambient state (PC on, display dim).</p></td>
 <td align="left"><p>Power=0</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Power?</p></td>
 <td align="left"><p>SMC reports the last-known power state.</p></td>
 <td align="left"><p>Power=<#></p></td>
 </tr>
 </tbody>
 </table>
 ## Brightness
 The current brightness level is a range from 0 to 100.
@ -191,18 +253,10 @@ Changes to brightness levels can be sent by a room control system, or other syst
 <p>PC service notifies SMC of new brightness level.</p></td>
 <td align="left"><p>Brightness = 50</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Brightness?</p></td>
 <td align="left"><p>SMC sends a message over the control channel to request brightness.</p>
 <p>PC service notifies SMC of new brightness level.</p></td>
 <td align="left"><p>Brightness = 50</p></td>
 </tr>
 </tbody>
-</table>
+</table> 
- 
+## Volume
 ### Volume
 The current volume level is a range from 0 to 100.
@ -234,47 +288,14 @@ Changes to volume levels can be sent by a room control system, or other system.
 <p>PC service notifies SMC of new volume level.</p></td>
 <td align="left"><p>Volume = 50</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Volume?</p></td>
 <td align="left"><p>SMC sends a message over the control channel to request volume.</p>
 <p>PC service notifies SMC of new volume level.</p></td>
 <td align="left"><p>Volume = 50</p></td>
 </tr>
 </tbody>
 </table>
-### Mute for audio and microphone
+## Mute for audio
-Audio and microphone can be muted.
+Audio can be muted.
 <table>
 <colgroup>
 <col width="50%" />
 <col width="50%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">State</th>
 <th align="left">Description</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>0</p></td>
 <td align="left"><p>Source is not muted.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>1</p></td>
 <td align="left"><p>Source is muted.</p></td>
 </tr>
 </tbody>
 </table>
 Changes to microphone or audio can be sent by a room control system, or other system.
 <table>
 <colgroup>
@ -294,32 +315,14 @@ Changes to microphone or audio can be sent by a room control system, or other sy
 <td align="left"><p>AudioMute+</p></td>
 <td align="left"><p>SMC sends the audio mute command.</p>
 <p>PC service notifies SMC that audio is muted.</p></td>
-<td align="left"><p>AudioMute=&lt;#&gt;</p></td>
+<td align="left"><p>none</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>MicMute+</p></td>
 <td align="left"><p>SMC sends the microphone mute command.</p>
 <p>PC service notifies SMC that microphone is muted.</p></td>
 <td align="left"><p>MicMute=&lt;#&gt;</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>AudioMute?</p></td>
 <td align="left"><p>SMC queries PC service for the current audio state.</p>
 <p>PC service notifies SMC that audio is muted.</p></td>
 <td align="left"><p>AudioMute=&lt;#&gt;</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>MicMute?</p></td>
 <td align="left"><p>SMC queries PC service for the current microphone state.</p>
 <p>PC service notifies SMC that the microphone is muted.</p></td>
 <td align="left"><p>MicMute=&lt;#&gt;</p></td>
 </tr>
 </tbody>
 </table>
-### Video source
+## Video source
 Several display sources can be used.
@ -351,10 +354,6 @@ Several display sources can be used.
 <td align="left"><p>3</p></td>
 <td align="left"><p>VGA</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>4</p></td>
 <td align="left"><p>Wireless</p></td>
 </tr>
 </tbody>
 </table>
@ -377,7 +376,7 @@ Changes to display source can be sent by a room control system, or other system.
 </thead>
 <tbody>
 <tr class="odd">
-<td align="left"><p>Source=&lt;#&gt;</p></td>
+<td align="left"><p>Source=#</p></td>
 <td align="left"><p>SMC changes to the desired source.</p>
 <p>PC service notifies SMC that the display source has switched.</p></td>
 <td align="left"><p>Source=&lt;#&gt;</p></td>
@ -389,7 +388,7 @@ Changes to display source can be sent by a room control system, or other system.
 <td align="left"><p>Source=&lt;#&gt;</p></td>
 </tr>
 <tr class="odd">
-<td align="left"><p>Source+</p></td>
+<td align="left"><p>Source-</p></td>
 <td align="left"><p>SMC cycles to the previous active input source.</p>
 <p>PC service notifies SMC of the current input source.</p></td>
 <td align="left"><p>Source=&lt;#&gt;</p></td>
@ -403,101 +402,7 @@ Changes to display source can be sent by a room control system, or other system.
 </tbody>
 </table>
- 
+## Errors
 ### Starting apps
 Surface Hub keyboard supports starting apps with special keys. Room control systems can invoke those keys through the management port. There is no expected response for these commands.
 <table>
 <colgroup>
 <col width="50%" />
 <col width="50%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">State</th>
 <th align="left">Description</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>0</p></td>
 <td align="left"><p>Start large-screen experience (LSX)</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>1</p></td>
 <td align="left"><p>Start LSX custom app 1</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>2</p></td>
 <td align="left"><p>Start LSX custom app 2</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>3</p></td>
 <td align="left"><p>Start LSX custom app 3</p></td>
 </tr>
 </tbody>
 </table>
 Changes to display source can be sent by a room control system, or other system.
 <table>
 <colgroup>
 <col width="33%" />
 <col width="33%" />
 <col width="33%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">Command</th>
 <th align="left">State change</th>
 <th align="left">Response</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>AppKey=&lt;#&gt;</p></td>
 <td align="left"><p>Send a command to</p>
 <p>PC service notifies SMC that the display source has switched.</p></td>
 <td align="left"><p>Source=&lt;#&gt;</p></td>
 </tr>
 </tbody>
 </table>
 ### I'm done
 People will be able to start the I'm done feature on a Surface Hub from a room control system. I'm done removes any work that was displayed on the Surface Hub before ending the meeting. No information or files are saved on Surface Hub.
 <table>
 <colgroup>
 <col width="33%" />
 <col width="33%" />
 <col width="33%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">Command</th>
 <th align="left">State change</th>
 <th align="left">Response</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>I'm done</p></td>
 <td align="left"><p>Start I'm done activity on Surface Hub.</p></td>
 <td align="left"><p>none</p></td>
 </tr>
 </tbody>
 </table>
 ### Errors
 Errors are returned following the format in this table.
--- a/education/windows/index.md
+++ b/education/windows/index.md
@ -25,4 +25,4 @@ author: jdeckerMS
 ## Related topics
 - [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
- [Try it out: virtual labs for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356)
+- [Try it out: virtual labs and how-to videos for Windows 10 Education](https://technet.microsoft.com/en-us/windows/dn610356)
--- a/windows/deploy/TOC.md
+++ b/windows/deploy/TOC.md
@ -34,6 +34,7 @@
 ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
 ## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
 ## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
 ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
 ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
 ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
 ## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md)
--- a/windows/deploy/change-history-for-deploy-windows-10.md
+++ b/windows/deploy/change-history-for-deploy-windows-10.md
@ -11,6 +11,16 @@ author: greg-lindsay
 # Change history for Deploy Windows 10
 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
 ## June 2016
 | New or changed topic | Description |
 |----------------------|-------------|
 | [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
 ## May 2016
 | New or changed topic | Description |
 |----------------------|-------------|
 | [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) | New |
 ## December 2015
 | New or changed topic | Description |
 |----------------------|-------------|
--- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md
@ -0,0 +1,168 @@
 ---
 title: Configure a PXE server to load Windows PE (Windows 10)
 description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. 
 keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ---
 # Configure a PXE server to load Windows PE
 **Applies to**
 -   Windows 10
 ## Summary
 This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network.
 ## Prerequisites
 - A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://www.microsoft.com/en-us/download/details.aspx?id=39982) (Windows ADK) installed.
 - A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required.
 - A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download.
 - A file server: A server hosting a network file share.
 All four of the roles specified above can be hosted on the same computer or each can be on a separate computer.
 ## Step 1: Copy Windows PE source files
 1. On the deployment computer, click **Start**, and type **deployment**.
 2. Right-click **Deployment and Imaging Tools Environment** and then click **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools.
 3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **&lt;architecture&gt;** can be **x86**, **amd64**, or **arm** and **&lt;destination&gt;** is a path to a local directory. If the directory does not already exist, it will be created.
    ```
    copype.cmd <architecture> <destination>
    ```
    For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory:
    ```
    copype.cmd amd64 C:\winpe_amd64
    ```
    The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created:
    ```
    C:\winpe\_amd64
    C:\winpe\_amd64\fwfiles
    C:\winpe\_amd64\media
    C:\winpe\_amd64\mount
    ```
 4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example.
    ```
    Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount
    ```
 5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of \\PXE-1\TFTPRoot:
    ```
    net use y: \\PXE-1\TFTPRoot
    y:
    md boot
    ```
 6. Copy the PXE boot files from the mounted directory to the \Boot folder. For example:
    ```
    copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\boot
    ```
 7.  Copy the boot.sdi file to the PXE/TFTP server.
    ```
    copy C:\winpe_amd64\media\boot\boot.sdi y:\boot
    ```
 8.  Copy the bootable Windows PE image (boot.wim) to the \Boot folder.
    ```
    copy C:\winpe_amd64\media\sources\boot.wim y:\boot
    ```
 ## Step 2: Configure boot settings and copy the BCD file
 1.  Create a BCD store using bcdedit.exe:
    ```
    bcdedit /createstore c:\BCD
    ```
 2.  Configure RAMDISK settings:
    ```
    bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options"
    bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice partition=C:
    bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \winpe_amd64\media\boot\boot.sdi
    ```
 3.  Create a new boot application entry for the Windows PE image:
    ```
    bcdedit /store c:\BCD /set {GUID1} device ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} 
    bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe 
    bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[c:]\winpe_amd64\media\sources\boot.wim,{ramdiskoptions} 
    bcdedit /store c:\BCD /set {GUID1} systemroot \windows
    bcdedit /store c:\BCD /set {GUID1} detecthal Yes
    bcdedit /store c:\BCD /set {GUID1} winpe Yes
    ```
 4.  Configure BOOTMGR settings:
    ```
    bcdedit /store c:\BCD /set {bootmgr} timeout 30 
    bcdedit /store c:\BCD -displayorder {GUID1} -addlast
    ```
 5.  Copy the BCD file to your TFTP server:
    ```
    copy c:\BCD \\PXE-1\TFTPRoot\Boot
    ```
 Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store &lt;BCD file location&gt; /enum all. See the following example. Note: Your GUID will be different than the one shown below.
 ```
 C:\>bcdedit /store C:\BCD /enum all
 Windows Boot Manager
 --------------------
 identifier              {bootmgr}
 description             boot manager
 displayorder            {a4f89c62-2142-11e6-80b6-00155da04110}
 timeout                 30
 Windows Boot Loader
 -------------------
 identifier              {a4f89c62-2142-11e6-80b6-00155da04110}
 device                  ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
 description             winpe boot image
 osdevice                ramdisk=[boot]\boot\boot.wim,{ramdiskoptions}
 systemroot              \Windows
 detecthal               Yes
 winpe                   Yes
 Setup Ramdisk Options
 ---------------------
 identifier              {ramdiskoptions}
 description             ramdisk options
 ramdisksdidevice        boot
 ramdisksdipath          \boot\boot.sdi
 ```
 ## PXE boot process summary
 The following summarizes the PXE client boot process.
 1.  A client is directed by DHCP options 066 and 067 to download boot\\wdsnbp.com from the TFTP server.
 2.  Wdsnbp.com validates the DHCP/PXE response packet and then the client downloads boot\\pxeboot.com.
 3.  Pxeboot.com requires the client to press the F12 key to initiate a PXE boot.
 4.  The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD.
 5.  Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present.
 6.  Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image.
 7.  Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE.
 8.  The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. Using these tools together with a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system.
 See Also 
 ---------
 #### Concepts
 [Windows PE Walkthroughs](https://technet.microsoft.com/en-us/library/cc748899.aspx)
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@ -20,6 +20,7 @@ Learn about deploying Windows 10 for IT professionals.
 |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
 |[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |
 |[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
 |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
 |[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md) |Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. |
--- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md
+++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md
@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: mdt
-author: greg-lindsay
+author: Jamiejdt
 ---
 # Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management (MDM)
@ -55,7 +55,7 @@ SyncML xmlns="SYNCML:SYNCML1.1">
      <CmdID>250</CmdID>
      <Item>
        <Target>
-          <LocURI>./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/ EnterpriseUpgrade</LocURI>
+          <LocURI>./Vendor/MSFT/Registry/HKLM/SOFTWARE/Microsoft/Provisioning/OMADM/EnterpriseUpgrade</LocURI>
        </Target>
        <Meta>
          <Format xmlns=”syncml:metinf”>chr</Format>
@ -91,7 +91,7 @@ Note: The availability of Windows 10 Mobile as an update for existing Windows Ph
 ### How to blacklist the Upgrade Advisor app <a id="howto-blacklist"></a>
-Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows Phone Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL:
+Some enterprises may want to block their users from installing the Windows 10 Mobile Upgrade Advisor app. With Windows Phone 8.1, you can allow or deny individual apps by adding specific app publishers or the app globally unique identifier (GUID) from the Window Phone Store to an allow or deny XML list. The GUID for a particular application can be found in the URL for the app in the phone store. For example, the GUID to the Windows 10 Mobile Upgrade Adviser (fbe47e4f-7769-4103-910e-dca8c43e0b07) is displayed in the following URL:
 http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07
--- a/windows/index.md
+++ b/windows/index.md
@ -2,7 +2,7 @@
 title: Windows 10 and Windows 10 Mobile (Windows 10)
 description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile.
 ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
-ms.prod: W10
+ms.prod: w10
 author: brianlic-msft
 ---
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@ -163,63 +163,326 @@
 ###### [Monitor claim types](monitor-claim-types.md)
 ##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 ###### [Audit Credential Validation](audit-credential-validation.md)
-###### [Audit Kerberos Authentication Service ](audit-kerberos-authentication-service.md)
+####### [Event 4774 S: An account was mapped for logon.](event-4774.md)
 ####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md)
 ####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md)
 ####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md)
 ###### [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
 ####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](event-4768.md)
 ####### [Event 4771 F: Kerberos pre-authentication failed.](event-4771.md)
 ####### [Event 4772 F: A Kerberos authentication ticket request failed.](event-4772.md)
 ###### [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
-###### [Audit Other Account Logon Events ](audit-other-account-logon-events.md)
+####### [Event 4769 S, F: A Kerberos service ticket was requested.](event-4769.md)
 ####### [Event 4770 S: A Kerberos service ticket was renewed.](event-4770.md)
 ####### [Event 4773 F: A Kerberos service ticket request failed.](event-4773.md)
 ###### [Audit Other Account Logon Events](audit-other-account-logon-events.md)
 ###### [Audit Application Group Management](audit-application-group-management.md)
 ###### [Audit Computer Account Management](audit-computer-account-management.md)
 ####### [Event 4741 S: A computer account was created.](event-4741.md)
 ####### [Event 4742 S: A computer account was changed.](event-4742.md)
 ####### [Event 4743 S: A computer account was deleted.](event-4743.md)
 ###### [Audit Distribution Group Management](audit-distribution-group-management.md)
 ####### [Event 4749 S: A security-disabled global group was created.](event-4749.md)
 ####### [Event 4750 S: A security-disabled global group was changed.](event-4750.md)
 ####### [Event 4751 S: A member was added to a security-disabled global group.](event-4751.md)
 ####### [Event 4752 S: A member was removed from a security-disabled global group.](event-4752.md)
 ####### [Event 4753 S: A security-disabled global group was deleted.](event-4753.md)
 ###### [Audit Other Account Management Events](audit-other-account-management-events.md)
 ####### [Event 4782 S: The password hash an account was accessed.](event-4782.md)
 ####### [Event 4793 S: The Password Policy Checking API was called.](event-4793.md)
 ###### [Audit Security Group Management](audit-security-group-management.md)
 ####### [Event 4731 S: A security-enabled local group was created.](event-4731.md)
 ####### [Event 4732 S: A member was added to a security-enabled local group.](event-4732.md)
 ####### [Event 4733 S: A member was removed from a security-enabled local group.](event-4733.md)
 ####### [Event 4734 S: A security-enabled local group was deleted.](event-4734.md)
 ####### [Event 4735 S: A security-enabled local group was changed.](event-4735.md)
 ####### [Event 4764 S: A group’s type was changed.](event-4764.md)
 ####### [Event 4799 S: A security-enabled local group membership was enumerated.](event-4799.md)
 ###### [Audit User Account Management](audit-user-account-management.md)
 ####### [Event 4720 S: A user account was created.](event-4720.md)
 ####### [Event 4722 S: A user account was enabled.](event-4722.md)
 ####### [Event 4723 S, F: An attempt was made to change an account's password.](event-4723.md)
 ####### [Event 4724 S, F: An attempt was made to reset an account's password.](event-4724.md)
 ####### [Event 4725 S: A user account was disabled.](event-4725.md)
 ####### [Event 4726 S: A user account was deleted.](event-4726.md)
 ####### [Event 4738 S: A user account was changed.](event-4738.md)
 ####### [Event 4740 S: A user account was locked out.](event-4740.md)
 ####### [Event 4765 S: SID History was added to an account.](event-4765.md)
 ####### [Event 4766 F: An attempt to add SID History to an account failed.](event-4766.md)
 ####### [Event 4767 S: A user account was unlocked.](event-4767.md)
 ####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](event-4780.md)
 ####### [Event 4781 S: The name of an account was changed.](event-4781.md)
 ####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](event-4794.md)
 ####### [Event 4798 S: A user's local group membership was enumerated.](event-4798.md)
 ####### [Event 5376 S: Credential Manager credentials were backed up.](event-5376.md)
 ####### [Event 5377 S: Credential Manager credentials were restored from a backup.](event-5377.md)
 ###### [Audit DPAPI Activity](audit-dpapi-activity.md)
 ####### [Event 4692 S, F: Backup of data protection master key was attempted.](event-4692.md)
 ####### [Event 4693 S, F: Recovery of data protection master key was attempted.](event-4693.md)
 ####### [Event 4694 S, F: Protection of auditable protected data was attempted.](event-4694.md)
 ####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](event-4695.md)
 ###### [Audit PNP Activity](audit-pnp-activity.md)
 ####### [Event 6416 S: A new external device was recognized by the System.](event-6416.md)
 ####### [Event 6419 S: A request was made to disable a device.](event-6419.md)
 ####### [Event 6420 S: A device was disabled.](event-6420.md)
 ####### [Event 6421 S: A request was made to enable a device.](event-6421.md)
 ####### [Event 6422 S: A device was enabled.](event-6422.md)
 ####### [Event 6423 S: The installation of this device is forbidden by system policy.](event-6423.md)
 ####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](event-6424.md)
 ###### [Audit Process Creation](audit-process-creation.md)
-###### [Audit Process Termination ](audit-process-termination.md)
+####### [Event 4688 S: A new process has been created.](event-4688.md)
 ####### [Event 4696 S: A primary token was assigned to process.](event-4696.md)
 ###### [Audit Process Termination](audit-process-termination.md)
 ####### [Event 4689 S: A process has exited.](event-4689.md)
 ###### [Audit RPC Events](audit-rpc-events.md)
 ####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](event-5712.md)
 ###### [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
 ####### [Event 4928 S, F: An Active Directory replica source naming context was established.](event-4928.md)
 ####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](event-4929.md)
 ####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](event-4930.md)
 ####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](event-4931.md)
 ####### [Event 4934 S: Attributes of an Active Directory object were replicated.](event-4934.md)
 ####### [Event 4935 F: Replication failure begins.](event-4935.md)
 ####### [Event 4936 S: Replication failure ends.](event-4936.md)
 ####### [Event 4937 S: A lingering object was removed from a replica.](event-4937.md)
 ###### [Audit Directory Service Access](audit-directory-service-access.md)
 ####### [Event 4662 S, F: An operation was performed on an object.](event-4662.md)
 ####### [Event 4661 S, F: A handle to an object was requested.](event-4661.md)
 ###### [Audit Directory Service Changes](audit-directory-service-changes.md)
 ####### [Event 5136 S: A directory service object was modified.](event-5136.md)
 ####### [Event 5137 S: A directory service object was created.](event-5137.md)
 ####### [Event 5138 S: A directory service object was undeleted.](event-5138.md)
 ####### [Event 5139 S: A directory service object was moved.](event-5139.md)
 ####### [Event 5141 S: A directory service object was deleted.](event-5141.md)
 ###### [Audit Directory Service Replication](audit-directory-service-replication.md)
-###### [Audit Account Lockout ](audit-account-lockout.md)
+####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](event-4932.md)
 ####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](event-4933.md)
 ###### [Audit Account Lockout](audit-account-lockout.md)
 ####### [Event 4625 F: An account failed to log on.](event-4625.md)
 ###### [Audit User/Device Claims](audit-user-device-claims.md)
 ####### [Event 4626 S: User/Device claims information.](event-4626.md)
 ###### [Audit Group Membership](audit-group-membership.md)
 ####### [Event 4627 S: Group membership information.](event-4627.md)
 ###### [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
 ###### [Audit IPsec Main Mode](audit-ipsec-main-mode.md)
 ###### [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)
 ###### [Audit Logoff](audit-logoff.md)
 ####### [Event 4634 S: An account was logged off.](event-4634.md)
 ####### [Event 4647 S: User initiated logoff.](event-4647.md)
 ###### [Audit Logon](audit-logon.md)
 ####### [Event 4624 S: An account was successfully logged on.](event-4624.md)
 ####### [Event 4625 F: An account failed to log on.](event-4625.md)
 ####### [Event 4648 S: A logon was attempted using explicit credentials.](event-4648.md)
 ####### [Event 4675 S: SIDs were filtered.](event-4675.md)
 ###### [Audit Network Policy Server](audit-network-policy-server.md)
 ###### [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
 ####### [Event 4649 S: A replay attack was detected.](event-4649.md)
 ####### [Event 4778 S: A session was reconnected to a Window Station.](event-4778.md)
 ####### [Event 4779 S: A session was disconnected from a Window Station.](event-4779.md)
 ####### [Event 4800 S: The workstation was locked.](event-4800.md)
 ####### [Event 4801 S: The workstation was unlocked.](event-4801.md)
 ####### [Event 4802 S: The screen saver was invoked.](event-4802.md)
 ####### [Event 4803 S: The screen saver was dismissed.](event-4803.md)
 ####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](event-5378.md)
 ####### [Event 5632 S, F: A request was made to authenticate to a wireless network.](event-5632.md)
 ####### [Event 5633 S, F: A request was made to authenticate to a wired network.](event-5633.md)
 ###### [Audit Special Logon](audit-special-logon.md)
 ####### [Event 4964 S: Special groups have been assigned to a new logon.](event-4964.md)
 ####### [Event 4672 S: Special privileges assigned to new logon.](event-4672.md)
 ###### [Audit Application Generated](audit-application-generated.md)
 ###### [Audit Certification Services](audit-certification-services.md)
-###### [Audit Detailed File Share ](audit-detailed-file-share.md)
+###### [Audit Detailed File Share](audit-detailed-file-share.md)
 ####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](event-5145.md)
 ###### [Audit File Share](audit-file-share.md)
 ####### [Event 5140 S, F: A network share object was accessed.](event-5140.md)
 ####### [Event 5142 S: A network share object was added.](event-5142.md)
 ####### [Event 5143 S: A network share object was modified.](event-5143.md)
 ####### [Event 5144 S: A network share object was deleted.](event-5144.md)
 ####### [Event 5168 F: SPN check for SMB/SMB2 failed.](event-5168.md)
 ###### [Audit File System](audit-file-system.md)
 ####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
 ####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
 ####### [Event 4660 S: An object was deleted.](event-4660.md)
 ####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
 ####### [Event 4664 S: An attempt was made to create a hard link.](event-4664.md)
 ####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
 ####### [Event 5051: A file was virtualized.](event-5051.md)
 ####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
 ###### [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
-###### [Audit Filtering Platform Packet Drop ](audit-filtering-platform-packet-drop.md)
+####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](event-5031.md)
 ####### [Event 5150: The Windows Filtering Platform blocked a packet.](event-5150.md)
 ####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](event-5151.md)
 ####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](event-5154.md)
 ####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](event-5155.md)
 ####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](event-5156.md)
 ####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](event-5157.md)
 ####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](event-5158.md)
 ####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](event-5159.md)
 ###### [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
 ####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](event-5152.md)
 ####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](event-5153.md)
 ###### [Audit Handle Manipulation](audit-handle-manipulation.md)
-###### [Audit Kernel Object ](audit-kernel-object.md)
+####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](event-4690.md)
 ###### [Audit Kernel Object](audit-kernel-object.md)
 ####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
 ####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
 ####### [Event 4660 S: An object was deleted.](event-4660.md)
 ####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
 ###### [Audit Other Object Access Events](audit-other-object-access-events.md)
 ####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](event-4671.md)
 ####### [Event 4691 S: Indirect access to an object was requested.](event-4691.md)
 ####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](event-5148.md)
 ####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](event-5149.md)
 ####### [Event 4698 S: A scheduled task was created.](event-4698.md)
 ####### [Event 4699 S: A scheduled task was deleted.](event-4699.md)
 ####### [Event 4700 S: A scheduled task was enabled.](event-4700.md)
 ####### [Event 4701 S: A scheduled task was disabled.](event-4701.md)
 ####### [Event 4702 S: A scheduled task was updated.](event-4702.md)
 ####### [Event 5888 S: An object in the COM+ Catalog was modified.](event-5888.md)
 ####### [Event 5889 S: An object was deleted from the COM+ Catalog.](event-5889.md)
 ####### [Event 5890 S: An object was added to the COM+ Catalog.](event-5890.md)
 ###### [Audit Registry](audit-registry.md)
 ####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
 ####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
 ####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
 ####### [Event 4660 S: An object was deleted.](event-4660.md)
 ####### [Event 4657 S: A registry value was modified.](event-4657.md)
 ####### [Event 5039: A registry key was virtualized.](event-5039.md)
 ####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
 ###### [Audit Removable Storage](audit-removable-storage.md)
-###### [Audit SAM ](audit-sam.md)
+###### [Audit SAM](audit-sam.md)
 ####### [Event 4661 S, F: A handle to an object was requested.](event-4661.md)
 ###### [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
 ####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](event-4818.md)
 ###### [Audit Audit Policy Change](audit-audit-policy-change.md)
 ####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
 ####### [Event 4715 S: The audit policy, SACL, on an object was changed.](event-4715.md)
 ####### [Event 4719 S: System audit policy was changed.](event-4719.md)
 ####### [Event 4817 S: Auditing settings on object were changed.](event-4817.md)
 ####### [Event 4902 S: The Per-user audit policy table was created.](event-4902.md)
 ####### [Event 4906 S: The CrashOnAuditFail value has changed.](event-4906.md)
 ####### [Event 4907 S: Auditing settings on object were changed.](event-4907.md)
 ####### [Event 4908 S: Special Groups Logon table modified.](event-4908.md)
 ####### [Event 4912 S: Per User Audit Policy was changed.](event-4912.md)
 ####### [Event 4904 S: An attempt was made to register a security event source.](event-4904.md)
 ####### [Event 4905 S: An attempt was made to unregister a security event source.](event-4905.md)
 ###### [Audit Authentication Policy Change](audit-authentication-policy-change.md)
 ####### [Event 4706 S: A new trust was created to a domain.](event-4706.md)
 ####### [Event 4707 S: A trust to a domain was removed.](event-4707.md)
 ####### [Event 4716 S: Trusted domain information was modified.](event-4716.md)
 ####### [Event 4713 S: Kerberos policy was changed.](event-4713.md)
 ####### [Event 4717 S: System security access was granted to an account.](event-4717.md)
 ####### [Event 4718 S: System security access was removed from an account.](event-4718.md)
 ####### [Event 4739 S: Domain Policy was changed.](event-4739.md)
 ####### [Event 4864 S: A namespace collision was detected.](event-4864.md)
 ####### [Event 4865 S: A trusted forest information entry was added.](event-4865.md)
 ####### [Event 4866 S: A trusted forest information entry was removed.](event-4866.md)
 ####### [Event 4867 S: A trusted forest information entry was modified.](event-4867.md)
 ###### [Audit Authorization Policy Change](audit-authorization-policy-change.md)
 ####### [Event 4703 S: A user right was adjusted.](event-4703.md)
 ####### [Event 4704 S: A user right was assigned.](event-4704.md)
 ####### [Event 4705 S: A user right was removed.](event-4705.md)
 ####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
 ####### [Event 4911 S: Resource attributes of the object were changed.](event-4911.md)
 ####### [Event 4913 S: Central Access Policy on the object was changed.](event-4913.md)
 ###### [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
 ###### [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
 ####### [Event 4944 S: The following policy was active when the Windows Firewall started.](event-4944.md)
 ####### [Event 4945 S: A rule was listed when the Windows Firewall started.](event-4945.md)
 ####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](event-4946.md)
 ####### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](event-4947.md)
 ####### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](event-4948.md)
 ####### [Event 4949 S: Windows Firewall settings were restored to the default values.](event-4949.md)
 ####### [Event 4950 S: A Windows Firewall setting has changed.](event-4950.md)
 ####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](event-4951.md)
 ####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](event-4952.md)
 ####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](event-4953.md)
 ####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](event-4954.md)
 ####### [Event 4956 S: Windows Firewall has changed the active profile.](event-4956.md)
 ####### [Event 4957 F: Windows Firewall did not apply the following rule.](event-4957.md)
 ####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](event-4958.md)
 ###### [Audit Other Policy Change Events](audit-other-policy-change-events.md)
-###### [Audit Sensitive Privilege Use ](audit-sensitive-privilege-use.md)
+####### [Event 4714 S: Encrypted data recovery policy was changed.](event-4714.md)
-###### [Audit Non-Sensitive Privilege Use ](audit-non-sensitive-privilege-use.md)
+####### [Event 4819 S: Central Access Policies on the machine have been changed.](event-4819.md)
-###### [Audit Other Privilege Use Events ](audit-other-privilege-use-events.md)
+####### [Event 4826 S: Boot Configuration Data loaded.](event-4826.md)
 ####### [Event 4909: The local policy settings for the TBS were changed.](event-4909.md)
 ####### [Event 4910: The group policy settings for the TBS were changed.](event-4910.md)
 ####### [Event 5063 S, F: A cryptographic provider operation was attempted.](event-5063.md)
 ####### [Event 5064 S, F: A cryptographic context operation was attempted.](event-5064.md)
 ####### [Event 5065 S, F: A cryptographic context modification was attempted.](event-5065.md)
 ####### [Event 5066 S, F: A cryptographic function operation was attempted.](event-5066.md)
 ####### [Event 5067 S, F: A cryptographic function modification was attempted.](event-5067.md)
 ####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](event-5068.md)
 ####### [Event 5069 S, F: A cryptographic function property operation was attempted.](event-5069.md)
 ####### [Event 5070 S, F: A cryptographic function property modification was attempted.](event-5070.md)
 ####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](event-5447.md)
 ####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](event-6144.md)
 ####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](event-6145.md)
 ###### [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
 ####### [Event 4673 S, F: A privileged service was called.](event-4673.md)
 ####### [Event 4674 S, F: An operation was attempted on a privileged object.](event-4674.md)
 ####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
 ###### [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
 ####### [Event 4673 S, F: A privileged service was called.](event-4673.md)
 ####### [Event 4674 S, F: An operation was attempted on a privileged object.](event-4674.md)
 ####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
 ###### [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
 ####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
 ###### [Audit IPsec Driver](audit-ipsec-driver.md)
 ###### [Audit Other System Events](audit-other-system-events.md)
 ####### [Event 5024 S: The Windows Firewall Service has started successfully.](event-5024.md)
 ####### [Event 5025 S: The Windows Firewall Service has been stopped.](event-5025.md)
 ####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](event-5027.md)
 ####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](event-5028.md)
 ####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](event-5029.md)
 ####### [Event 5030 F: The Windows Firewall Service failed to start.](event-5030.md)
 ####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](event-5032.md)
 ####### [Event 5033 S: The Windows Firewall Driver has started successfully.](event-5033.md)
 ####### [Event 5034 S: The Windows Firewall Driver was stopped.](event-5034.md)
 ####### [Event 5035 F: The Windows Firewall Driver failed to start.](event-5035.md)
 ####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](event-5037.md)
 ####### [Event 5058 S, F: Key file operation.](event-5058.md)
 ####### [Event 5059 S, F: Key migration operation.](event-5059.md)
 ####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](event-6400.md)
 ####### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](event-6401.md)
 ####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](event-6402.md)
 ####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](event-6403.md)
 ####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](event-6404.md)
 ####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](event-6405.md)
 ####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](event-6406.md)
 ####### [Event 6407: 1%.](event-6407.md)
 ####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](event-6408.md)
 ####### [Event 6409: BranchCache: A service connection point object could not be parsed.](event-6409.md)
 ###### [Audit Security State Change](audit-security-state-change.md)
 ####### [Event 4608 S: Windows is starting up.](event-4608.md)
 ####### [Event 4616 S: The system time was changed.](event-4616.md)
 ####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](event-4621.md)
 ###### [Audit Security System Extension](audit-security-system-extension.md)
 ####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](event-4610.md)
 ####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](event-4611.md)
 ####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](event-4614.md)
 ####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](event-4622.md)
 ####### [Event 4697 S: A service was installed in the system.](event-4697.md)
 ###### [Audit System Integrity](audit-system-integrity.md)
 ####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](event-4612.md)
 ####### [Event 4615 S: Invalid use of LPC port.](event-4615.md)
 ####### [Event 4618 S: A monitored security event pattern has occurred.](event-4618.md)
 ####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](event-4816.md)
 ####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](event-5038.md)
 ####### [Event 5056 S: A cryptographic self-test was performed.](event-5056.md)
 ####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](event-5062.md)
 ####### [Event 5057 F: A cryptographic primitive operation failed.](event-5057.md)
 ####### [Event 5060 F: Verification operation failed.](event-5060.md)
 ####### [Event 5061 S, F: Cryptographic operation.](event-5061.md)
 ####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](event-6281.md)
 ####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](event-6410.md)
 ###### [Other Events](other-events.md)
 ####### [Event 1100 S: The event logging service has shut down.](event-1100.md)
 ####### [Event 1102 S: The audit log was cleared.](event-1102.md)
 ####### [Event 1104 S: The security log is now full.](event-1104.md)
 ####### [Event 1105 S: Event log automatic backup.](event-1105.md)
 ####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](event-1108.md)
 ###### [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
 ###### [Registry (Global Object Access Auditing) ](registry-global-object-access-auditing.md)
 ###### [File System (Global Object Access Auditing) ](file-system-global-object-access-auditing.md)
 ### [Security policy settings](security-policy-settings.md)
@ -429,6 +692,115 @@
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
 #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
 ### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
 #### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)
 #### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
 #### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
 #### [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md)
 ##### [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
 ##### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
 ###### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
 ###### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
 ###### [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
 ###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-devices.md)
 ##### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
 ###### [Basic Firewall Policy Design](basic-firewall-policy-design.md)
 ###### [Domain Isolation Policy Design](domain-isolation-policy-design.md)
 ###### [Server Isolation Policy Design](server-isolation-policy-design.md)
 ###### [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
 ##### [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
 ###### [Firewall Policy Design Example](firewall-policy-design-example.md)
 ###### [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
 ###### [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
 ###### [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
 ##### [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
 ###### [Gathering the Information You Need](gathering-the-information-you-need.md)
 ####### [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
 ####### [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
 ####### [Gathering Information about Your Computers](gathering-information-about-your-devices.md)
 ####### [Gathering Other Relevant Information](gathering-other-relevant-information.md)
 ###### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md)
 ##### [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
 ###### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
 ###### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
 ####### [Exemption List](exemption-list.md)
 ####### [Isolated Domain](isolated-domain.md)
 ####### [Boundary Zone](boundary-zone.md)
 ####### [Encryption Zone](encryption-zone.md)
 ###### [Planning Server Isolation Zones](planning-server-isolation-zones.md)
 ###### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
 ###### [Documenting the Zones](documenting-the-zones.md)
 ###### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
 ####### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
 ####### [Planning Network Access Groups](planning-network-access-groups.md)
 ####### [Planning the GPOs](planning-the-gpos.md)
 ######## [Firewall GPOs](firewall-gpos.md)
 ######### [GPO_DOMISO_Firewall](gpo-domiso-firewall.md)
 ######## [Isolated Domain GPOs](isolated-domain-gpos.md)
 ######### [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md)
 ######### [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md)
 ######## [Boundary Zone GPOs](boundary-zone-gpos.md)
 ######### [GPO_DOMISO_Boundary](gpo-domiso-boundary.md)
 ######## [Encryption Zone GPOs](encryption-zone-gpos.md)
 ######### [GPO_DOMISO_Encryption](gpo-domiso-encryption.md)
 ######## [Server Isolation GPOs](server-isolation-gpos.md)
 ####### [Planning GPO Deployment](planning-gpo-deployment.md)
 ##### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
 #### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md)
 ##### [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md)
 ##### [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md)
 ##### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
 ##### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
 ###### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)
 ###### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)
 ###### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)
 ##### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
 ###### [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)
 ###### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)
 ###### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)
 ###### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)
 ##### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
 ###### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
 ###### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
 ##### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
 ##### [Procedures Used in This Guide](procedures-used-in-this-guide.md)
 ###### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
 ###### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
 ###### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
 ###### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
 ###### [Configure Authentication Methods](configure-authentication-methods.md)
 ###### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
 ###### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
 ###### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
 ###### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
 ###### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
 ###### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
 ###### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
 ###### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
 ###### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
 ###### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
 ###### [Create a Group Policy Object](create-a-group-policy-object.md)
 ###### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
 ###### [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
 ###### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
 ###### [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
 ###### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
 ###### [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
 ###### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
 ###### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
 ###### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
 ###### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
 ###### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
 ###### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
 ###### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
 ###### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
 ###### [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
 ###### [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md)
 ###### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
 ###### [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
 ###### [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
 ###### [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
 ###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
 ## [Enterprise security guides](windows-10-enterprise-security-guides.md)
 ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 ### [Device Guard deployment guide](device-guard-deployment-guide.md)
--- a/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md
@ -0,0 +1,83 @@
 ---
 title: Add Production Devices to the Membership Group for a Zone (Windows 10)
 description: Add Production Devices to the Membership Group for a Zone
 ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Add Production Devices to the Membership Group for a Zone
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
 **Caution**  
 For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode.
 The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
 Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
 In this topic:
 -   [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group)
 -   [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
 -   [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
 ## To add domain devices to the GPO membership group
 1.  Open Active Directory Users and Computers.
 2.  In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group.
 3.  In the details pane, double-click the GPO membership group to which you want to add computers.
 4.  Select the **Members** tab, and then click **Add**.
 5.  Type **Domain Computers** in the text box, and then click **OK**.
 6.  Click **OK** to close the group properties dialog box.
 After a computer is a member of the group, you can force a Group Policy refresh on the computer.
 ## To refresh Group Policy on a device
 From an elevated command prompt, type the following:
 ``` syntax
 gpupdate /target:computer /force
 ```
 After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
 ## To see which GPOs are applied to a device
 From an elevated command prompt, type the following:
 ``` syntax
 gpresult /r /scope:computer
 ```
--- a/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md
@ -0,0 +1,77 @@
 ---
 title: Add Test Devices to the Membership Group for a Zone (Windows 10)
 description: Add Test Devices to the Membership Group for a Zone
 ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Add Test Devices to the Membership Group for a Zone
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device.
 Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it is supposed to receive.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
 In this topic:
 -   [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group)
 -   [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
 -   [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
 ## To add test devices to the GPO membership groups
 1.  Open Active Directory Users and Computers.
 2.  In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account.
 3.  In the details pane, double-click the GPO membership group to which you want to add devices.
 4.  Select the **Members** tab, and then click **Add**.
 5.  Type the name of the device in the text box, and then click **OK**.
 6.  Repeat steps 5 and 6 for each additional device account or group that you want to add.
 7.  Click **OK** to close the group properties dialog box.
 After a device is a member of the group, you can force a Group Policy refresh on the device.
 ## To refresh Group Policy on a device
 From a elevated command prompt, run the following:
 ``` syntax
 gpupdate /target:device /force
 ```
 After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
 ## To see which GPOs are applied to a device
 From an elevated command prompt, run the following:
 ``` syntax
 gpresult /r /scope:computer
 ```
--- a/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@ -0,0 +1,93 @@
 ---
 title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10)
 description: Appendix A Sample GPO Template Files for Settings Used in this Guide
 ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Appendix A: Sample GPO Template Files for Settings Used in this Guide
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
 To manually create the file, build the settings under **Computer Configuration**, **Preferences**, **Windows Settings**, **Registry**. After you have created the settings, drag the container to the desktop. An .xml file is created there.
 To import an .xml file to GPMC, drag it and drop it on the **Registry** node under **Computer Configuration**, **Preferences**, **Windows Settings**. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide.
 The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply.
 >**Note:**  The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
 ``` syntax
 <?xml version="1.0" encoding="utf-8"?>
 <Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Server and Domain Isolation Settings">
 <Registry
         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
         name="Enable PMTU Discovery"
         status="EnablePMTUDiscovery"
         image="12"
         changed="2008-05-30 20:37:37"
         uid="{52C38FD7-A081-404C-A8EA-B24A9614D0B5}"
         desc="&lt;b&gt;Enable PMTU Discovery&lt;/b&gt;&lt;p&gt;
            This setting configures whether computers can use PMTU
            discovery on the network.&lt;p&gt;
            &lt;b&gt;1&lt;/b&gt; --  Enable&lt;br&gt;
            &lt;b&gt;0&lt;/b&gt; --  Disable"
         bypassErrors="1">
   <Properties
         action="U"
         displayDecimal="1"
         default="0"
         hive="HKEY_LOCAL_MACHINE"
         key="System\CurrentControlSet\Services\TCPIP\Parameters"
         name="EnablePMTUDiscovery" type="REG_DWORD" value="00000001"/>
 </Registry>
 <Registry
         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
         name="IPsec Default Exemptions (Vista and W2K8)"
         status="NoDefaultExempt"
         image="12"
         changed="2008-05-30 20:33:32"
         uid="{AE5C505D-283E-4060-9A55-70659DFD56B6}"
         desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2008
            and later&lt;/b&gt;&lt;p&gt;
            This setting determines which network traffic type is exempt
            from any IPsec authentication requirements.&lt;p&gt;
            &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
            &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt;
            &lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt;
            &lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only"
         bypassErrors="1">
   <Properties
         action="U"
         displayDecimal="1"
         default="0"
         hive="HKEY_LOCAL_MACHINE"
         key="SYSTEM\CurrentControlSet\Services\PolicyAgent"
         name="NoDefaultExempt"
         type="REG_DWORD"
         value="00000003"/>
   <Filters>
      <FilterOs
         bool="AND" not="0"
         class="NT" version="VISTA"
         type="NE" edition="NE" sp="NE"/>
      <FilterOs
         bool="OR" not="0"
         class="NT" version="2K8"
         type="NE" edition="NE" sp="NE"/>
   </Filters>
 </Registry>
 </Collection>
 ```
--- a/windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@ -0,0 +1,29 @@
 ---
 title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
 description: Appendix A, Security monitoring recommendations for many audit events
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh
 ---
 # Appendix A: Security monitoring recommendations for many audit events
 **Applies to**
 -   Windows 10
 -   Windows Server 2016
 This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix.
 | **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                              |
 |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts.                                                              |
 | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used.     |
 | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used.                                                          |
 | **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the whitelist of accounts.                                                                 |
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
 | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts.                                         |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.                                 |
 | **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                                        |
--- a/windows/keep-secure/assign-security-group-filters-to-the-gpo.md
+++ b/windows/keep-secure/assign-security-group-filters-to-the-gpo.md
@ -0,0 +1,70 @@
 ---
 title: Assign Security Group Filters to the GPO (Windows 10)
 description: Assign Security Group Filters to the GPO
 ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Assign Security Group Filters to the GPO
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
 >**Important:**  This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs.
 In this topic:
 -   [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo)
 -   [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo)
 ## To allow members of a group to apply a GPO
 Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO.
 1.  Open the Group Policy Management console.
 2.  In the navigation pane, find and then click the GPO that you want to modify.
 3.  In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**.
    >**Note:**  You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify.
 4.  Click **Add**.
 5.  In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
 ## To prevent members of a group from applying a GPO 
 Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain.
 1.  Open the Group Policy Management console.
 2.  In the navigation pane, find and then click the GPO that you want to modify.
 3.  In the details pane, click the **Delegation** tab.
 4.  Click **Advanced**.
 5.  Under the **Group or user names** list, click **Add**.
 6.  In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
 7.  Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**.
 8.  Click **OK**, and then in the **Windows Security** dialog box, click **Yes**.
 9.  The group appears in the list with **Custom** permissions.
--- a/windows/keep-secure/audit-account-lockout.md
+++ b/windows/keep-secure/audit-account-lockout.md
@ -2,35 +2,37 @@
 title: Audit Account Lockout (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
 ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Account Lockout
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the advanced security audit policy setting, **Audit Account Lockout**, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
+
 Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
 If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts.
 Account lockout events are essential for understanding user activity and detecting potential attacks.
-Event volume: Low
+**Event volume**: Low.
-Default setting: Success
+This subcategory failure logon attempts, when account was already locked out.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                          |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 4625 | An account failed to log on. |
+| Domain Controller | No              | Yes             | No               | Yes              | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
- 
+| Member Server     | No              | Yes             | No               | Yes              | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
-## Related topics
+| Workstation       | No              | Yes             | No               | Yes              | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
 **Events List:**
 -   [4625](event-4625.md)(F): An account failed to log on.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-application-generated.md
+++ b/windows/keep-secure/audit-application-generated.md
@ -2,39 +2,37 @@
 title: Audit Application Generated (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs).
 ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Application Generated
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Application Generated**, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs).
-The following events can generate audit activity:
+Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx).
-   Creation, deletion, or initialization of an application client context
+Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012.
 -   Application operations
-Applications that are designed to use the Windows Auditing APIs can use this subcategory to log auditing events that are related to those APIs. The level, volume, relevance, and importance of these audit events depend on the application that generates them. The operating system logs the events as they are generated by the application.
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                   |
 |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF              | IF              | IF               | IF               | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. |
 | Member Server     | IF              | IF              | IF               | IF               | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. |
 | Workstation       | IF              | IF              | IF               | IF               | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. |
-Event volume: Depends on the installed app's use of the Windows Auditing APIs
+**Events List:**
-Default: Not configured
+## 4665: An attempt was made to create an application client context.
-| Event ID | Event message |
+## 4666: An application attempted an operation.
-| - | - |
+
-| 4665 | An attempt was made to create an application client context. |
+## 4667: An application client context was deleted.
-| 4666 | An application attempted an operation: | 
+
-| 4667 | An application client context was deleted. |
+## 4668: An application was initialized.
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-application-group-management.md
+++ b/windows/keep-secure/audit-application-group-management.md
@ -2,42 +2,49 @@
 title: Audit Application Group Management (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed.
 ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Application Group Management
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit Application Group Management**, which determines whether the operating system generates audit events when application group management tasks are performed.
-Application group management tasks include:
+Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions.
-   An application group is created, changed, or deleted.
+[Application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx).
 -   A member is added to or removed from an application group.
-Event volume: Low
+Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                |
 |-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------|
 | Domain Controller | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
 | Member Server     | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
 | Workstation       | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
-| Event ID | Event message |
+## 4783(S): A basic application group was created.
-| - | - |
+
-| 4783 | A basic application group was created. |
+## 4784(S): A basic application group was changed.
-| 4784 | A basic application group was changed. |
+
-| 4785 | A member was added to a basic application group. |
+## 4785(S): A member was added to a basic application group.
-| 4786 | A member was removed from a basic application group. |
+
-| 4787 | A non-member was added to a basic application group. |
+## 4786(S): A member was removed from a basic application group.
-| 4788 | A non-member was removed from a basic application group. |
+
-| 4789 | A basic application group was deleted. |
+## 4787(S): A non-member was added to a basic application group.
-| 4790 | An LDAP query group was created. |
+
- 
+## 4788(S): A non-member was removed from a basic application group.
-## Related topics
+
 ## 4789(S): A basic application group was deleted.
 ## 4790(S): An LDAP query group was created.
 ## 4791(S): An LDAP query group was changed.
 ## 4792(S): An LDAP query group was deleted.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-audit-policy-change.md
+++ b/windows/keep-secure/audit-audit-policy-change.md
@ -2,54 +2,79 @@
 title: Audit Audit Policy Change (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy.
 ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Audit Policy Change
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Audit Policy Change**, which determines whether the operating system generates audit events when changes are made to audit policy.
+
 Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy.
 **Event volume**: Low.
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                      |
 |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | No              | Yes              | No               | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | Yes             | No              | Yes              | No               | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Workstation       | Yes             | No              | Yes              | No               | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 Changes to audit policy that are audited include:
-   Changing permissions and audit settings on the audit policy object (by using **auditpol /set /sd**).
+-   Changing permissions and audit settings on the audit policy object (by using “auditpol /set /sd” command).
-   Changing the system audit policy.
+
-   Registering and unregistering security event sources.
+-   Changing the system audit policy.
-   Changing per-user audit settings.
+
-   Changing the value of **CrashOnAuditFail**.
+-   Registering and unregistering security event sources.
-   Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key).
+
 -   Changing per-user audit settings.
 -   Changing the value of CrashOnAuditFail.
 -   Changing audit settings on an object (for example, modifying the system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) for a file or registry key).
 > **Note**&nbsp;&nbsp;[SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
    > **Note:**  SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
 -   Changing anything in the Special Groups list.
-> **Important:**  Changes to the audit policy are critical security events.
+The following events will be enabled with Success auditing in this subcategory:
 Event volume: Low
-Default: Success
+-   4902(S): The Per-user audit policy table was created.
-| Event ID | Event message |
+-   4907(S): Auditing settings on object were changed.
-| - | - |
+
-| 4715 | The audit policy (SACL) on an object was changed. | 
+-   4904(S): An attempt was made to register a security event source.
-| 4719 | System audit policy was changed. | 
+
-| 4817 | Auditing settings on an object were changed. <br> **Note: ** This event is logged only on computers running the supported versions of the Windows operating system. |
+-   4905(S): An attempt was made to unregister a security event source.
-| 4902 | The Per-user audit policy table was created. | 
+
-| 4904 | An attempt was made to register a security event source. | 
+All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting.
-| 4905 | An attempt was made to unregister a security event source. | 
+
-| 4906 | The CrashOnAuditFail value has changed. | 
+**Events List:**
-| 4907 | Auditing settings on object were changed. | 
+
-| 4908 | Special Groups Logon table modified. | 
+-   [4715](event-4715.md)(S): The audit policy (SACL) on an object was changed.
-| 4912 | Per User Audit Policy was changed. | 
+
- 
+-   [4719](event-4719.md)(S): System audit policy was changed.
-## Related topics
+
 -   [4817](event-4817.md)(S): Auditing settings on object were changed.
 -   [4902](event-4902.md)(S): The Per-user audit policy table was created.
 -   [4906](event-4906.md)(S): The CrashOnAuditFail value has changed.
 -   [4907](event-4907.md)(S): Auditing settings on object were changed.
 -   [4908](event-4908.md)(S): Special Groups Logon table modified.
 -   [4912](event-4912.md)(S): Per User Audit Policy was changed.
 -   [4904](event-4904.md)(S): An attempt was made to register a security event source.
 -   [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-authentication-policy-change.md
+++ b/windows/keep-secure/audit-authentication-policy-change.md
@ -2,55 +2,75 @@
 title: Audit Authentication Policy Change (Windows 10)
 description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy.
 ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Authentication Policy Change
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes this Advanced Security Audit policy setting, **Audit Authentication Policy Change**, which determines whether the operating system generates audit events when changes are made to authentication policy.
+
 Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy.
 Changes made to authentication policy include:
 -   Creation, modification, and removal of forest and domain trusts.
 -   Changes to Kerberos policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**.
-    > **Note:**  The audit event is logged when the policy is applied, not when settings are modified by the administrator.
+-   Changes to Kerberos policy under Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy.
-     
+
-   When any of the following user rights is granted to a user or group:
+-   When any of the following user logon rights is granted to a user or group:
-    -   **Access this computer from the network**
+
-    -   **Allow logon locally**
+    -   Access this computer from the network
-    -   **Allow logon through Remote Desktop**
+
-    -   **Logon as a batch job**
+    -   Allow logon locally
-    -   **Logon as a service**
+
    -   Allow logon through Remote Desktop
    -   Logon as a batch job
    -   Logon as a service
 -   Namespace collision, such as when an added trust collides with an existing namespace name.
 This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.
-Event volume: Low
+**Event volume**: Low.
-Default: Success
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                    |
 |-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | No              | Yes              | No               | On domain controllers, it is important to enable Success audit for this subcategory to be able to get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | Yes             | No              | Yes              | No               | On member servers it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.                                                            |
 | Workstation       | Yes             | No              | Yes              | No               | On workstations it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.                                                              |
 **Events List:**
 -   [4670](event-4670.md)(S): Permissions on an object were changed
 -   [4706](event-4706.md)(S): A new trust was created to a domain.
 -   [4707](event-4707.md)(S): A trust to a domain was removed.
 -   [4716](event-4716.md)(S): Trusted domain information was modified.
 -   [4713](event-4713.md)(S): Kerberos policy was changed.
 -   [4717](event-4717.md)(S): System security access was granted to an account.
 -   [4718](event-4718.md)(S): System security access was removed from an account.
 -   [4739](event-4739.md)(S): Domain Policy was changed.
 -   [4864](event-4864.md)(S): A namespace collision was detected.
 -   [4865](event-4865.md)(S): A trusted forest information entry was added.
 -   [4866](event-4866.md)(S): A trusted forest information entry was removed.
 -   [4867](event-4867.md)(S): A trusted forest information entry was modified.
 | Event ID | Event message |
 | - | - |
 | 4713 | Kerberos policy was changed. | 
 | 4716 | Trusted domain information was modified. | 
 | 4717 | System security access was granted to an account. | 
 | 4718 | System security access was removed from an account. | 
 | 4739 | Domain Policy was changed. | 
 | 4864 | A namespace collision was detected. | 
 | 4865 | A trusted forest information entry was added. | 
 | 4866 | A trusted forest information entry was removed. | 
 | 4867 | A trusted forest information entry was modified. | 
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-authorization-policy-change.md
+++ b/windows/keep-secure/audit-authorization-policy-change.md
@ -2,39 +2,41 @@
 title: Audit Authorization Policy Change (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy.
 ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Authorization Policy Change
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Authorization Policy Change**, which determines whether the operating system generates audit events when specific changes are made to the authorization policy.
-Authorization policy changes that can be audited include:
+Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects.
-   Assigning or removing user rights (privileges) such as **SeCreateTokenPrivilege**, except for the system access rights that are audited by using the [Audit Authentication Policy Change](audit-authentication-policy-change.md) subcategory.
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-   Changing the Encrypting File System (EFS) policy.
+|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | No              | Yes              | No               | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | Yes             | No              | Yes              | No               | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Workstation       | Yes             | No              | Yes              | No               | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-Event volume: Very high
+**Events List:**
-Default: Not configured
+-   [4703](event-4703.md)(S): A user right was adjusted.
-| Event ID | Event message |
+-   [4704](event-4704.md)(S): A user right was assigned.
-| - | - |
+
-| 4704 | A user right was assigned. | 
+-   [4705](event-4705.md)(S): A user right was removed.
-| 4705 | A user right was removed. | 
+
-| 4706 | A new trust was created to a domain. | 
+-   [4670](event-4670.md)(S): Permissions on an object were changed.
-| 4707 | A trust to a domain was removed. | 
+
-| 4714 | Encrypted data recovery policy was changed. | 
+-   [4911](event-4911.md)(S): Resource attributes of the object were changed.
- 
+
-## Related topics
+-   [4913](event-4913.md)(S): Central Access Policy on the object was changed.
 **Event volume**: Medium.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-central-access-policy-staging.md
+++ b/windows/keep-secure/audit-central-access-policy-staging.md
@ -2,30 +2,39 @@
 title: Audit Central Access Policy Staging (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy.
 ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Central Access Policy Staging
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Central Access Policy Staging**, which determines permissions on a Central Access Policy.
-Event volume: Medium
+Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object.
-Default: Not configured
+If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows:
-| Event ID | Event message |
+-   Success audits, when configured, record access attempts when the current central access policy grants access, but the proposed policy denies access.
-| - | - |
+
-| 4818 | Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy |
+-   Failure audits, when configured, record access attempts when:
- 
+
-## Related topics
+    -   The current central access policy does not grant access, but the proposed policy grants access.
    -   A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                     |
 |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF              | No              | IF               | No               | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | IF              | No              | IF               | No               | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Workstation       | IF              | No              | IF               | No               | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 **Events List:**
 -   [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-certification-services.md
+++ b/windows/keep-secure/audit-certification-services.md
@ -1,77 +1,118 @@
 ---
 title: Audit Certification Services (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
+description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (ADÂ CS) operations are performed.
 ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Certification Services
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Certification Services**, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
-Examples of AD CS operations include:
+Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
 Examples of AD CS operations include:
 -   AD CS starts, shuts down, is backed up, or is restored.
 -   AD CS starts, shuts down, is backed up, or is restored.
 -   Certificate revocation list (CRL)-related tasks are performed.
 -   Certificates are requested, issued, or revoked.
-   Certificate manager settings for AD CS are changed.
+
 -   Certificate manager settings for AD CS are changed.
 -   The configuration and properties of the certification authority (CA) are changed.
-   AD CS templates are modified.
+
 -   AD CS templates are modified.
 -   Certificates are imported.
 -   A CA certificate is published to Active Directory Domain Services.
 -   Security permissions for AD CS role services are modified.
 -   Keys are archived, imported, or retrieved.
 -   The OCSP Responder Service is started or stopped.
 Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
-Event volume: Low to medium on servers that host AD CS role services
+**Event volume: Low to medium on servers that provide AD CS role services.**
-Default: Not configured
+Role-specific subcategories are outside the scope of this document.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                        |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 4868 | The certificate manager denied a pending certificate request. |
+| Domain Controller | IF              | IF              | IF               | IF               | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
-| 4869 | Certificate Services received a resubmitted certificate request. | 
+| Member Server     | IF              | IF              | IF               | IF               | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
-| 4870 | Certificate Services revoked a certificate. | 
+| Workstation       | No              | No              | No               | No               | [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS.                                                                         |
-| 4871 | Certificate Services received a request to publish the certificate revocation list (CRL). | 
+
-| 4872 | Certificate Services published the certificate revocation list (CRL). | 
+## 4868: The certificate manager denied a pending certificate request.
-| 4873 | A certificate request extension changed. | 
+
-| 4874 | One or more certificate request attributes changed. | 
+## 4869: Certificate Services received a resubmitted certificate request.
-| 4875 | Certificate Services received a request to shut down. | 
+
-| 4876 | Certificate Services backup started. | 
+## 4870: Certificate Services revoked a certificate.
-| 4877 | Certificate Services backup completed. | 
+
-| 4878 | Certificate Services restore started. | 
+## 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
-| 4879 | Certificate Services restore completed. | 
+
-| 4880 | Certificate Services started. | 
+## 4872: Certificate Services published the certificate revocation list (CRL).
-| 4881 | Certificate Services stopped. | 
+
-| 4882 | The security permissions for Certificate Services changed. | 
+## 4873: A certificate request extension changed.
-| 4883 | Certificate Services retrieved an archived key. | 
+
-| 4884 | Certificate Services imported a certificate into its database. | 
+## 4874: One or more certificate request attributes changed.
-| 4885 | The audit filter for Certificate Services changed. | 
+
-| 4886 | Certificate Services received a certificate request. | 
+## 4875: Certificate Services received a request to shut down.
-| 4887 | Certificate Services approved a certificate request and issued a certificate. | 
+
-| 4888 | Certificate Services denied a certificate request. | 
+## 4876: Certificate Services backup started.
-| 4889 | Certificate Services set the status of a certificate request to pending. | 
+
-| 4890 | The certificate manager settings for Certificate Services changed. | 
+## 4877: Certificate Services backup completed.
-| 4891 | A configuration entry changed in Certificate Services. | 
+
-| 4892 | A property of Certificate Services changed. | 
+## 4878: Certificate Services restore started.
-| 4893 | Certificate Services archived a key. | 
+
-| 4894 | Certificate Services imported and archived a key. | 
+## 4879: Certificate Services restore completed.
-| 4895 | Certificate Services published the CA certificate to Active Directory Domain Services. |
+
-| 4896 | One or more rows have been deleted from the certificate database. | 
+## 4880: Certificate Services started.
-| 4897 | Role separation enabled: | 
+
-| 4898 | Certificate Services loaded a template. | 
+## 4881: Certificate Services stopped.
- 
+
-## Related topics
+## 4882: The security permissions for Certificate Services changed.
 ## 4883: Certificate Services retrieved an archived key.
 ## 4884: Certificate Services imported a certificate into its database.
 ## 4885: The audit filter for Certificate Services changed.
 ## 4886: Certificate Services received a certificate request.
 ## 4887: Certificate Services approved a certificate request and issued a certificate.
 ## 4888: Certificate Services denied a certificate request.
 ## 4889: Certificate Services set the status of a certificate request to pending.
 ## 4890: The certificate manager settings for Certificate Services changed.
 ## 4891: A configuration entry changed in Certificate Services.
 ## 4892: A property of Certificate Services changed.
 ## 4893: Certificate Services archived a key.
 ## 4894: Certificate Services imported and archived a key.
 ## 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
 ## 4896: One or more rows have been deleted from the certificate database.
 ## 4897: Role separation enabled.
 ## 4898: Certificate Services loaded a template.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-computer-account-management.md
+++ b/windows/keep-secure/audit-computer-account-management.md
@ -2,34 +2,39 @@
 title: Audit Computer Account Management (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
 ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Computer Account Management
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the advanced security audit policy setting, **Audit Computer Account Management**, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
+
 Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
 This policy setting is useful for tracking account-related changes to computers that are members of a domain.
-Event volume: Low
+**Event volume**: Low on domain controllers.
-Default: Not configured
+This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 4741 | A computer account was created. | 
+| Domain Controller | Yes             | No              | Yes              | No               | We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted.<br>Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| 4742 | A computer account was changed. | 
+| Member Server     | No              | No              | No               | No               | This subcategory generates events only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| 4743 | A computer account was deleted. | 
+| Workstation       | No              | No              | No               | No               | This subcategory generates events only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
- 
+
-## Related topics
+**Events List:**
 -   [4741](event-4741.md)(S): A computer account was created.
 -   [4742](event-4742.md)(S): A computer account was changed.
 -   [4743](event-4743.md)(S): A computer account was deleted.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-credential-validation.md
+++ b/windows/keep-secure/audit-credential-validation.md
@ -2,42 +2,51 @@
 title: Audit Credential Validation (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
 ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Credential Validation
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the advanced security audit policy setting, **Audit Credential Validation**, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
+
 Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
 These events occur on the computer that is authoritative for the credentials as follows:
 -   For domain accounts, the domain controller is authoritative.
 -   For local accounts, the local computer is authoritative.
-Event volume: High on domain controllers
+**Event volume**:
-Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they 
+-   High on domain controllers.
 may occur in conjunction with or on separate computers from Logon and Logoff events.
-Default: Not configured
+-   Low on member servers and workstations.
-| Event ID | Event message |
+Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events.
-| - | - |
+
-| 4774 | An account was mapped for logon. |
+The main reason to enable this auditing subcategory is to handle local accounts authentication attempts and, for domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers.
-| 4775 | An account could not be mapped for logon. |
+
-| 4776 | The domain controller attempted to validate the credentials for an account. |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
-| 4777 | The domain controller failed to validate the credentials for an account. |
+|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
- 
+| Domain Controller | IF              | Yes             | Yes              | Yes              | Expected volume of events is high for domain controllers, because this subcategory will generate events when an authentication attempt is made using any domain account and NTLM authentication. <br>IF – We recommend Success auditing to keep track of domain-account authentication events using the NTLM protocol. Expect a high volume of events. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Just collecting Success auditing events in this subcategory for future use in case of a security incident is not very useful, because events in this subcategory are not always informative.<br>We recommend Failure auditing, to collect information about failed authentication attempts using domain accounts and the NTLM authentication protocol. |
-## Related topics
+| Member Server     | Yes             | Yes             | Yes              | Yes              | Expected volume of events is low for member servers, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | Workstation       | Yes             | Yes             | Yes              | Yes              | Expected volume of events is low for workstations, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 **Events List:**
 -   [4774](event-4774.md)(S): An account was mapped for logon.
 -   [4775](event-4775.md)(F): An account could not be mapped for logon.
 -   [4776](event-4776.md)(S, F): The computer attempted to validate the credentials for an account.
 -   [4777](event-4777.md)(F): The domain controller failed to validate the credentials for an account.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-detailed-directory-service-replication.md
+++ b/windows/keep-secure/audit-detailed-directory-service-replication.md
@ -6,35 +6,43 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-author: brianlic-msft
+author: Mir0sh
 ---
 # Audit Detailed Directory Service Replication
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the advanced security audit policy setting, **Audit Detailed Directory Service Replication**, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
+
 Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
 This audit subcategory can be useful to diagnose replication issues.
-Event volume: These events can create a very high volume of event data.
+**Event volume**: These events can create a very high volume of event data on domain controllers.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                            |
 |-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | No              | No              | IF               | IF               | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting. |
 | Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                            |
 | Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                            |
-| Event ID | Event message |
+**Events List:**
-| - | - |
+
-| 4928 | An Active Directory replica source naming context was established. | 
+-   [4928](event-4928.md)(S, F): An Active Directory replica source naming context was established.
-| 4929 | An Active Directory replica source naming context was removed. | 
+
-| 4930 | An Active Directory replica source naming context was modified. | 
+-   [4929](event-4929.md)(S, F): An Active Directory replica source naming context was removed.
-| 4931 | An Active Directory replica destination naming context was modified. | 
+
-| 4934 | Attributes of an Active Directory object were replicated. | 
+-   [4930](event-4930.md)(S, F): An Active Directory replica source naming context was modified.
-| 4935 | Replication failure begins. | 
+
-| 4936 | Replication failure ends. | 
+-   [4931](event-4931.md)(S, F): An Active Directory replica destination naming context was modified.
-| 4937 | A lingering object was removed from a replica. | 
+
- 
+-   [4934](event-4934.md)(S): Attributes of an Active Directory object were replicated.
-## Related topics
+
 -   [4935](event-4935.md)(F): Replication failure begins.
 -   [4936](event-4936.md)(S): Replication failure ends.
 -   [4937](event-4937.md)(S): A lingering object was removed from a replica.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-detailed-file-share.md
+++ b/windows/keep-secure/audit-detailed-file-share.md
@ -2,33 +2,41 @@
 title: Audit Detailed File Share (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder.
 ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Detailed File Share
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Detailed File Share**, which allows you to audit attempts to access files and folders on a shared folder.
-The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client computer and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
+Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.
 > **Note:**  There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
 Event volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy
-Default: Not configured
+The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
-| Event ID | Event message |
+There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
-| - | - |
+
-| 5145 | A network share object was checked to see whether the client can be granted desired access. | 
+**Event volume**:
- 
+
-## Related topics
+-   High on file servers.
 -   High on domain controllers because of SYSVOL network access required by Group Policy.
 -   Low on member servers and workstations.
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
 |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | No              | Yes             | No               | Yes              | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.<br>We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer.                                                                                                                                                                                                                                                                                                                                                                                              |
 | Member Server     | IF              | Yes             | IF               | Yes              | IF – If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.<br>The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. |
 | Workstation       | IF              | Yes             | IF               | Yes              | IF – If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.<br>The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer.                                                                                   |
 **Events List:**
 -   [5145](event-5145.md)(S, F): A network share object was checked to see whether client can be granted desired access.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-directory-service-access.md
+++ b/windows/keep-secure/audit-directory-service-access.md
@ -1,34 +1,36 @@
 ---
 title: Audit Directory Service Access (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
+description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (ADÂ DS) object is accessed.
 ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Directory Service Access
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Access**, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
-These events are similar to the Directory Service Access events in previous versions of the Windows Server operating systems.
+Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
 > **Important:**  Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings.
 Event volume: High on servers running AD DS role services; none on client computers
-Default: Not configured
+**Event volume**: High on servers running AD DS role services.
-| Event ID | Event message |
+This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.
-| - | - |
+
-| 4662 | An operation was performed on an object. |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
- 
+|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-## Related topics
+| Domain Controller | No              | Yes             | No               | Yes              | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. |
 | Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 | Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 **Events List:**
 -   [4662](event-4662.md)(S, F): An operation was performed on an object.
 -   [4661](event-4661.md)(S, F): A handle to an object was requested.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-directory-service-changes.md
+++ b/windows/keep-secure/audit-directory-service-changes.md
@ -1,49 +1,48 @@
 ---
 title: Audit Directory Service Changes (Windows 10)
-description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
+description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (ADÂ DS).
 ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Directory Service Changes
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Changes**, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
-The types of changes that are reported are:
+Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
-   Create
+Auditing of directory service objects can provide information about the old and new properties of the objects that were changed.
 -   Delete
 -   Modify
 -   Move
 -   Undelete
-Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed.
+Audit events are generated only for objects with configured system access control lists ([SACLs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)), and only when they are accessed in a manner that matches their [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
-> **Important:**  Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
+This subcategory only logs events on domain controllers.
 This subcategory only logs events on domain controllers. Changes to Active Directory objects are important events to track in order to understand the state of the network policy.
-Event volume: High on domain controllers; none on client computers
+**Event volume**: High on domain controllers.
-Default: Not configured
+This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or deleted.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 5136 | A directory service object was modified. | 
+| Domain Controller | Yes             | No              | Yes              | No               | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) container or Domain Admins group objects. <br>This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| 5137 | A directory service object was created. | 
+| Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 5138 | A directory service object was undeleted. | 
+| Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| 5139 | A directory service object was moved. | 
+
-| 5141 | A directory service object was deleted. | 
+**Events List:**
- 
+
-## Related topics
+-   [5136](event-5136.md)(S): A directory service object was modified.
 -   [5137](event-5137.md)(S): A directory service object was created.
 -   [5138](event-5138.md)(S): A directory service object was undeleted.
 -   [5139](event-5139.md)(S): A directory service object was moved.
 -   [5141](event-5141.md)(S): A directory service object was deleted.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-directory-service-replication.md
+++ b/windows/keep-secure/audit-directory-service-replication.md
@ -2,31 +2,33 @@
 title: Audit Directory Service Replication (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
 ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Directory Service Replication
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Replication**, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
-Event volume: Medium on domain controllers; none on client computers
+Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
-Default: Not configured
+**Event volume**: Medium on domain controllers.
-| Event ID | Event Message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                            |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 4932 | Synchronization of a replica of an Active Directory naming context has begun. |
+| Domain Controller | No              | No              | IF               | IF               | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for Active Directory replication troubleshooting. |
-| 4933 | Synchronization of a replica of an Active Directory naming context has ended. | 
+| Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                            |
- 
+| Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                            |
-## Related topics
+
 **Events List:**
 -   [4932](event-4932.md)(S): Synchronization of a replica of an Active Directory naming context has begun.
 -   [4933](event-4933.md)(S, F): Synchronization of a replica of an Active Directory naming context has ended.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-distribution-group-management.md
+++ b/windows/keep-secure/audit-distribution-group-management.md
@ -2,51 +2,69 @@
 title: Audit Distribution Group Management (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks.
 ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Distribution Group Management
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Distribution Group Management**, which determines whether the operating system generates audit events for specific distribution-group management tasks.
-Tasks for distribution-group management that can be audited include:
+Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
-   A distribution group is created, changed, or deleted.
+This subcategory generates events only on domain controllers.
 -   A member is added to or removed from a distribution group.
-This subcategory to which this policy belongs is logged only on domain controllers.
+**Event volume**: Low on domain controllers.
 > **Note:**  Distribution groups cannot be used to manage access control permissions.
 Event volume: Low
-Default: Not configured
+This subcategory allows you to audit events generated by changes to distribution groups such as the following:
-| Event ID | Event message |
+-   Distribution group is created, changed, or deleted.
 | - | - |
 | 4744 | A security-disabled local group was created. | 
 | 4745 | A security-disabled local group was changed.  |
 | 4746 | A member was added to a security-disabled local group. | 
 | 4747 | A member was removed from a security-disabled local group. | 
 | 4748 | A security-disabled local group was deleted. | 
 | 4749 | A security-disabled global group was created. |
 | 4750 | A security-disabled global group was changed. |
 | 4751 | A member was added to a security-disabled global group. | 
 | 4752 | A member was removed from a security-disabled global group. | 
 | 4753 | A security-disabled global group was deleted. |
 | 4759 | A security-disabled universal group was created. | 
 | 4760 | A security-disabled universal group was changed.  |
 | 4761 | A member was added to a security-disabled universal group. | 
 | 4762 | A member was removed from a security-disabled universal group. | 
- ## Related topics
+-   Member is added or removed from a distribution group.
 If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A group’s type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF              | No              | IF               | No               | IF - Typically actions related to distribution groups have low security relevance, much more important to monitor Security Group changes. But if you want to monitor for critical distribution groups changes, such as member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | No              | No              | No               | No               | This subcategory generates events only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | Workstation       | No              | No              | No               | No               | This subcategory generates events only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 **Events List:**
 -   [4749](event-4749.md)(S): A security-disabled global group was created.
 -   [4750](event-4750.md)(S): A security-disabled global group was changed.
 -   [4751](event-4751.md)(S): A member was added to a security-disabled global group.
 -   [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
 -   [4753](event-4753.md)(S): A security-disabled global group was deleted.
 **4759(S): A security-disabled universal group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4759 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **4760(S): A security-disabled universal group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4760 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **4761(S): A member was added to a security-disabled universal group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4761 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **4762(S): A member was removed from a security-disabled universal group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4762 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **4763(S): A security-disabled universal group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4763 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **4744(S): A security-disabled local group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4744 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **4745(S): A security-disabled local group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4745 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **4746(S): A member was added to a security-disabled local group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4746 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **4747(S): A member was removed from a security-disabled local group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4747 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **4748(S): A security-disabled local group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-dpapi-activity.md
+++ b/windows/keep-secure/audit-dpapi-activity.md
@ -2,37 +2,37 @@
 title: Audit DPAPI Activity (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
 ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit DPAPI Activity
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit DPAPI Activity**, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
 DPAPI is used to protect secret information such as stored passwords and key information. For more information about DPAPI, see [Windows Data Protection](http://go.microsoft.com/fwlink/p/?linkid=121720) (http://go.microsoft.com/fwlink/p/?linkid=121720).
-Event volume: Low
+Audit [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx)).
-Default: Not configured
+**Event volume**: Low.
-If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista.
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                     |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF              | IF              | IF               | IF               | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. |
 | Member Server     | IF              | IF              | IF               | IF               | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. |
 | Workstation       | IF              | IF              | IF               | IF               | IF – Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. It’s mainly used for DPAPI troubleshooting. |
-| Event ID | Event message |
+**Events List:**
-| - | - |
+
-| 4692 | Backup of data protection master key was attempted. | 
+-   [4692](event-4692.md)(S, F): Backup of data protection master key was attempted.
-| 4693 | Recovery of data protection master key was attempted. | 
+
-| 4694 | Protection of auditable protected data was attempted. |
+-   [4693](event-4693.md)(S, F): Recovery of data protection master key was attempted.
-| 4695 | Unprotection of auditable protected data was attempted. | 
+
- 
+-   [4694](event-4694.md)(S, F): Protection of auditable protected data was attempted.
-## Related resource
+
 -   [4695](event-4695.md)(S, F): Unprotection of auditable protected data was attempted.
 - [Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-file-share.md
+++ b/windows/keep-secure/audit-file-share.md
@ -2,39 +2,49 @@
 title: Audit File Share (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed.
 ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit File Share
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File Share**, which determines whether the operating system generates audit events when a file share is accessed.
-Audit events are not generated when shares are created, deleted, or when share permissions change.
+Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks.
-> **Note:**  There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.
+
- 
+There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.
 Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access.
-Event volume: High on a file server or domain controller (due to SYSVOL access by client computers for policy processing)
+**Event volume**:
-Default: Not configured
+-   High on file servers.
-| Event ID | Event message |
+-   High on domain controllers because of SYSVOL network access required by Group Policy.
-| - |- |
+
-| 5140 | A network share object was accessed.<br>**Note:**  This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. |
+-   Low on member servers and workstations.
-| 5142 | A network share object was added. | 
+
-| 5143 | A network share object was modified. | 
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                  |
-| 5144 | A network share object was deleted. |
+|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 5168 | SPN check for SMB/SMB2 failed. |
+| Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing for domain controllers, because it’s important to track deletion, creation, and modification events for network shares.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
- 
+| Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing to track deletion, creation, modification, and access attempts to network share objects.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares.                                |
-## Related topics
+| Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing to track deletion, creation, modification and access attempts to network share objects.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares.                                 |
 **Events List:**
 -   [5140](event-5140.md)(S, F): A network share object was accessed.
 -   [5142](event-5142.md)(S): A network share object was added.
 -   [5143](event-5143.md)(S): A network share object was modified.
 -   [5144](event-5144.md)(S): A network share object was deleted.
 -   [5168](event-5168.md)(F): SPN check for SMB/SMB2 failed.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-file-system.md
+++ b/windows/keep-secure/audit-file-system.md
@ -2,39 +2,57 @@
 title: Audit File System (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects.
 ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.pagetype: security
 ms.sitesec: library
-author: brianlic-msft
+author: Mir0sh
 ---
 # Audit File System
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
 Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
 Audit events are generated only for objects that have configured system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File System**, which determines whether the operating system generates audit events when users attempt to access file system objects.
 Audit events are generated only for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
 If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL.
 These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring.
-Event volume: Varies, depending on how file system SACLs are configured
+**Event volume**: Varies, depending on how file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s are configured.
-No audit events are generated for the default file system SACLs.
+No audit events are generated for the default file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s.
-Default: Not configured
+This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions.
-| Event ID | Event message |
+Only one event, “[4658](event-4658.md): The handle to an object was closed,” depends on the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory (Success auditing must be enabled). All other events generate without any additional configuration.
-| - | - |
+
-| 4664 | An attempt was made to create a hard link. | 
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| 4985 | The state of a transaction has changed. |
+|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 5051 | A file was virtualized. |
+| Domain Controller | IF              | IF              | IF               | IF               | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.<br>Failure events can show you unsuccessful attempts to access specific file system objects.<br>Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. |
- 
+| Member Server     | IF              | IF              | IF               | IF               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
-## Related topics
+| Workstation       | IF              | IF              | IF               | IF               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
 **Events List:**
 -   [4656](event-4656.md)(S, F): A handle to an object was requested.
 -   [4658](event-4658.md)(S): The handle to an object was closed.
 -   [4660](event-4660.md)(S): An object was deleted.
 -   [4663](event-4663.md)(S): An attempt was made to access an object.
 -   [4664](event-4664.md)(S): An attempt was made to create a hard link.
 -   [4985](event-4985.md)(S): The state of a transaction has changed.
 -   [5051](event-5051.md)(-): A file was virtualized.
 -   [4670](event-4670.md)(S): Permissions on an object were changed.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-filtering-platform-connection.md
+++ b/windows/keep-secure/audit-filtering-platform-connection.md
@ -2,48 +2,51 @@
 title: Audit Filtering Platform Connection (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.
 ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Filtering Platform Connection
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Connection**, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.
+
 Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx).
 Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
-This security policy enables you to audit the following types of actions:
+This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and blocked to accept incoming connections applications.
-   The Windows Firewall service blocks an application from accepting incoming connections on the network.
+**Event volume**: High.
 -   The Windows Filtering Platform allows or blocks a connection.
 -   The Windows Filtering Platform permits or blocks a bind to a local port.
 -   The Windows Filtering Platform permits or blocks an application or service from listening for incoming connections on a port.
-Event volume: High
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | No              | Yes             | IF               | Yes              | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
 | Member Server     | No              | Yes             | IF               | Yes              | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
 | Workstation       | No              | Yes             | IF               | Yes              | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
-Default: Not configured
+**Events List:**
-| Event ID | Event message |
+-   [5031](event-5031.md)(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
-| - | - |
+
-| 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. | 
+-   [5150](event-5150.md)(-): The Windows Filtering Platform blocked a packet.
-| 5140 | A network share object was accessed. |
+
-| 5150 | The Windows Filtering Platform blocked a packet. | 
+-   [5151](event-5151.md)(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
-| 5151 | A more restrictive Windows Filtering Platform filter has blocked a packet. | 
+
-| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | 
+-   [5154](event-5154.md)(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-| 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. |  
+
-| 5156 | The Windows Filtering Platform has allowed a connection. |
+-   [5155](event-5155.md)(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
-| 5157 | The Windows Filtering Platform has blocked a connection. |
+
-| 5158 | The Windows Filtering Platform has permitted a bind to a local port. | 
+-   [5156](event-5156.md)(S): The Windows Filtering Platform has permitted a connection.
-| 5159 | The Windows Filtering Platform has blocked a bind to a local port. |
+
- 
+-   [5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection.
-## Related topics
+
 -   [5158](event-5158.md)(S): The Windows Filtering Platform has permitted a bind to a local port.
 -   [5159](event-5159.md)(F): The Windows Filtering Platform has blocked a bind to a local port.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-filtering-platform-packet-drop.md
+++ b/windows/keep-secure/audit-filtering-platform-packet-drop.md
@ -2,35 +2,37 @@
 title: Audit Filtering Platform Packet Drop (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform.
 ms.assetid: 95457601-68d1-4385-af20-87916ddab906
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Filtering Platform Packet Drop
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Packet Drop**, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform.
+
 Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx).
 Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
-A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to computers on your network.
+A high rate of dropped packets *may* indicate that there have been attempts to gain unauthorized access to computers on your network.
-Event volume: High
+**Event volume**: High.
-Default setting: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
 |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | No              | No              | No               | No               | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
 | Member Server     | No              | No              | No               | No               | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
 | Workstation       | No              | No              | No               | No               | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
-| Event ID | Event message |
+**Events List:**
-| - | - |
+
-| 5152 | The Windows Filtering Platform blocked a packet. | 
+-   [5152](event-5152.md)(F): The Windows Filtering Platform blocked a packet.
-| 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. | 
+
- 
+-   [5153](event-5153.md)(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-filtering-platform-policy-change.md
+++ b/windows/keep-secure/audit-filtering-platform-policy-change.md
@ -2,224 +2,117 @@
 title: Audit Filtering Platform Policy Change (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions.
 ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Filtering Platform Policy Change
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Policy Change**, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions.
+
 Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following:
 -   IPsec services status.
 -   Changes to IPsec policy settings.
 -   Changes to Windows Filtering Platform Base Filtering Engine policy settings.
 -   Changes to WFP providers and engine.
 Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
-This security policy setting determines whether the operating system generates audit events for:
+This subcategory is outside the scope of this document.
-   IPsec services status.
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                |
-   Changes to IPsec settings.
+|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------|
-   Status and changes to the Windows Filtering Platform engine and providers.
+| Domain Controller | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
-   IPsec Policy Agent service activities.
+| Member Server     | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
 | Workstation       | -               | -               | -                | -                | This subcategory is outside the scope of this document. |
-Event volume: Low
+## 4709(S): IPsec Services was started.
-Default: Not configured
+## 4710(S): IPsec Services was disabled.
-<table>
+## 4711(S): May contain any one of the following: 
-<colgroup>
+
-<col width="50%" />
+## 4712(F): IPsec Services encountered a potentially serious failure.
-<col width="50%" />
+
-</colgroup>
+## 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
-<thead>
+
-<tr class="header">
+## 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
-<th align="left">Event ID</th>
+
-<th align="left">Event message</th>
+## 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
-</tr>
+
-</thead>
+## 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
-<tbody>
+
-<tr class="odd">
+## 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
-<td align="left"><p>4709</p></td>
+
-<td align="left"><p>IPsec Services was started.</p></td>
+## 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
-</tr>
+
-<tr class="even">
+## 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
-<td align="left"><p>4710</p></td>
+
-<td align="left"><p>IPsec Services was disabled.</p></td>
+## 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
-</tr>
+
-<tr class="odd">
+## 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
-<td align="left"><p>4711</p></td>
+
-<td align="left"><p>May contain any one of the following:</p>
+## 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
-<ul>
+
-<li><p>PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.</p></li>
+## 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
-<li><p>PAStore Engine applied Active Directory storage IPsec policy on the computer.</p></li>
+
-<li><p>PAStore Engine applied local registry storage IPsec policy on the computer.</p></li>
+## 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
-<li><p>PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.</p></li>
+
-<li><p>PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.</p></li>
+## 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
-<li><p>PAStore Engine failed to apply local registry storage IPsec policy on the computer.</p></li>
+
-<li><p>PAStore Engine failed to apply some rules of the active IPsec policy on the computer.</p></li>
+## 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
-<li><p>PAStore Engine failed to load directory storage IPsec policy on the computer.</p></li>
+
-<li><p>PAStore Engine loaded directory storage IPsec policy on the computer.</p></li>
+## 5446(S): A Windows Filtering Platform callout has been changed.
-<li><p>PAStore Engine failed to load local storage IPsec policy on the computer.</p></li>
+
-<li><p>PAStore Engine loaded local storage IPsec policy on the computer.</p></li>
+## 5448(S): A Windows Filtering Platform provider has been changed.
-<li><p>PAStore Engine polled for changes to the active IPsec policy and detected no changes.</p></li>
+
-</ul></td>
+## 5449(S): A Windows Filtering Platform provider context has been changed.
-</tr>
+
-<tr class="even">
+## 5450(S): A Windows Filtering Platform sub-layer has been changed.
-<td align="left"><p>4712</p></td>
+
-<td align="left"><p>IPsec Services encountered a potentially serious failure.</p></td>
+## 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
-</tr>
+
-<tr class="odd">
+## 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
-<td align="left"><p>5040</p></td>
+
-<td align="left"><p>A change has been made to IPsec settings. An Authentication Set was added.</p></td>
+## 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
-</tr>
+
-<tr class="even">
+## 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
-<td align="left"><p>5041</p></td>
+
-<td align="left"><p>A change has been made to IPsec settings. An Authentication Set was modified.</p></td>
+## 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
-</tr>
+
-<tr class="odd">
+## 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
-<td align="left"><p>5042</p></td>
+
-<td align="left"><p>A change has been made to IPsec settings. An Authentication Set was deleted.</p></td>
+## 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
-</tr>
+
-<tr class="even">
+## 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
-<td align="left"><p>5043</p></td>
+
-<td align="left"><p>A change has been made to IPsec settings. A Connection Security Rule was added.</p></td>
+## 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
-</tr>
+
-<tr class="odd">
+## 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
-<td align="left"><p>5044</p></td>
+
-<td align="left"><p>A change has been made to IPsec settings. A Connection Security Rule was modified.</p></td>
+## 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
-</tr>
+
-<tr class="even">
+## 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
-<td align="left"><p>5045</p></td>
+
-<td align="left"><p>A change has been made to IPsec settings. A Connection Security Rule was deleted.</p></td>
+## 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
-</tr>
+
-<tr class="odd">
+## 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
-<td align="left"><p>5046</p></td>
+
-<td align="left"><p>A change has been made to IPsec settings. A Crypto Set was added.</p></td>
+## 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
-</tr>
+
-<tr class="even">
+## 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
-<td align="left"><p>5047</p></td>
+
-<td align="left"><p>A change has been made to IPsec settings. A Crypto Set was modified.</p></td>
+## 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
-</tr>
+
-<tr class="odd">
+## 5477(F): PAStore Engine failed to add quick mode filter.
 <td align="left"><p>5048</p></td>
 <td align="left"><p>A change has been made to IPsec settings. A Crypto Set was deleted.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5440</p></td>
 <td align="left"><p>The following callout was present when the Windows Filtering Platform Base Filtering Engine started.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5441</p></td>
 <td align="left"><p>The following filter was present when the Windows Filtering Platform Base Filtering Engine started.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5442</p></td>
 <td align="left"><p>The following provider was present when the Windows Filtering Platform Base Filtering Engine started.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5443</p></td>
 <td align="left"><p>The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5444</p></td>
 <td align="left"><p>The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5446</p></td>
 <td align="left"><p>A Windows Filtering Platform callout has been changed.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5448</p></td>
 <td align="left"><p>A Windows Filtering Platform provider has been changed.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5449</p></td>
 <td align="left"><p>A Windows Filtering Platform provider context has been changed.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5450</p></td>
 <td align="left"><p>A Windows Filtering Platform sub-layer has been changed.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5456</p></td>
 <td align="left"><p>PAStore Engine applied Active Directory storage IPsec policy on the computer.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5457</p></td>
 <td align="left"><p>PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5458</p></td>
 <td align="left"><p>PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5459</p></td>
 <td align="left"><p>PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5460</p></td>
 <td align="left"><p>PAStore Engine applied local registry storage IPsec policy on the computer.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5461</p></td>
 <td align="left"><p>PAStore Engine failed to apply local registry storage IPsec policy on the computer.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5462</p></td>
 <td align="left"><p>PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5463</p></td>
 <td align="left"><p>PAStore Engine polled for changes to the active IPsec policy and detected no changes.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5464</p></td>
 <td align="left"><p>PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5465</p></td>
 <td align="left"><p>PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5466</p></td>
 <td align="left"><p>PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5467</p></td>
 <td align="left"><p>PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5468</p></td>
 <td align="left"><p>PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5471</p></td>
 <td align="left"><p>PAStore Engine loaded local storage IPsec policy on the computer.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5472</p></td>
 <td align="left"><p>PAStore Engine failed to load local storage IPsec policy on the computer.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5473</p></td>
 <td align="left"><p>PAStore Engine loaded directory storage IPsec policy on the computer.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>5474</p></td>
 <td align="left"><p>PAStore Engine failed to load directory storage IPsec policy on the computer.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>5477</p></td>
 <td align="left"><p>PAStore Engine failed to add quick mode filter.</p></td>
 </tr>
 </tbody>
 </table>
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-group-membership.md
+++ b/windows/keep-secure/audit-group-membership.md
@ -2,37 +2,43 @@
 title: Audit Group Membership (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC.
 ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Group Membership
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the advanced security audit policy setting, **Audit Group Membership**, which enables you to audit group memberships when they are enumerated on the client PC.
+
 Audit Group Membership enables you to audit group memberships when they are enumerated on the client computer.
 This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.
 For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
-> **Note:**  You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**.
+
- 
+You must also enable the [Audit Logon](audit-logon.md) subcategory.
 Multiple events are generated if the group membership information cannot fit in a single security audit event
-Event volume: High
+**Event volume**:
-Default: Not configured
+-   Low on a client computer.
-| Event ID | Event message |
+-   Medium on a domain controller or network servers.
-| - | - |
+
-| 4627 | Group membership information. |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
- 
+|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-## Related topics
+| Domain Controller | Yes             | No              | Yes              | No               | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | Yes             | No              | Yes              | No               | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Workstation       | Yes             | No              | Yes              | No               | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 **Events List:**
 -   [4627](event-4627.md)(S): Group membership information.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-handle-manipulation.md
+++ b/windows/keep-secure/audit-handle-manipulation.md
@ -2,37 +2,37 @@
 title: Audit Handle Manipulation (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
 ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Handle Manipulation
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Handle Manipulation**, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
-Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL.
+Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows object’s handle duplication and close actions.
-> **Important:**  Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md).
+**Event volume**: High.
-Event volume: High, depending on how SACLs are configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                     |
 |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
 | Member Server     | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
 | Workstation       | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level. |
-Default: Not configured
+**Events List:**
-| Event ID | Event message |
+-   [4658](event-4658.md)(S): The handle to an object was closed.
-| - | - |
+
-| 4656 | A handle to an object was requested. | 
+-   [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
-| 4658 | The handle to an object was closed.  |
+
-| 4690 | An attempt was made to duplicate a handle to an object. | 
+## 4658(S): The handle to an object was closed.
- 
+
-## Related topics
+This event doesn’t generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “[4658](event-4658.md)(S): The handle to an object was closed” in the Audit File System subcategory.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-ipsec-driver.md
+++ b/windows/keep-secure/audit-ipsec-driver.md
@ -2,53 +2,65 @@
 title: Audit IPsec Driver (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver.
 ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit IPsec Driver
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit IPsec Driver**, which determines whether the operating system generates audit events for the activities of the IPsec driver.
-The IPsec driver, using the IP Filter List from the active IPsec policy, watches for outbound IP packets that must be secured and inbound IP packets that must be verified and decrypted. This security policy setting reports on the following activities of the IPsec driver:
+Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
-   Startup and shutdown of IPsec services.
+-   Startup and shutdown of the IPsec services.
-   Packets dropped due to integrity-check failure.
+
-   Packets dropped due to replay-check failure.
+-   Network packets dropped due to integrity check failure.
-   Packets dropped due to being in plaintext.
+
-   Packets received with an incorrect Security Parameter Index (SPI). (This can indicate malfunctioning hardware or interoperability problems.)
+-   Network packets dropped due to replay check failure.
-   Failure to process IPsec filters.
+
 -   Network packets dropped due to being in plaintext.
 -   Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated.
 -   Inability to process IPsec filters.
 A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.
 Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter.
-Event volume: Medium
+This subcategory is outside the scope of this document.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                  |
 |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
 | Member Server     | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
 | Workstation       | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
-| Event ID | Event message |
+## 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
-| - | - |
+
-| 4960 | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer.  This error might also indicate interoperability problems with other IPsec implementations. | 
+## 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
-| 4961 | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. | 
+
-| 4962 | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. |
+## 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
-| 4963 | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. | 
+
-| 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. |
+## 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
-| 5478 | IPsec Services has started successfully. | 
+
-| 5479 | IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | 
+## 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
-| 5480 | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. | 
+
-| 5483 | IPsec Services failed to initialize RPC server. IPsec Services could not be started. |
+## 5478(S): IPsec Services has started successfully.
-| 5484 | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. | 
+
-| 5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
+## 5479(): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
- 
+
-## Related topics
+## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
 ## 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
 ## 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
 ## 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-ipsec-extended-mode.md
+++ b/windows/keep-secure/audit-ipsec-extended-mode.md
@ -2,41 +2,41 @@
 title: Audit IPsec Extended Mode (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
 ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit IPsec Extended Mode
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Extended Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
-IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers.
+Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
-AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation. 
+Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.
 AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications.
-Event volume: High
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                   |
 |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
 | Member Server     | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
 | Workstation       | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
-Default: Not configured
+## 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-| Event ID | Event message |
+## 4979: IPsec Main Mode and Extended Mode security associations were established.
-| - | - |
+
-| 4978 | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. | 
+## 4980: IPsec Main Mode and Extended Mode security associations were established.
-| 4979 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:**  This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information. |
+
-| 4980 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:**  This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information: |
+## 4981: IPsec Main Mode and Extended Mode security associations were established.
-| 4981 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:**  This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information. |
+
-| 4982 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:**  This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information. |
+## 4982: IPsec Main Mode and Extended Mode security associations were established.
-| 4983 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.<br>**Note:**  This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information. |
+
-| 4984 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.<br>**Note:**  This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. |
+## 4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
- 
+
-## Related topics
+## 4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-ipsec-main-mode.md
+++ b/windows/keep-secure/audit-ipsec-main-mode.md
@ -2,42 +2,45 @@
 title: Audit IPsec Main Mode (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
 ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit IPsec Main Mode
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Main Mode**, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
-IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers.
+Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
 AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation.
 Main Mode Internet Key Exchange (IKE) negotiation establishes a secure channel, known as the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), between two computers. To establish the secure channel, Main Mode negotiation determines a set of cryptographic protection suites, exchanges keying material to establish the shared secret key, and authenticates computer identities.
-Event volume: High
+Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                           |
 |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
 | Member Server     | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
 | Workstation       | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
-| Event ID | Event message |
+## 4646: Security ID: %1
-| - | - |
+
-| 4646 | Security ID: %1  |
+## 4650: An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
-| 4650 | An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. | 
+
-| 4651 | An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. | 
+## 4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
-| 4652 | An IPsec Main Mode negotiation failed.<br>**Note:**  This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information. |
+
-| 4653 | An IPsec Main Mode negotiation failed.<br>**Note:**  This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. |
+## 4652: An IPsec Main Mode negotiation failed.
-| 4655 | An IPsec Main Mode security association ended. |
+
-| 4976 | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. | 
+## 4653: An IPsec Main Mode negotiation failed.
-| 5049 | An IPsec Security Association was deleted. |
+
-| 5453 | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. | 
+## 4655: An IPsec Main Mode security association ended.
- 
+
-## Related topics
+## 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
 ## 5049: An IPsec Security Association was deleted.
 ## 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-ipsec-quick-mode.md
+++ b/windows/keep-secure/audit-ipsec-quick-mode.md
@ -2,36 +2,33 @@
 title: Audit IPsec Quick Mode (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
 ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit IPsec Quick Mode
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Quick Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
-IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers.
+Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
 AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation.
 Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs that are created during Quick Mode are called the IPsec SAs. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specified IP traffic is also selected. A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange.
-Event volume: High
+Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                             |
 |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
 | Member Server     | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
 | Workstation       | IF              | IF              | IF               | IF               | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
-| Event ID | Event message |
+## 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-|- |- |
+
-| 4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.| 
+## 5451: An IPsec Quick Mode security association was established.
-| 5451 | An IPsec Quick Mode security association was established.| 
+
-| 5452 | An IPsec Quick Mode security association ended.| 
+## 5452: An IPsec Quick Mode security association ended.
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-kerberos-authentication-service.md
+++ b/windows/keep-secure/audit-kerberos-authentication-service.md
@ -2,35 +2,39 @@
 title: Audit Kerberos Authentication Service (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
 ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Kerberos Authentication Service
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Authentication Service**, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
+
 Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
 If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts.
-Event volume: High on Kerberos Key Distribution Center servers
+**Event volume**: High on Kerberos Key Distribution Center servers.
-Default: Not configured
+This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed Pre-Authentications, due to wrong user password or when the user’s password has expired.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 4768 | A Kerberos authentication ticket (TGT) was requested. | 
+| Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing, because you will see all Kerberos Authentication requests (TGT requests), which are a part of domain account logons. Also, you can see the IP address from which this account requested a TGT, when TGT was requested, which encryption type was used and so on.<br>We recommend Failure auditing, because you will see all failed requests with wrong password, username, revoked certificate, and so on. You will also be able to detect Kerberos issues or possible attack attempts. <br>Expected volume is high on domain controllers. |
-| 4771 | Kerberos preauthentication failed. |
+| Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| 4772 | A Kerberos authentication ticket request failed. | 
+| Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
- 
+
-## Related topics
+**Events List:**
 -   [4768](event-4768.md)(S, F): A Kerberos authentication ticket (TGT) was requested.
 -   [4771](event-4771.md)(F): Kerberos pre-authentication failed.
 -   [4772](event-4772.md)(F): A Kerberos authentication ticket request failed.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-kerberos-service-ticket-operations.md
+++ b/windows/keep-secure/audit-kerberos-service-ticket-operations.md
@ -2,37 +2,39 @@
 title: Audit Kerberos Service Ticket Operations (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests.
 ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Kerberos Service Ticket Operations
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Service Ticket Operations**, which determines whether the operating system generates security audit events for Kerberos service ticket requests.
+
 Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests.
 Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity.
-Event volume:
+**Event volume**: Very High on Kerberos Key Distribution Center servers.
-   High on a domain controller that is in a Key Distribution Center (KDC)
+This subcategory contains events about issued TGSs and failed TGS requests.
 -   Low on domain members
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
 |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF              | Yes             | Yes              | Yes              | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
 | Member Server     | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
 | Workstation       | No              | No              | No               | No               | This subcategory makes sense only on domain controllers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
-| Event ID | Event message |
+**Events List:**
-| - | - |
+
-| 4769 | A Kerberos service ticket was requested. |  
+-   [4769](event-4769.md)(S, F): A Kerberos service ticket was requested.
-| 4770 | A Kerberos service ticket was renewed. |
+
- 
+-   [4770](event-4770.md)(S): A Kerberos service ticket was renewed.
-## Related topics
+
 -   [4773](event-4773.md)(F): A Kerberos service ticket request failed.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-kernel-object.md
+++ b/windows/keep-secure/audit-kernel-object.md
@ -2,40 +2,45 @@
 title: Audit Kernel Object (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
 ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Kernel Object
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kernel Object**, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
-Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers.
+Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
-Typically, kernel objects are given SACLs only if the **AuditBaseObjects** or **AuditBaseDirectories** auditing options are enabled.
+Only kernel objects with a matching system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) generate security audit events. The audits generated are usually useful only to developers.
-> **Note:**  The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects.
+Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.
- 
+
-Event volume: High if you have enabled one of the Global Object Access Auditing settings
+The “[Audit: Audit the access of global system objects](https://technet.microsoft.com/en-us/library/jj852233.aspx)” policy setting controls the default SACL of kernel objects.
 **Event volume**: High.
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                               |
 |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | No              | No              | No               | No               | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
 | Member Server     | No              | No              | No               | No               | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
 | Workstation       | No              | No              | No               | No               | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
 **Events List:**
 -   [4656](event-4656.md)(S, F): A handle to an object was requested.
 -   [4658](event-4658.md)(S): The handle to an object was closed.
 -   [4660](event-4660.md)(S): An object was deleted.
 -   [4663](event-4663.md)(S): An attempt was made to access an object.
 Default setting: Not configured
 | Event ID | Event message |
 | - | - |
 | 4659 | A handle to an object was requested with intent to delete. | 
 | 4660 | An object was deleted. |
 | 4661 | A handle to an object was requested. | 
 | 4663 | An attempt was made to access an object. | 
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-logoff.md
+++ b/windows/keep-secure/audit-logoff.md
@ -2,38 +2,41 @@
 title: Audit Logoff (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated.
 ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Logoff
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logoff**, which determines whether the operating system generates audit events when logon sessions are terminated.
+
 Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.
 These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to.
-> **Note: **  There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
+There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
- 
+
 Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated.
-Event volume: Low
+**Event volume**: Low.
-Default: Success
+This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 4634 | An account was logged off. | 
+| Domain Controller | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| 4647 | User initiated logoff. |
+| Member Server     | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
- 
+| Workstation       | No              | No              | Yes              | No               | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-## Related topics
+
 **Events List:**
 -   [4634](event-4634.md)(S): An account was logged off.
 -   [4647](event-4647.md)(S): User initiated logoff.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-logon.md
+++ b/windows/keep-secure/audit-logon.md
@ -2,44 +2,53 @@
 title: Audit Logon (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer.
 ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Logon
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logon**, which determines whether the operating system generates audit events when a user attempts to log on to a computer.
+
 Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer.
 These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed.
 The following events are recorded:
 -   Logon success and failure.
-   Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the Runas command.
+
 -   Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the **RunAs** command.
 -   Security identifiers (SIDs) are filtered.
 Logon events are essential to tracking user activity and detecting potential attacks.
-Event volume: Low on a client computer; medium on a domain controller or network server
+**Event volume**:
-Default: Success for client computers; success and failure for servers
+-   Low on a client computer.
-| Event ID | Event message |
+-   Medium on a domain controllers or network servers.
-| - | - |
+
-| 4624 | An account was successfully logged on. | 
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                          |
-| 4625 | An account failed to log on. |
+|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 4648 | A logon was attempted using explicit credentials. | 
+| Domain Controller | Yes             | Yes             | Yes              | Yes              | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
-| 4675 | SIDs were filtered. |
+| Member Server     | Yes             | Yes             | Yes              | Yes              | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
- 
+| Workstation       | Yes             | Yes             | Yes              | Yes              | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
-## Related topics
+
 **Events List:**
 -   [4624](event-4624.md)(S): An account was successfully logged on.
 -   [4625](event-4625.md)(F): An account failed to log on.
 -   [4648](event-4648.md)(S): A logon was attempted using explicit credentials.
 -   [4675](event-4675.md)(S): SIDs were filtered.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md
+++ b/windows/keep-secure/audit-mpssvc-rule-level-policy-change.md
@ -2,54 +2,73 @@
 title: Audit MPSSVC Rule-Level Policy Change (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
 ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit MPSSVC Rule-Level Policy Change
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit MPSSVC Rule-Level Policy Change**, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
+
 Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
 The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer’s threat protection against malware. The tracked activities include:
 -   Active policies when the Windows Firewall service starts.
 -   Changes to Windows Firewall rules.
 -   Changes to the Windows Firewall exception list.
 -   Changes to Windows Firewall settings.
 -   Rules ignored or not applied by the Windows Firewall service.
 -   Changes to Windows Firewall Group Policy settings.
 Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
-Event volume: Low
+**Event volume**: Medium.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                               |
 |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | Yes             | Yes              | Yes              | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
 | Member Server     | Yes             | Yes             | Yes              | Yes              | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
 | Workstation       | Yes             | Yes             | Yes              | Yes              | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
-| Event ID | Event message |
+**Events List:**
-| - | - |
+
-| 4944 | The following policy was active when the Windows Firewall started. | 
+-   [4944](event-4944.md)(S): The following policy was active when the Windows Firewall started.
-| 4945 | A rule was listed when the Windows Firewall started. |
+
-| 4946 | A change has been made to Windows Firewall exception list. A rule was added. | 
+-   [4945](event-4945.md)(S): A rule was listed when the Windows Firewall started.
-| 4947 | A change has been made to Windows Firewall exception list. A rule was modified. | 
+
-| 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. |
+-   [4946](event-4946.md)(S): A change has been made to Windows Firewall exception list. A rule was added.
-| 4949 | Windows Firewall settings were restored to the default values. |
+
-| 4950 | A Windows Firewall setting has changed. |
+-   [4947](event-4947.md)(S): A change has been made to Windows Firewall exception list. A rule was modified.
-| 4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. | 
+
-| 4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. | 
+-   [4948](event-4948.md)(S): A change has been made to Windows Firewall exception list. A rule was deleted.
-| 4953 | A rule has been ignored by Windows Firewall because it could not parse the rule. |
+
-| 4954 | Windows Firewall Group Policy settings have changed. The new settings have been applied. | 
+-   [4949](event-4949.md)(S): Windows Firewall settings were restored to the default values.
-| 4956 | Windows Firewall has changed the active profile. |
+
-| 4957 | Windows Firewall did not apply the following rule: | 
+-   [4950](event-4950.md)(S): A Windows Firewall setting has changed.
-| 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: | 
+
- 
+-   [4951](event-4951.md)(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
-## Related topics
+
 -   [4952](event-4952.md)(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
 -   [4953](event-4953.md)(F): A rule has been ignored by Windows Firewall because it could not parse the rule.
 -   [4954](event-4954.md)(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
 -   [4956](event-4956.md)(S): Windows Firewall has changed the active profile.
 -   [4957](event-4957.md)(F): Windows Firewall did not apply the following rule:
 -   [4958](event-4958.md)(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-network-policy-server.md
+++ b/windows/keep-secure/audit-network-policy-server.md
@ -2,40 +2,53 @@
 title: Audit Network Policy Server (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).
 ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Network Policy Server
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Network Policy Server**, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).
+
 Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
 If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
 This subcategory generates events only if NAS or IAS role is installed on the server.
 NAP events can be used to help understand the overall health of the network.
-Event volume: Medium to high on servers that are running Network Policy Server (NPS); moderate on other servers or on client computers
+**Event volume**: Medium to High on servers that are running [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS).
-Default: Success and failure
+Role-specific subcategories are outside the scope of this document.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                     |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 6272 | Network Policy Server granted access to a user. | 
+| Domain Controller | IF              | IF              | IF               | IF               | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
-| 6273 | Network Policy Server denied access to a user. |
+| Member Server     | IF              | IF              | IF               | IF               | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
-| 6274 | Network Policy Server discarded the request for a user. | 
+| Workstation       | No              | No              | No               | No               | [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role cannot be installed on client OS.                                                                                                 |
-| 6275 | Network Policy Server discarded the accounting request for a user. | 
+
-| 6276 | Network Policy Server quarantined a user. |
+## 6272: Network Policy Server granted access to a user.
-| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. | 
+
-| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. |
+## 6273: Network Policy Server denied access to a user.
-| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. |
+
-| 6280 | Network Policy Server unlocked the user account. |
+## 6274: Network Policy Server discarded the request for a user.
- 
+
-## Related topics
+## 6275: Network Policy Server discarded the accounting request for a user.
 ## 6276: Network Policy Server quarantined a user.
 ## 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
 ## 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
 ## 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
 ## 6280: Network Policy Server unlocked the user account.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-non-sensitive-privilege-use.md
+++ b/windows/keep-secure/audit-non-sensitive-privilege-use.md
@ -1,68 +1,84 @@
 ---
-title: Audit Non-Sensitive Privilege Use (Windows 10)
+title: Audit Non Sensitive Privilege Use (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
 ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
-# Audit Non-Sensitive Privilege Use
+# Audit Non Sensitive Privilege Use
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Non-Sensitive Privilege Use**, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
-The following privileges are non-sensitive:
+Audit Non Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
-   **Access Credential Manager as a trusted caller**
+-   Access Credential Manager as a trusted caller
-   **Access this computer from the network**
+
-   **Add workstations to domain**
+-   Add workstations to domain
-   **Adjust memory quotas for a process**
+
-   **Allow log on locally**
+-   Adjust memory quotas for a process
-   **Allow log on through Terminal Services**
+
-   **Bypass traverse checking**
+-   Bypass traverse checking
-   **Change the system time**
+
-   **Create a page file**
+-   Change the system time
-   **Create global objects**
+
-   **Create permanent shared objects**
+-   Change the time zone
-   **Create symbolic links**
+
-   **Deny access to this computer from the network**
+-   Create a page file
-   **Deny log on as a batch job**
+
-   **Deny log on as a service**
+-   Create global objects
-   **Deny log on locally**
+
-   **Deny log on through Terminal Services**
+-   Create permanent shared objects
-   **Force shutdown from a remote system**
+
-   **Increase a process working set**
+-   Create symbolic links
-   **Increase scheduling priority**
+
-   **Lock pages in memory**
+-   Force shutdown from a remote system
-   **Log on as a batch job**
+
-   **Log on as a service**
+-   Increase a process working set
-   **Modify an object label**
+
-   **Perform volume maintenance tasks**
+-   Increase scheduling priority
-   **Profile single process**
+
-   **Profile system performance**
+-   Lock pages in memory
-   **Remove computer from docking station**
+
-   **Shut down the system**
+-   Modify an object label
-   **Synchronize directory service data**
+
 -   Perform volume maintenance tasks
 -   Profile single process
 -   Profile system performance
 -   Remove computer from docking station
 -   Shut down the system
 -   Synchronize directory service data
 This subcategory also contains informational events from filesystem Transaction Manager.
 If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts.
-Event volume: Very high
+**Event volume**: Very High.
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                            |
 |-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | No              | IF              | No               | IF               | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
 | Member Server     | No              | IF              | No               | IF               | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
 | Workstation       | No              | IF              | No               | IF               | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF – You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
 **Events List:**
 -   [4673](event-4673.md)(S, F): A privileged service was called.
 -   [4674](event-4674.md)(S, F): An operation was attempted on a privileged object.
 -   [4985](event-4985.md)(S): The state of a transaction has changed.
 Default: Not configured
 | Event ID | Event message |
 | - | - |
 | 4672 | Special privileges assigned to new logon. | 
 | 4673 | A privileged service was called. | 
 | 4674 | An operation was attempted on a privileged object. | 
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-other-account-logon-events.md
+++ b/windows/keep-secure/audit-other-account-logon-events.md
@ -2,53 +2,27 @@
 title: Audit Other Account Logon Events (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
 ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Other Account Logon Events
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit Other Account Logon Events**, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
-Examples can include the following:
+**General Subcategory Information:**
-   Remote Desktop session disconnections
+This auditing subcategory does not contain any events. It is intended for future use.
 -   New Remote Desktop sessions
 -   Locking and unlocking a workstation
 -   Invoking a screen saver
 -   Dismissing a screen saver
 -   Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice
-    > **Note:**  This condition could be caused by a network misconfiguration.
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                   |
-     
+|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------|
-   Access to a wireless network granted to a user or computer account
+| Domain Controller | No              | No              | No               | No               | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
-   Access to a wired 802.1x network granted to a user or computer account
+| Member Server     | No              | No              | No               | No               | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
 | Workstation       | No              | No              | No               | No               | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
 Event volume: Varies, depending on system use
 Default: Not configured
 | Event ID | Event message |
 | - | - |
 | 4649 | A replay attack was detected. | 
 | 4778 | A session was reconnected to a Window Station. | 
 | 4779 | A session was disconnected from a Window Station. | 
 | 4800 | The workstation was locked. |
 | 4801 | The workstation was unlocked. | 
 | 4802 | The screen saver was invoked. |
 | 4803 | The screen saver was dismissed. | 
 | 5378 | The requested credentials delegation was disallowed by policy. | 
 | 5632 | A request was made to authenticate to a wireless network. |
 | 5633 | A request was made to authenticate to a wired network. |
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-other-account-management-events.md
+++ b/windows/keep-secure/audit-other-account-management-events.md
@ -2,38 +2,39 @@
 title: Audit Other Account Management Events (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events.
 ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Other Account Management Events
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Account Management Events**, which determines whether the operating system generates user account management audit events.
-Events can be generated for user account management auditing when:
+Audit Other Account Management Events determines whether the operating system generates user account management audit events.
-   The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data.
+**Event volume:** Typically Low on all types of computers.
 -   The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied.
 -   Changes are made to domain policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** or **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**.
 > **Note:**  These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator.
 Event volume: Low
-Default: Not configured
+This subcategory allows you to audit next events:
-| Event ID | Event message |
+-   The password hash of a user account was accessed. This happens during an Active Directory Management Tool password migration.
-| - | - |
+
-| 4782 | The password hash for an account was accessed. | 
+-   The Password Policy Checking API was called. Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
-| 4793 | The Password Policy Checking API was called. |
+
- 
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                          |
-## Related topics
+|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | No              | Yes              | No               | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.                                                             |
 | Member Server     | No              | No              | No               | No               | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Workstation       | No              | No              | No               | No               | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.   |
 **Events List:**
 -   [4782](event-4782.md)(S): The password hash an account was accessed.
 -   [4793](event-4793.md)(S): The Password Policy Checking API was called.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-other-logonlogoff-events.md
+++ b/windows/keep-secure/audit-other-logonlogoff-events.md
@ -2,50 +2,65 @@
 title: Audit Other Logon/Logoff Events (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events.
 ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Other Logon/Logoff Events
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Logon/Logoff Events**, which determines whether Windows generates audit events for other logon or logoff events.
+
 Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.
 These other logon or logoff events include:
 -   A Remote Desktop session connects or disconnects.
 -   A workstation is locked or unlocked.
 -   A screen saver is invoked or dismissed.
 -   A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
-   A user is granted access to a wireless network. It can either be a user account or the computer account.
+
-   A user is granted access to a wired 802.1x network. It can either be a user account or the computer account.
+-   A user is granted access to a wireless network. It can be either a user account or the computer account.
 -   A user is granted access to a wired 802.1x network. It can be either a user account or the computer account.
 Logon events are essential to understanding user activity and detecting potential attacks.
-Event volume: Low
+**Event volume**: Low.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
 | Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events.                          |
 | Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events.                          |
-| Event ID | Event message |
+**Events List:**
-| - | - |
+
-| 4649 | A replay attack was detected. | 
+-   [4649](event-4649.md)(S): A replay attack was detected.
-| 4778 | A session was reconnected to a Window Station. | 
+
-| 4779 | A session was disconnected from a Window Station. | 
+-   [4778](event-4778.md)(S): A session was reconnected to a Window Station.
-| 4800 | The workstation was locked. |
+
-| 4801 | The workstation was unlocked. | 
+-   [4779](event-4779.md)(S): A session was disconnected from a Window Station.
-| 4802 | The screen saver was invoked. |
+
-| 4803 | The screen saver was dismissed. | 
+-   [4800](event-4800.md)(S): The workstation was locked.
-| 5378 | The requested credentials delegation was disallowed by policy. | 
+
-| 5632 | A request was made to authenticate to a wireless network. |
+-   [4801](event-4801.md)(S): The workstation was unlocked.
-| 5633 | A request was made to authenticate to a wired network. |
+
- 
+-   [4802](event-4802.md)(S): The screen saver was invoked.
-## Related topics
+
 -   [4803](event-4803.md)(S): The screen saver was dismissed.
 -   [5378](event-5378.md)(F): The requested credentials delegation was disallowed by policy.
 -   [5632](event-5632.md)(S): A request was made to authenticate to a wireless network.
 -   [5633](event-5633.md)(S): A request was made to authenticate to a wired network.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-other-object-access-events.md
+++ b/windows/keep-secure/audit-other-object-access-events.md
@ -2,55 +2,53 @@
 title: Audit Other Object Access Events (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
 ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Other Object Access Events
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Object Access Events**, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
-For scheduler jobs, the following actions are audited:
+Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests.
-   Job created.
+**Event volume**: Low.
 -   Job deleted.
 -   Job enabled.
 -   Job disabled.
 -   Job updated.
-For COM+ objects, the following actions are audited:
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                           |
 |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICPM DoS attack. |
 | Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICPM DoS attack. |
 | Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICPM DoS attack. |
-   Catalog object added.
+**Events List:**
 -   Catalog object updated.
 -   Catalog object deleted.
-Event volume: Low
+-   [4671](event-4671.md)(-): An application attempted to access a blocked ordinal through the TBS.
-Default: Not configured
+-   [4691](event-4691.md)(S): Indirect access to an object was requested.
-| Event ID | Event message |
+-   [5148](event-5148.md)(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
-| - | - |
+
-| 4671 | An application attempted to access a blocked ordinal through the TBS. | 
+-   [5149](event-5149.md)(F): The DoS attack has subsided and normal processing is being resumed.
-| 4691 | Indirect access to an object was requested. |
+
-| 4698 | A scheduled task was created. |
+-   [4698](event-4698.md)(S): A scheduled task was created.
-| 4699 | A scheduled task was deleted. |
+
-| 4700 | A scheduled task was enabled. |
+-   [4699](event-4699.md)(S): A scheduled task was deleted.
-| 4701 | A scheduled task was disabled. |
+
-| 4702 | A scheduled task was updated. |
+-   [4700](event-4700.md)(S): A scheduled task was enabled.
-| 5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. |
+
-| 5149 | The DoS attack has subsided and normal processing is being resumed. |
+-   [4701](event-4701.md)(S): A scheduled task was disabled.
-| 5888 | An object in the COM+ Catalog was modified. |
+
-| 5889 | An object was deleted from the COM+ Catalog. |
+-   [4702](event-4702.md)(S): A scheduled task was updated.
-| 5890 | An object was added to the COM+ Catalog. |
+
- 
+-   [5888](event-5888.md)(S): An object in the COM+ Catalog was modified.
-## Related topics
+
 -   [5889](event-5889.md)(S): An object was deleted from the COM+ Catalog.
 -   [5890](event-5890.md)(S): An object was added to the COM+ Catalog.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-other-policy-change-events.md
+++ b/windows/keep-secure/audit-other-policy-change-events.md
@ -2,50 +2,61 @@
 title: Audit Other Policy Change Events (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category.
 ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Other Policy Change Events
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Policy Change Events**, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category.
-These other activities in the Policy Change category that can be audited include:
+Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.
-   Trusted Platform Module (TPM) configuration changes.
+**Event volume**: Low.
 -   Kernel-mode cryptographic self tests.
 -   Cryptographic provider operations.
 -   Cryptographic context operations or modifications.
-Event volume: Low
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF              | Yes             | IF               | Yes              | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
 | Member Server     | IF              | Yes             | IF               | Yes              | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
 | Workstation       | IF              | Yes             | IF               | Yes              | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
-Default: Not configured
+**Events List:**
-| Event ID | Event message |
+-   [4714](event-4714.md)(S): Encrypted data recovery policy was changed.
-| - | - |
+
-| 4670 | Permissions on an object were changed. | 
+-   [4819](event-4819.md)(S): Central Access Policies on the machine have been changed.
-| 4909 | The local policy settings for the TBS were changed. | 
+
-| 4910 | The group policy settings for the TBS were changed. |
+-   [4826](event-4826.md)(S): Boot Configuration Data loaded.
-| 5063 | A cryptographic provider operation was attempted. |
+
-| 5064 | A cryptographic context operation was attempted. |
+-   [4909](event-4909.md)(-): The local policy settings for the TBS were changed.
-| 5065 | A cryptographic context modification was attempted. | 
+
-| 5066 | A cryptographic function operation was attempted. |
+-   [4910](event-4910.md)(-): The group policy settings for the TBS were changed.
-| 5067 | A cryptographic function modification was attempted. | 
+
-| 5068 | A cryptographic function provider operation was attempted. | 
+-   [5063](event-5063.md)(S, F): A cryptographic provider operation was attempted.
-| 5069 | A cryptographic function property operation was attempted. |
+
-| 5070 | A cryptographic function property modification was attempted. | 
+-   [5064](event-5064.md)(S, F): A cryptographic context operation was attempted.
-| 5447 | A Windows Filtering Platform filter has been changed. |
+
-| 6144 | Security policy in the group policy objects has been applied successfully. | 
+-   [5065](event-5065.md)(S, F): A cryptographic context modification was attempted.
-| 6145 | One or more errors occurred while processing security policy in the group policy objects. | 
+
- 
+-   [5066](event-5066.md)(S, F): A cryptographic function operation was attempted.
-## Related topics
+
 -   [5067](event-5067.md)(S, F): A cryptographic function modification was attempted.
 -   [5068](event-5068.md)(S, F): A cryptographic function provider operation was attempted.
 -   [5069](event-5069.md)(S, F): A cryptographic function property operation was attempted.
 -   [5070](event-5070.md)(S, F): A cryptographic function property modification was attempted.
 -   [5447](event-5447.md)(S): A Windows Filtering Platform filter has been changed.
 -   [6144](event-6144.md)(S): Security policy in the group policy objects has been applied successfully.
 -   [6145](event-6145.md)(F): One or more errors occurred while processing security policy in the group policy objects.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-other-privilege-use-events.md
+++ b/windows/keep-secure/audit-other-privilege-use-events.md
@ -2,21 +2,31 @@
 title: Audit Other Privilege Use Events (Windows 10)
 description: This security policy setting is not used.
 ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Other Privilege Use Events
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed.
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                              |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------|
 | Domain Controller | No              | No              | No               | No               | This auditing subcategory doesn’t have any informative events inside. |
 | Member Server     | No              | No              | No               | No               | This auditing subcategory doesn’t have any informative events inside. |
 | Workstation       | No              | No              | No               | No               | This auditing subcategory doesn’t have any informative events inside. |
 **Events List:**
 -   [4985](event-4674.md)(S): The state of a transaction has changed.
 This security policy setting is not used.
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-other-system-events.md
+++ b/windows/keep-secure/audit-other-system-events.md
@ -2,59 +2,87 @@
 title: Audit Other System Events (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events.
 ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Other System Events
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other System Events**, which determines whether the operating system audits various system events.
+
 Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures.
 Audit Other System Events determines whether the operating system audits various system events.
 The system events in this category include:
 -   Startup and shutdown of the Windows Firewall service and driver.
 -   Security policy processing by the Windows Firewall service.
 -   Cryptography key file and migration operations.
-> **Important:**  Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats.
+-   BranchCache events.
 Event volume: Low
-Default: Success and failure
+**Event volume**: Low.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                               |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 5024 | The Windows Firewall Service has started successfully. | 
+| Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
-| 5025 | The Windows Firewall Service has been stopped. |
+| Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
-| 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. | 
+| Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
-| 5028 | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. |
+
-| 5029 | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. |
+**Events List:**
-| 5030 | The Windows Firewall Service failed to start. |
+
-| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.| 
+-   [5024](event-5024.md)(S): The Windows Firewall Service has started successfully.
-| 5033 | The Windows Firewall Driver has started successfully. |
+
-| 5034 | The Windows Firewall Driver has been stopped. |
+-   [5025](event-5025.md)(S): The Windows Firewall Service has been stopped.
-| 5035 | The Windows Firewall Driver failed to start. |
+
-| 5037 | The Windows Firewall Driver detected critical runtime error. Terminating.| 
+-   [5027](event-5027.md)(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
-| 5058 | Key file operation. |
+
-| 5059 | Key migration operation.| 
+-   [5028](event-5028.md)(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
-| 6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content.| 
+
-| 6401 | BranchCache: Received invalid data from a peer. Data discarded. |
+-   [5029](event-5029.md)(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
-| 6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted.| 
+
-| 6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client. |
+-   [5030](event-5030.md)(F): The Windows Firewall Service failed to start.
-| 6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.| 
+
-| 6405 | BranchCache: %2 instance(s) of event id %1 occurred. |
+-   [5032](event-5032.md)(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
-| 6406 | %1 registered to Windows Firewall to control filtering for the following: %2| 
+
-| 6407 | 1% |
+-   [5033](event-5033.md)(S): The Windows Firewall Driver has started successfully.
-| 6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 |
+
- 
+-   [5034](event-5034.md)(S): The Windows Firewall Driver was stopped.
-## Related topics
+
 -   [5035](event-5035.md)(F): The Windows Firewall Driver failed to start.
 -   [5037](event-5037.md)(F): The Windows Firewall Driver detected critical runtime error. Terminating.
 -   [5058](event-5058.md)(S, F): Key file operation.
 -   [5059](event-5059.md)(S, F): Key migration operation.
 -   [6400](event-6400.md)(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
 -   [6401](event-6401.md)(-): BranchCache: Received invalid data from a peer. Data discarded.
 -   [6402](event-6402.md)(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
 -   [6403](event-6403.md)(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
 -   [6404](event-6404.md)(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
 -   [6405](event-6405.md)(-): BranchCache: %2 instance(s) of event id %1 occurred.
 -   [6406](event-6406.md)(-): %1 registered to Windows Firewall to control filtering for the following: %2
 -   [6407](event-6407.md)(-): 1%
 -   [6408](event-6408.md)(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2
 -   [6409](event-6408.md)(-): BranchCache: A service connection point object could not be parsed.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-pnp-activity.md
+++ b/windows/keep-secure/audit-pnp-activity.md
@ -2,32 +2,45 @@
 title: Audit PNP Activity (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device.
 ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit PNP Activity
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit PNP Activity**, which determines when plug and play detects an external device.
-A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a PC a PnP event is triggered.
+Audit PNP Activity determines when Plug and Play detects an external device.
-Event volume: Varies, depending on how the computer is used
+A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.
-Default: Not configured
+**Event volume**: Varies, depending on how the computer is used. Typically Low.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                  |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 6416 | A new external device was recognized by the system. |
+| Domain Controller | Yes             | No              | Yes              | No               | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
- 
+| Member Server     | Yes             | No              | Yes              | No               | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.   |
-## Related topics
+| Workstation       | Yes             | No              | Yes              | No               | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.    |
 **Events List:**
 -   [6416](event-6416.md)(S): A new external device was recognized by the System
 -   [6419](event-6419.md)(S): A request was made to disable a device
 -   [6420](event-6420.md)(S): A device was disabled.
 -   [6421](event-6421.md)(S): A request was made to enable a device.
 -   [6422](event-6422.md)(S): A device was enabled.
 -   [6423](event-6423.md)(S): The installation of this device is forbidden by system policy.
 -   [6424](event-6424.md)(S): The installation of this device was allowed, after having previously been forbidden by policy.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-process-creation.md
+++ b/windows/keep-secure/audit-process-creation.md
@ -2,34 +2,37 @@
 title: Audit Process Creation (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts).
 ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Process Creation
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Creation**, which determines whether the operating system generates audit events when a process is created (starts).
+
 Audit Process Creation determines whether the operating system generates audit events when a process is created (starts).
 These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process.
-Event volume: Low to medium, depending on system usage
+**Event volume**: Low to Medium, depending on system usage.
-Default: Not configured
+This subcategory allows you to audit events generated when a process is created or starts. The name of the application and user that created the process is also audited.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 4688 | A new process has been created.| 
+| Domain Controller | Yes             | No              | Yes              | No               | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| 4696 | A primary token was assigned to a process.| 
+| Member Server     | Yes             | No              | Yes              | No               | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
- 
+| Workstation       | Yes             | No              | Yes              | No               | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-## Related topics
+
 **Events List:**
 -   [4688](event-4688.md)(S): A new process has been created.
 -   [4696](event-4696.md)(S): A primary token was assigned to process.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-process-termination.md
+++ b/windows/keep-secure/audit-process-termination.md
@ -2,37 +2,35 @@
 title: Audit Process Termination (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process.
 ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Process Termination
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Termination**, which determines whether the operating system generates audit events when an attempt is made to end a process.
+
 Audit Process Termination determines whether the operating system generates audit events when process has exited.
 Success audits record successful attempts and Failure audits record unsuccessful attempts.
 If you do not configure this policy setting, no audit event is generated when a process ends.
 This policy setting can help you track user activity and understand how the computer is used.
-Event volume: Varies, depending on how the computer is used
+**Event volume**: Low to Medium, depending on system usage.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | No              | No              | IF               | No               | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | No              | No              | IF               | No               | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Workstation       | No              | No              | IF               | No               | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Event ID | Event message |
+**Events List:**
 | - | - |
 | 4689 | A process has exited. |
-## Related topics
+-   [4689](event-4689.md)(S): A process has exited.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-registry.md
+++ b/windows/keep-secure/audit-registry.md
@ -2,37 +2,45 @@
 title: Audit Registry (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects.
 ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Registry
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Registry**, which determines whether the operating system generates audit events when users attempt to access registry objects.
-Audit events are generated only for objects that have configured system access control lists (SACLs) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
+Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
-If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching 
+If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL.
 SACL.
-Event volume: Low to medium, depending on how registry SACLs are configured
+**Event volume**: Low to Medium, depending on how registry SACLs are configured.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
 |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF              | IF              | IF               | IF               | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.<br>Failure events can show you unsuccessful attempts to access specific registry objects.<br>Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. |
 | Member Server     | IF              | IF              | IF               | IF               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 | Workstation       | IF              | IF              | IF               | IF               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| Event ID | Event message |
+**Events List:**
-| - | - |
+
-| 4657 | A registry value was modified. |
+-   [4663](event-4663.md)(S): An attempt was made to access an object.
-| 5039 | A registry key was virtualized. |
+
- 
+-   [4656](event-4656.md)(S, F): A handle to an object was requested.
-## Related topics
+
 -   [4658](event-4658.md)(S): The handle to an object was closed.
 -   [4660](event-4660.md)(S): An object was deleted.
 -   [4657](event-4657.md)(S): A registry value was modified.
 -   [5039](event-5039.md)(-): A registry key was virtualized.
 -   [4670](event-4670.md)(S): Permissions on an object were changed.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-removable-storage.md
+++ b/windows/keep-secure/audit-removable-storage.md
@ -2,128 +2,35 @@
 title: Audit Removable Storage (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive.
 ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Removable Storage
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines when there is a read or a write to a removable drive.
-Event volume: Low
+Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | Yes             | Yes              | Yes              | This subcategory will help identify when and which files or folders were accessed or modified on removable devices.<br>It is often useful to track actions with removable storage devices and the files or folders on them, because malicious software very often uses removable devices as a method to get into the system. At the same time, you will be able to track which files were written or executed from a removable storage device.<br>You can track, for example, actions with files or folders on USB flash drives or sticks that were inserted into domain controllers or high value servers, which is typically not allowed. <br>We recommend Failure auditing to track failed access attempts. |
 | Member Server     | Yes             | Yes             | Yes              | Yes              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
 | Workstation       | Yes             | Yes             | Yes              | Yes              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
 **Events List:**
 -   [4656](event-4656.md)(S, F): A handle to an object was requested.
 -   [4658](event-4658.md)(S): The handle to an object was closed.
 -   [4663](event-4663.md)(S): An attempt was made to access an object.
 Default: Not configured
 <table>
 <colgroup>
 <col width="50%" />
 <col width="50%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">Event ID</th>
 <th align="left">Event message</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>4663</p></td>
 <td align="left"><p>An attempt was made to access an object.</p>
 <p>Subject:</p>
 <p>Security ID: %1</p>
 <p>Account Name: %2</p>
 <p>Account Domain: %3</p>
 <p>Logon ID: %4</p>
 <p>Object:</p>
 <p>Object Server: %5</p>
 <p>Object Type: %6</p>
 <p>Object Name: %7</p>
 <p>Handle ID: %8</p>
 <p>Process Information:</p>
 <p>Process ID: %11</p>
 <p>Process Name: %12</p>
 <p>Access Request Information:</p>
 <p>Accesses: %9</p>
 <p>Access Mask: %10</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>4659</p></td>
 <td align="left"><p>A handle to an object was requested with intent to delete.</p>
 <p>Subject:</p>
 <p>Security ID: %1</p>
 <p>Account Name: %2</p>
 <p>Account Domain: %3</p>
 <p>Logon ID: %4</p>
 <p>Object:</p>
 <p>Object Server: %5</p>
 <p>Object Type: %6</p>
 <p>Object Name: %7</p>
 <p>Handle ID: %8</p>
 <p>Process Information:</p>
 <p>Process ID: %13</p>
 <p>Access Request Information:</p>
 <p>Transaction ID: %9</p>
 <p>Accesses: %10</p>
 <p>Access Mask: %11</p>
 <p>Privileges Used for Access Check: %12</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>4818</p></td>
 <td align="left"><p>Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.</p>
 <p>Subject:</p>
 <p>Security ID: %1</p>
 <p>Account Name: %2</p>
 <p>Account Domain: %3</p>
 <p>Logon ID: %4</p>
 <p>Object:</p>
 <p>Object Server: %5</p>
 <p>Object Type: %6</p>
 <p>Object Name: %7</p>
 <p>Handle ID: %8</p>
 <p>Process Information:</p>
 <p>Process ID: %9</p>
 <p>Process Name: %10</p>
 <p>Current Central Access Policy results:</p>
 <p>Access Reasons: %11</p>
 <p>Proposed Central Access Policy results that differ from the current Central Access Policy results:</p>
 <p>Access Reasons: %12</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>4656</p></td>
 <td align="left"><p>A handle to an object was requested.</p>
 <p>Subject:</p>
 <p>Security ID: %1</p>
 <p>Account Name: %2</p>
 <p>Account Domain: %3</p>
 <p>Logon ID: %4</p>
 <p>Object:</p>
 <p>Object Server: %5</p>
 <p>Object Type: %6</p>
 <p>Object Name: %7</p>
 <p>Handle ID: %8</p>
 <p>Resource Attributes: %17</p>
 <p>Process Information:</p>
 <p>Process ID: %15</p>
 <p>Process Name: %16</p>
 <p>Access Request Information:</p>
 <p>Transaction ID: %9</p>
 <p>Accesses: %10</p>
 <p>Access Reasons: %11</p>
 <p>Access Mask: %12</p>
 <p>Privileges Used for Access Check: %13</p>
 <p>Restricted SID Count: %14</p></td>
 </tr>
 </tbody>
 </table>
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-rpc-events.md
+++ b/windows/keep-secure/audit-rpc-events.md
@ -2,32 +2,29 @@
 title: Audit RPC Events (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
 ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit RPC Events
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit RPC Events**, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
-RPC is a technology for creating distributed client/server programs. RPC is an interprocess communication technique that enables client and server software to communicate. For more information, see [What Is RPC?](http://technet.microsoft.com/library/cc787851.aspx).
+Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
-Event volume: High on RPC servers
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                 |
 |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------|
 | Domain Controller | No              | No              | No               | No               | Events in this subcategory occur rarely. |
 | Member Server     | No              | No              | No               | No               | Events in this subcategory occur rarely. |
 | Workstation       | No              | No              | No               | No               | Events in this subcategory occur rarely. |
-Default: Not configured
+**Events List:**
-| Event ID | Event message |
+-   [5712](event-5712.md)(S): A Remote Procedure Call (RPC) was attempted.
 | - | - |
 | 5712 | A Remote Procedure Call (RPC) was attempted. |
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-sam.md
+++ b/windows/keep-secure/audit-sam.md
@ -2,52 +2,55 @@
 title: Audit SAM (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
 ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit SAM
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit SAM**, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
+
 Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx)) objects.
 The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.
-SAM objects include the following:
+-   SAM objects include the following:
 -   SAM\_ALIAS: A local group
 -   SAM\_GROUP: A group that is not a local group
 -   SAM\_USER: A user account
 -   SAM\_DOMAIN: A domain
 -   SAM\_SERVER: A computer account
 If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.
-> **Note:**  Only the SACL for SAM\_SERVER can be modified.
+Only a [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) for SAM\_SERVER can be modified.
- 
+
 Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.
-Event volume: High on domain controllers
+**Event volume**: High on domain controllers.
-> **Note:**  For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698).
+For information about reducing the number of events generated in this subcategory, see [KB841001](https://support.microsoft.com/en-us/kb/841001).
 Default setting: Not configured
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                    |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 4659 | A handle to an object was requested with intent to delete.| 
+| Domain Controller | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. |
-| 4660 | An object was deleted. |
+| Member Server     | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. |
-| 4661 | A handle to an object was requested.| 
+| Workstation       | -               | -               | -                | -                | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. |
-| 4663 | An attempt was made to access an object.|
+
- 
+**Events List:**
-## Related topics
+
 -   [4661](event-4661.md)(S, F): A handle to an object was requested.
 # 
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-security-group-management.md
+++ b/windows/keep-secure/audit-security-group-management.md
@ -2,52 +2,91 @@
 title: Audit Security Group Management (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed.
 ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Security Group Management
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit Security Group Management**, which determines whether the operating system generates audit events when specific security group management tasks are performed.
-Tasks for security group management include:
+Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.
-   A security group is created, changed, or deleted.
+**Event volume**: Low.
 -   A member is added to or removed from a security group.
 -   A group's type is changed.
 Security groups can be used for access control permissions and also as distribution lists.
-Event volume: Low
+This subcategory allows you to audit events generated by changes to security groups such as the following:
-Default: Success
+-   Security group is created, changed, or deleted.
-| Event ID | Event message |
+-   Member is added or removed from a security group.
 | - | - |
 | 4727 | A security-enabled global group was created. | 
 | 4728 | A member was added to a security-enabled global group. | 
 | 4729 | A member was removed from a security-enabled global group. | 
 | 4730 | A security-enabled global group was deleted. |
 | 4731 | A security-enabled local group was created. |
 | 4732 | A member was added to a security-enabled local group.| 
 | 4733 | A member was removed from a security-enabled local group.| 
 | 4734 | A security-enabled local group was deleted. |
 | 4735 | A security-enabled local group was changed. |
 | 4737 | A security-enabled global group was changed. |
 | 4754 | A security-enabled universal group was created.| 
 | 4755 | A security-enabled universal group was changed. |
 | 4756 | A member was added to a security-enabled universal group.| 
 | 4757 | A member was removed from a security-enabled universal group.| 
 | 4758 | A security-enabled universal group was deleted. |
 | 4764 | A group's type was changed. |
-## Related topics
+-   Group type is changed.
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                         |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Workstation       | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 **Events List:**
 -   [4731](event-4731.md)(S): A security-enabled local group was created.
 -   [4732](event-4732.md)(S): A member was added to a security-enabled local group.
 -   [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
 -   [4734](event-4734.md)(S): A security-enabled local group was deleted.
 -   [4735](event-4735.md)(S): A security-enabled local group was changed.
 -   [4764](event-4764.md)(S): A group’s type was changed.
 -   [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
 **4727(S): A security-enabled global group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.” Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
 **4737(S): A security-enabled global group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.” Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. 
 **4728(S): A member was added to a security-enabled global group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.” Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
 **4729(S): A member was removed from a security-enabled global group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.” Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
 **4730(S): A security-enabled global group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.” Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
 **4754(S): A security-enabled universal group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.”. Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
 **4755(S): A security-enabled universal group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.”. Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
 **4756(S): A member was added to a security-enabled universal group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.”. Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
 **4757(S): A member was removed from a security-enabled universal group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.”. Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
 **4758(S): A security-enabled universal group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.”. Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
 **Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-security-state-change.md
+++ b/windows/keep-secure/audit-security-state-change.md
@ -2,44 +2,37 @@
 title: Audit Security State Change (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
 ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Security State Change
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security State Change**, which determines whether Windows generates audit events for changes in the security state of a system.
-Changes in the security state of the operating system include:
+Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time.
-   System startup and shutdown.
+**Event volume**: Low.
 -   Change of system time.
 -   System recovery from **CrashOnAuditFail**. This event is logged after a system reboots following **CrashOnAuditFail**.
-    > **Important:**  Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**.
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                      |
-     
+|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-System startup and shutdown events are important for understanding system usage.
+| Domain Controller | Yes             | No              | Yes              | No               | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | Yes             | No              | Yes              | No               | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Workstation       | Yes             | No              | Yes              | No               | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-Event volume: Low
+**Events List:**
-Default: Success
+-   [4608](event-4608.md)(S): Windows is starting up.
-| Event ID | Event message summary | Minimum requirement |
+-   [4616](event-4616.md)(S): The system time was changed.
-| - | - | - |
+
-| 4608 | Windows is starting up. | Windows Vista, Windows Server 2008 | 
+-   [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail.
-| 4609 | Windows is shutting down. | Windows Vista, Windows Server 2008 |
+
-| 4616 | The system time was changed.| Windows Vista, Windows Server 2008 |
+>**Note**&nbsp;&nbsp;Event **4609(S): Windows is shutting down** currently doesn’t generate. It is a defined event, but it is never invoked by the operating system.
 | 4621 | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.| Windows Vista, Windows Server 2008 | 
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-security-system-extension.md
+++ b/windows/keep-secure/audit-security-system-extension.md
@ -2,43 +2,47 @@
 title: Audit Security System Extension (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions.
 ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Security System Extension
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security System Extension**, which determines whether the operating system generates audit events related to security system extensions.
+
 Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events.
 Changes to security system extensions in the operating system include the following activities:
-   A security extension code is loaded (such as an authentication, notification, or security package). A security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM.
+
 -   Security extension code is loaded (for example, an authentication, notification, or security package). Security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM.
 -   A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.
-> **Important:**  Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.
+Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.
 Event volume: Low
-These events are expected to appear more on a domain controller than on client computers or member servers.
+**Event volume**: Low.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
 |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | No              | Yes              | No               | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | Yes             | No              | Yes              | No               | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.   |
 | Workstation       | Yes             | No              | Yes              | No               | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.   |
-| Event ID | Event message |
+**Events List:**
-| - | - |
+
-| 4610 | An authentication package has been loaded by the Local Security Authority. | 
+-   [4610](event-4610.md)(S): An authentication package has been loaded by the Local Security Authority.
-| 4611 | A trusted logon process has been registered with the Local Security Authority.| 
+
-| 4614 | A notification package has been loaded by the Security Account Manager. |
+-   [4611](event-4611.md)(S): A trusted logon process has been registered with the Local Security Authority.
-| 4622 | A security package has been loaded by the Local Security Authority. |
+
-| 4697 | A service was installed in the system. |
+-   [4614](event-4614.md)(S): A notification package has been loaded by the Security Account Manager.
- 
+
-## Related topics
+-   [4622](event-4622.md)(S): A security package has been loaded by the Local Security Authority.
 -   [4697](event-4697.md)(S): A service was installed in the system.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-sensitive-privilege-use.md
+++ b/windows/keep-secure/audit-sensitive-privilege-use.md
@ -2,51 +2,70 @@
 title: Audit Sensitive Privilege Use (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used.
 ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Sensitive Privilege Use
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Sensitive Privilege Use**, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used.
-Actions that can be audited include:
+Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges:
-   A privileged service is called.
+
-   One of the following privileges is called:
+-   Act as part of the operating system
-    - **Act as part of the operating system**
+
-    - **Back up files and directories**
+-   Back up files and directories
-    - **Create a token object**
+
-    - **Debug programs**
+-   Restore files and directories
-    - **Enable computer and user accounts to be trusted for delegation**
+
-    - **Generate security audits**
+-   Create a token object
-    - **Impersonate a client after authentication**
+
-    - **Load and unload device drivers**
+-   Debug programs
-    - **Manage auditing and security log**
+
-    - **Modify firmware environment values**
+-   Enable computer and user accounts to be trusted for delegation
-    - **Replace a process-level token**
+
-    - **Restore files and directories**
+-   Generate security audits
-    - **Take ownership of files or other objects**
+
 -   Impersonate a client after authentication
 -   Load and unload device drivers
 -   Manage auditing and security log
 -   Modify firmware environment values
 -   Replace a process-level token
 -   Take ownership of files or other objects
 The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](https://technet.microsoft.com/en-us/library/jj852206.aspx)” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded.
 This subcategory also contains informational events from the file system Transaction Manager.
 If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts.
-Event volume: High
+**Event volume**: High.
-Default: Not configured
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                      |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | Yes             | Yes              | Yes              | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
 | Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
 | Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
 **Events List:**
 -   [4673](event-4673.md)(S, F): A privileged service was called.
 -   [4674](event-4674.md)(S, F): An operation was attempted on a privileged object.
 -   [4985](event-4985.md)(S): The state of a transaction has changed.
 >**Note**&nbsp;&nbsp;For some reason event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory generates also in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
 | Event ID | Event message |
 | - | - |
 | 4672 | Special privileges assigned to new logon.| 
 | 4673 | A privileged service was called. |
 | 4674 | An operation was attempted on a privileged object.| 
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-special-logon.md
+++ b/windows/keep-secure/audit-special-logon.md
@ -2,38 +2,43 @@
 title: Audit Special Logon (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances.
 ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit Special Logon
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
 This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Special Logon**, which determines whether the operating system generates audit events under special sign on (or log on) circumstances.
-This security policy setting determines whether the operating system generates audit events when:
+Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances.
-   A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
+This subcategory allows you to audit events generated by special logons such as the following:
 -   A member of a special group logs on. Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on. The administrator can set a list of group security identifiers (SIDs) in the registry. If any of these SIDs is added to a token during logon and this auditing subcategory is enabled, a security event is logged. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/p/?linkid=120183).
-Users holding special privileges can potentially make changes to the system. We recommend that you track their activity.
+-   The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
-Event volume: Low
+-   A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.
-Default: Success
+**Event volume**:
-| Event ID | Event message |
+-   Low on a client computer.
-| - | - |
+
-| 4964 | Special groups have been assigned to a new logon.| 
+-   Medium on a domain controllers or network servers.
- 
+
-## Related topics
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Member Server     | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 | Workstation       | Yes             | No              | Yes              | No               | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 **Events List:**
 -   [4964](event-4964.md)(S): Special groups have been assigned to a new logon.
 -   [4672](event-4672.md)(S): Special privileges assigned to new logon.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-system-integrity.md
+++ b/windows/keep-secure/audit-system-integrity.md
@ -2,51 +2,67 @@
 title: Audit System Integrity (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem.
 ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit System Integrity
 **Applies to**
-   Windows 10
+-   Windows 10
-   Windows 10 Mobile
+-   Windows Server 2016
-This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit System Integrity**, which determines whether the operating system audits events that violate the integrity of the security subsystem.
+
 Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem.
 Activities that violate the integrity of the security subsystem include the following:
 -   Audited events are lost due to a failure of the auditing system.
 -   A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.
 -   A remote procedure call (RPC) integrity violation is detected.
 -   A code integrity violation with an invalid hash value of an executable file is detected.
 -   Cryptographic tasks are performed.
-> **Important:**  Violations of security subsystem integrity are critical and could indicate a potential security attack.
+Violations of security subsystem integrity are critical and could indicate a potential security attack.
 Event volume: Low
-Default: Success and failure
+**Event volume**: Low.
-| Event ID | Event message |
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-| - | - |
+|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. | 
+| Domain Controller | Yes             | Yes             | Yes              | Yes              | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. |
-| 4615 | Invalid use of LPC port. |
+| Member Server     | Yes             | Yes             | Yes              | Yes              | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. |
-| 4618 | A monitored security event pattern has occurred.| 
+| Workstation       | Yes             | Yes             | Yes              | Yes              | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. |
-| 4816 | RPC detected an integrity violation while decrypting an incoming message.| 
+
-| 5038 | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.| 
+**Events List:**
-| 5056 | A cryptographic self-test was performed. |
+
-| 5057 | A cryptographic primitive operation failed.| 
+-   [4612](event-4612.md)(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
-| 5060 | Verification operation failed. |
+
-| 5061 | Cryptographic operation. |
+-   [4615](event-4615.md)(S): Invalid use of LPC port.
-| 5062 | A kernel-mode cryptographic self-test was performed.| 
+
-| 6281 | Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.| 
+-   [4618](event-4618.md)(S): A monitored security event pattern has occurred.
- 
+
-## Related topics
+-   [4816](event-4816.md)(S): RPC detected an integrity violation while decrypting an incoming message.
 -   [5038](event-5038.md)(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
 -   [5056](event-5056.md)(S): A cryptographic self-test was performed.
 -   [5062](event-5062.md)(S): A kernel-mode cryptographic self-test was performed.
 -   [5057](event-5057.md)(F): A cryptographic primitive operation failed.
 -   [5060](event-5060.md)(F): Verification operation failed.
 -   [5061](event-5061.md)(S, F): Cryptographic operation.
 -   [6281](event-6281.md)(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
 -   [6410](event-6410.md)(F): Code integrity determined that a file does not meet the security requirements to load into a process.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-user-account-management.md
+++ b/windows/keep-secure/audit-user-account-management.md
@ -2,56 +2,81 @@
 title: Audit User Account Management (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed.
 ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit User Account Management
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit User Account Management**, which determines whether the operating system generates audit events when specific user account management tasks are performed.
-Tasks that are audited for user account management include:
+Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed.
 **Event volume**: Low.
 This policy setting allows you to audit changes to user accounts. Events include the following:
 -   A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
 -   A user account’s password is set or changed.
 -   A security identifier (SID) is added to the SID History of a user account, or fails to be added.
 -   The Directory Services Restore Mode password is configured.
 -   Permissions on administrative user accounts are changed.
 -   A user's local group membership was enumerated.
 -   A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.
 -   A user account password is set or changed.
 -   Security identifier (SID) history is added to a user account.
 -   The Directory Services Restore Mode password is set.
 -   Permissions are changed on accounts that are members of administrator groups.
 -   Credential Manager credentials are backed up or restored.
-This policy setting is essential for tracking events that involve provisioning and managing user accounts.
+Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer accounts.
-Event volume: Low
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                     |
 |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | Yes             | Yes             | Yes              | Yes              | This subcategory contains many useful events for monitoring, especially for critical domain accounts, such as domain admins, service accounts, database admins, and so on.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for domain accounts, DSRM account password change failures, and failed SID History add attempts. |
 | Member Server     | Yes             | Yes             | Yes              | Yes              | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts.                                                                                                                |
 | Workstation       | Yes             | Yes             | Yes              | Yes              | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts.                                                                                                                |
-Default: Success
+**Events List:**
-| Event ID | Event message |
+-   [4720](event-4720.md)(S): A user account was created.
-| - | - |
+
-| 4720 | A user account was created. | 
+-   [4722](event-4722.md)(S): A user account was enabled.
-| 4722 | A user account was enabled. |
+
-| 4723 | An attempt was made to change an account's password.| 
+-   [4723](event-4723.md)(S, F): An attempt was made to change an account's password.
-| 4724 | An attempt was made to reset an account's password. |
+
-| 4725 | A user account was disabled. |
+-   [4724](event-4724.md)(S, F): An attempt was made to reset an account's password.
-| 4726 | A user account was deleted. |
+
-| 4738 | A user account was changed. |
+-   [4725](event-4725.md)(S): A user account was disabled.
-| 4740 | A user account was locked out.| 
+
-| 4765 | SID History was added to an account.| 
+-   [4726](event-4726.md)(S): A user account was deleted.
-| 4766 | An attempt to add SID History to an account failed.| 
+
-| 4767 | A user account was unlocked. |
+-   [4738](event-4738.md)(S): A user account was changed.
-| 4780 | The ACL was set on accounts which are members of administrators groups.| 
+
-| 4781 | The name of an account was changed: |
+-   [4740](event-4740.md)(S): A user account was locked out.
-| 4794 | An attempt was made to set the Directory Services Restore Mode.| 
+
-| 5376 | Credential Manager credentials were backed up. |
+-   [4765](event-4765.md)(S): SID History was added to an account.
-| 5377 | Credential Manager credentials were restored from a backup.|
+
- 
+-   [4766](event-4766.md)(F): An attempt to add SID History to an account failed.
-## Related topics
+
 -   [4767](event-4767.md)(S): A user account was unlocked.
 -   [4780](event-4780.md)(S): The ACL was set on accounts which are members of administrators groups.
 -   [4781](event-4781.md)(S): The name of an account was changed.
 -   [4794](event-4794.md)(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
 -   [4798](event-4798.md)(S): A user's local group membership was enumerated.
 -   [5376](event-5376.md)(S): Credential Manager credentials were backed up.
 -   [5377](event-5377.md)(S): Credential Manager credentials were restored from a backup.
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/audit-user-device-claims.md
+++ b/windows/keep-secure/audit-user-device-claims.md
@ -2,63 +2,39 @@
 title: Audit User/Device Claims (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims.
 ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype: security
+author: Mir0sh
 author: brianlic-msft
 ---
 # Audit User/Device Claims
 **Applies to**
-   Windows 10
+-   Windows 10
 -   Windows Server 2016
 This topic for the IT professional describes the advanced security audit policy setting, **Audit User/Device Claims**, which enables you to audit security events that are generated by user and device claims.
-Event volume:
+Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.
-Default: Not configured
+For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
-<table>
+***Important***: [Audit Logon](audit-logon.md) subcategory must also be enabled in order to get events from this subcategory.
-<colgroup>
+
-<col width="50%" />
+**Event volume**:
-<col width="50%" />
+
-</colgroup>
+-   Low on a client computer.
-<thead>
+
-<tr class="header">
+-   Medium on a domain controller or network servers.
-<th align="left">Event ID</th>
+
-<th align="left">Event message</th>
+| Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                        |
-</tr>
+|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-</thead>
+| Domain Controller | IF              | No              | IF               | No               | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-<tbody>
+| Member Server     | IF              | No              | IF               | No               | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-<tr class="odd">
+| Workstation       | IF              | No              | IF               | No               | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-<td align="left"><p>4626</p></td>
+
-<td align="left"><p>User / Device claims information.</p>
+**Events List:**
-<p>Subject:</p>
+
-<p>Security ID: %1</p>
+-   [4626](event-4626.md)(S): User/Device claims information.
 <p>Account Name: %2</p>
 <p>Account Domain: %3</p>
 <p>Logon ID: %4</p>
 <p>Logon Type:%9</p>
 <p>New Logon:</p>
 <p>Security ID: %5</p>
 <p>Account Name: %6</p>
 <p>Account Domain: %7</p>
 <p>Logon ID: %8</p>
 <p>Event in sequence: %10 of %11</p>
 <p>User Claims: %12</p>
 <p>Device Claims: %13</p>
 <p>The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.</p>
 <p>The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).</p>
 <p>The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.</p>
 <p>This event is generated when the Audit User/Device claims subcategory is configured and the user’s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.</p></td>
 </tr>
 </tbody>
 </table>
 ## Related topics
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
--- a/windows/keep-secure/basic-firewall-policy-design.md
+++ b/windows/keep-secure/basic-firewall-policy-design.md
@ -0,0 +1,66 @@
 ---
 title: Basic Firewall Policy Design (Windows 10)
 description: Basic Firewall Policy Design
 ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Basic Firewall Policy Design
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.
 The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped.
 Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the device that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted.
 Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy:
 -   On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device.
 -   When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you.
    For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
 -   For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the devices in your organization.
    For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
 With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
 >**Caution:**  Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.
 By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows 8, and later.
 If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
 Compatible third-party firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. 
 An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation.
 After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
 >**Important:**  If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
 The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules.
 For more information about this design:
 -   This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md).
 -   To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
 -   Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
 -   To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
 -   For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
 **Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)
--- a/windows/keep-secure/boundary-zone-gpos.md
+++ b/windows/keep-secure/boundary-zone-gpos.md
@ -0,0 +1,28 @@
 ---
 title: Boundary Zone GPOs (Windows 10)
 description: Boundary Zone GPOs
 ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Boundary Zone GPOs
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.
 >**Note:**  If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
 This means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone.
 The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows.
 In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed.
 -   [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary.md)
--- a/windows/keep-secure/boundary-zone.md
+++ b/windows/keep-secure/boundary-zone.md
@ -0,0 +1,63 @@
 ---
 title: Boundary Zone (Windows 10)
 description: Boundary Zone
 ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Boundary Zone
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
 Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device.
 The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it.
 Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision.
 ![design flowchart](images/wfas-designflowchart1.gif)
 The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied.
 You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
 Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
 ## GPO settings for boundary zone servers running at least Windows Server 2008
 The boundary zone GPO for devices running at least Windows Server 2008 should include the following:
 -   IPsec default settings that specify the following options:
    1.  Exempt all ICMP traffic from IPsec.
    2.  Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
    3.  Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems..
        If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies.
    4.  Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method.
 -   The following connection security rules:
    -   A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.
    -   A connection security rule, from **Any IP address** to **Any IP address**, that requests inbound and outbound authentication.
 -   A registry policy that includes the following values:
    -   Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
    >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
 **Next: **[Encryption Zone](encryption-zone.md)
--- a/windows/keep-secure/certificate-based-isolation-policy-design-example.md
+++ b/windows/keep-secure/certificate-based-isolation-policy-design-example.md
@ -0,0 +1,52 @@
 ---
 title: Certificate-based Isolation Policy Design Example (Windows 10)
 description: Certificate-based Isolation Policy Design Example
 ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Certificate-based Isolation Policy Design Example
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
 One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the devices that receive this information.
 ## Design requirements
 One possible solution to this is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it cannot authenticate.
 A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it cannot join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed.
 In this case, Woodgrove Bank used Active Directory Certificate Services to create the appropriate certificate. They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server.
 The UNIX server is configured with firewall and IPsec connection security rules using the tools that are provided by the operating system vendor. Those rules specify that authentication is performed by using the certificate.
 The creation of the IPsec connection security rules for a non-Windows device is beyond the scope of this document, but support for a certificate that can be used to authenticate such a non-Windows device by using the standard IPsec protocols is the subject of this design.
 The non-Windows device can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the device. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX device must also be supported by the Windows-based devices with which it communicates.
 **Other traffic notes:**
 -   None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device.
 ## Design details
 Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization.
 The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This does not require including new rules, just adding certificate-based authentication as an option to the existing rules.
 When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because the majority of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type.
 By using the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member.
 Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
 **Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
--- a/windows/keep-secure/certificate-based-isolation-policy-design.md
+++ b/windows/keep-secure/certificate-based-isolation-policy-design.md
@ -0,0 +1,40 @@
 ---
 title: Certificate-based Isolation Policy Design (Windows 10)
 description: Certificate-based Isolation Policy Design
 ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Certificate-based Isolation Policy Design
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
 Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices cannot join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol.
 To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that do not run Windows.
 The same principles of the domain and server isolation designs apply to this design. Only devices that can authenticate (in this case, by providing a specified certificate) can communicate with the devices in your isolated domain.
 For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but are not part of the Active Directory domain. For other devices, you will have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner.
 For more info about this design:
 -   This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
 -   To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md).
 -   Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
 -   To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md).
 -   For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
 **Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@ -16,7 +16,9 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 |New or changed topic | Description |
 |----------------------|-------------|
-| [Windows security baselines](security-baselines.md) | New |
+| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
 | [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
 | [Windows security baselines](windows-security-baselines.md) | New |
 ## May 2016
--- a/windows/keep-secure/change-rules-from-request-to-require-mode.md
+++ b/windows/keep-secure/change-rules-from-request-to-require-mode.md
@ -0,0 +1,56 @@
 ---
 title: Change Rules from Request to Require Mode (Windows 10)
 description: Change Rules from Request to Require Mode
 ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Change Rules from Request to Require Mode
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
 In this topic:
 -   [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode)
 -   [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices)
 ## To convert a rule from request to require mode
 1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
 2.  In the navigation pane, click **Connection Security Rules**.
 3.  In the details pane, double-click the connection security rule that you want to modify.
 4.  Click the **Authentication** tab.
 5.  In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**.
 ## To apply the modified GPOs to the client devices
 1.  The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt:
    ``` syntax
    gpupdate /force
    ```
 2.  To verify that the modified GPO is correctly applied to the client devices, you can run the following command:
    ``` syntax
    gpresult /r /scope computer
    ```
 3.  Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device.
--- a/windows/keep-secure/checklist-configuring-basic-firewall-settings.md
+++ b/windows/keep-secure/checklist-configuring-basic-firewall-settings.md
@ -0,0 +1,26 @@
 ---
 title: Checklist Configuring Basic Firewall Settings (Windows 10)
 description: Checklist Configuring Basic Firewall Settings
 ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Configuring Basic Firewall Settings
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.
 **Checklist: Configuring firewall defaults and settings**
 | Task | Reference |
 | - | - |
 | Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| 
 | Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) |
 | Configure the firewall to record a log file. | [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)| 
--- a/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md
@ -0,0 +1,43 @@
 ---
 title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10)
 description: Checklist Configuring Rules for an Isolated Server Zone
 ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Configuring Rules for an Isolated Server Zone
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
 In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer.
 Devices that are running at least Windows Vista and Windows Server 2008 can identify both devices and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication.
 The GPOs for an isolated server or group of servers are similar to those for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules as well as restrictions that allow only members of the NAG to connect to the server.
 **Checklist: Configuring rules for isolated servers**
 | Task | Reference |
 | - | - |
 | Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.<br/>Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
 | Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| 
 | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| 
 | Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| 
 | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| 
 | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| 
 | Create a rule that requests authentication for all network traffic.<br/>**Important:**  Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
 | Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| 
 | Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| 
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
 | Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |
 Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.
--- a/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
@ -0,0 +1,40 @@
 ---
 title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10)
 description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
 ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
 The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server.
 **Checklist: Configuring rules for isolated servers**
 | Task | Reference |
 | - | - |
 | Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) <br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
 | If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| 
 | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) |
 | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| 
 | Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| 
 | Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) |
 | Create a rule that requests authentication for all inbound network traffic. <br/><br/>**Important:**  Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
 | If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| 
 | Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) |
 | Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| 
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
 | Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
 Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested.
--- a/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md
@ -0,0 +1,32 @@
 ---
 title: Checklist Configuring Rules for the Boundary Zone (Windows 10)
 description: Checklist Configuring Rules for the Boundary Zone
 ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Configuring Rules for the Boundary Zone
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
 Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication.
 **Checklist: Configuring boundary zone rules**
 This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs.
 | Task | Reference |
 | - | - |
 | Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) |
 | If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
 | Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
 | Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 
--- a/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md
@ -0,0 +1,33 @@
 ---
 title: Checklist Configuring Rules for the Encryption Zone (Windows 10)
 description: Checklist Configuring Rules for the Encryption Zone
 ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Configuring Rules for the Encryption Zone
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
 Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication.
 **Checklist: Configuring encryption zone rules**
 This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain.
 | Task | Reference |
 | - | - |
 | Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
 | Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| 
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
 | Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
 | Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 
--- a/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md
@ -0,0 +1,37 @@
 ---
 title: Checklist Configuring Rules for the Isolated Domain (Windows 10)
 description: Checklist Configuring Rules for the Isolated Domain
 ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Configuring Rules for the Isolated Domain
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
 **Checklist: Configuring isolated domain rules**
 | Task | Reference |
 | - | - |
 | Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
 | If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| 
 | Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| 
 | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| 
 | Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| 
 | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| 
 | Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
 | Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
 | Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
 | Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 
 Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.
--- a/windows/keep-secure/checklist-creating-group-policy-objects.md
+++ b/windows/keep-secure/checklist-creating-group-policy-objects.md
@ -0,0 +1,43 @@
 ---
 title: Checklist Creating Group Policy Objects (Windows 10)
 description: Checklist Creating Group Policy Objects
 ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Creating Group Policy Objects
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group.
 The checklists for firewall, domain isolation, and server isolation include a link to this checklist.
 ## About membership groups
 For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied.
 ## About exclusion groups
 A Windows Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.
 You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones.
 **Checklist: Creating Group Policy objects**
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| 
 | Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.<br/>If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
 | Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) |
 | Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) |
 | Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |
 | If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) |
 | Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |
--- a/windows/keep-secure/checklist-creating-inbound-firewall-rules.md
+++ b/windows/keep-secure/checklist-creating-inbound-firewall-rules.md
@ -0,0 +1,39 @@
 ---
 title: Checklist Creating Inbound Firewall Rules (Windows 10)
 description: Checklist Creating Inbound Firewall Rules
 ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Creating Inbound Firewall Rules
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This checklist includes tasks for creating firewall rules in your GPOs.
 **Checklist: Creating inbound firewall rules**
 | Task | Reference |
 | - | - |
 | Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)| 
 | Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)| 
 | Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)| 
 | Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)| 
 | Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)| 
--- a/windows/keep-secure/checklist-creating-outbound-firewall-rules.md
+++ b/windows/keep-secure/checklist-creating-outbound-firewall-rules.md
@ -0,0 +1,39 @@
 ---
 title: Checklist Creating Outbound Firewall Rules (Windows 10)
 description: Checklist Creating Outbound Firewall Rules
 ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Creating Outbound Firewall Rules
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This checklist includes tasks for creating outbound firewall rules in your GPOs.
 >**Important:**  By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.
 **Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
 | Task | Reference |
 | - | - |
 | Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)| 
 | Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)| 
 | Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)| 
--- a/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@ -0,0 +1,33 @@
 ---
 title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows 10)
 description: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone
 ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
 **Checklist: Configuring isolated server zone client rules**
 | Task | Reference |
 | - | - |
 | Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) <br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
 | To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
 | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| 
 | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| 
 | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| 
 | Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| 
 | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| 
 | Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
 | Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
--- a/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md
@ -0,0 +1,36 @@
 ---
 title: Checklist Implementing a Basic Firewall Policy Design (Windows 10)
 description: Checklist Implementing a Basic Firewall Policy Design
 ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Implementing a Basic Firewall Policy Design
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
 >**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
 The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
  **Checklist: Implementing a basic firewall policy design**
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Basic Firewall Policy Design](basic-firewall-policy-design.md)<br/>[Firewall Policy Design Example](firewall-policy-design-example.md)<br/>[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| 
 | Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
 | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| 
 | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| 
 | Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| 
 | Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)| 
 | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
 | Add test devices to the membership group, and then confirm that the devices receive the firewall rules from the GPOs as expected.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
 | According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| 
--- a/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md
@ -0,0 +1,30 @@
 ---
 title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10)
 description: Checklist Implementing a Certificate-based Isolation Policy Design
 ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Implementing a Certificate-based Isolation Policy Design
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
 >**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist
 **Checklist: Implementing certificate-based authentication**
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)<br/>[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)<br/>[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
 | Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| |
 | Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| 
 | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| 
 | On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| 
--- a/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md
@ -0,0 +1,34 @@
 ---
 title: Checklist Implementing a Domain Isolation Policy Design (Windows 10)
 description: Checklist Implementing a Domain Isolation Policy Design
 ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Implementing a Domain Isolation Policy Design
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
 >**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
 The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
 **Checklist: Implementing a domain isolation policy design**
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Domain Isolation Policy Design](domain-isolation-policy-design.md)<br/>[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)<br/>[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
 | Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| 
 | Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| 
 | Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| 
 | Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)| 
 | According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| 
 | After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| 
--- a/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md
@ -0,0 +1,33 @@
 ---
 title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10)
 description: Checklist Implementing a Standalone Server Isolation Policy Design
 ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Checklist: Implementing a Standalone Server Isolation Policy Design
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
 This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
 >**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
 **Checklist: Implementing a standalone server isolation policy design**
 | Task | Reference |
 | - | - |
 | Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Server Isolation Policy Design](server-isolation-policy-design.md)<br/>[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)<br/>[Planning Server Isolation Zones](planning-server-isolation-zones.md) |
 | Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| 
 | Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| 
 | Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 
 | After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| 
 | According to the testing and roll-out schedule in your design plan, add device accounts for the client devices to the membership group so that you can deploy the settings. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) |
--- a/windows/keep-secure/configure-authentication-methods.md
+++ b/windows/keep-secure/configure-authentication-methods.md
@ -0,0 +1,75 @@
 ---
 title: Configure Authentication Methods (Windows 10)
 description: Configure Authentication Methods
 ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Configure Authentication Methods
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.
 >**Note:**  If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
 **To configure authentication methods**
 1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
 2.  In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
 3.  On the **IPsec Settings** tab, click **Customize**.
 4.  In the **Authentication Method** section, select the type of authentication that you want to use from among the following:
    1.  **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default.
    2.  **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials.
    3.  **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
    4.  **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials.
    5.  **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule.
    6.  **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
        The first authentication method can be one of the following:
        -   **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
        -   **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
        -   **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used.
        -   **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes.
        If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
        The second authentication method can be one of the following:
        -   **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
        -   **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
        -   **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups.
        -   **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication EKU typically provided in a NAP infrastructure can be used for this rule.
        If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
        >**Important:**  Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
 5.  Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor.
--- a/windows/keep-secure/configure-data-protection-quick-mode-settings.md
+++ b/windows/keep-secure/configure-data-protection-quick-mode-settings.md
@ -0,0 +1,62 @@
 ---
 title: Configure Data Protection (Quick Mode) Settings (Windows 10)
 description: Configure Data Protection (Quick Mode) Settings
 ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Configure Data Protection (Quick Mode) Settings
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
 **To configure quick mode settings**
 1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
 2.  In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
 3.  On the **IPsec Settings** tab, click **Customize**.
 4.  In the **Data protection (Quick Mode)** section, click **Advanced**, and then click **Customize**.
 5.  If you require encryption for all network traffic in the specified zone, then check **Require encryption for all connection security rules that use these settings**. Selecting this option disables the **Data integrity** section, and forces you to select only integrity algorithms that are combined with an encryption algorithm. If you do not select this option, then you can use only data integrity algorithms. Before selecting this option, consider the performance impact and the increase in network traffic that will result. We recommend that you use this setting only on network traffic that truly requires it, such as to and from computers in the encryption zone.
 6.  If you did not select **Require encryption**, then select the data integrity algorithms that you want to use to help protect the data sessions between the two computers. If the data integrity algorithms displayed in the list are not what you want, then do the following:
    1.  From the left column, remove any of the data integrity algorithms that you do not want by selecting the algorithm and then clicking **Remove**.
    2.  Add any required data integrity algorithms by clicking **Add**, selecting the appropriate protocol (ESP or AH) and algorithm (SHA1 or MD5), selecting the key lifetime in minutes or sessions, and then clicking **OK**. We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. We also recommend that you use ESP instead of AH if you have any devices on your network that use network address translation (NAT).
    3.  In **Key lifetime (in sessions)**, type the number of times that the quick mode session can be rekeyed. After this number is reached, the quick mode SA must be renegotiated. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent renegotiating of the quick mode SA. We recommend that you use the default value unless your risk analysis indicates the need for a different value.
    4.  Click **OK** to save your algorithm combination settings.
    5.  After the list contains only the combinations you want, use the up and down arrows to the right of the list to rearrange them in the correct order for your design. The algorithm combination that is first in the list is tried first, and so on.
 7.  Select the data integrity and encryption algorithms that you want to use to help protect the data sessions between the two computers. If the algorithm combinations displayed in the list are not what you want, then do the following:
    1.  From the second column, remove any of the data integrity and encryption algorithms that you do not want by selecting the algorithm combination and then clicking **Remove**.
    2.  Add any required integrity and encryption algorithm combinations by clicking **Add**, and then doing the following:
    3.  Select the appropriate protocol (ESP or AH). We recommend that you use ESP instead of AH if you have any devices on your network that use NAT.
    4.  Select the appropriate encryption algorithm. The choices include, in order of decreasing security: AES-256, AES-192, AES-128, 3DES, and DES. We recommend that you do not include DES in any combination. It is included for backward compatibility only.
    5.  Select the appropriate integrity algorithm (SHA1 or MD5). We recommend that you do not include MD5 in any combination. It is included for backward compatibility only.
    6.  In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent rekeying. We recommend that you use the default value unless your risk analysis indicates the need for a different value.
 8.  Click **OK** three times to save your settings.
--- a/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@ -0,0 +1,38 @@
 ---
 title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10)
 description: Configure Group Policy to Autoenroll and Deploy Certificates
 ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Configure Group Policy to Autoenroll and Deploy Certificates
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.
 **Administrative credentials**
 To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest and a member of the Enterprise Admins group.
 **To configure Group Policy to autoenroll certificates**
 1.  Open the Group Policy Management console.
 2.  In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
 3.  In the navigation pane, expand the following path: **Computer Configuration**, **Policies**, **Windows Settings**, **Security Settings**, **Public Key Policies**.
 4.  Double-click **Certificate Services Client - Auto-Enrollment**.
 5.  In the **Properties** dialog box, change **Configuration Model** to **Enabled**.
 6.  Select both **Renew expired certificates, update pending certificates, and remove revoked certificates** and **Update certificates that use certificate templates**.
 7.  Click **OK** to save your changes. Computers apply the GPO and download the certificate the next time Group Policy is refreshed.
--- a/windows/keep-secure/configure-key-exchange-main-mode-settings.md
+++ b/windows/keep-secure/configure-key-exchange-main-mode-settings.md
@ -0,0 +1,62 @@
 ---
 title: Configure Key Exchange (Main Mode) Settings (Windows 10)
 description: Configure Key Exchange (Main Mode) Settings
 ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Configure Key Exchange (Main Mode) Settings
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
 **To configure key exchange settings**
 1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
 2.  In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
 3.  On the **IPsec Settings** tab, click **Customize**.
 4.  In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**.
 5.  Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list are not what you want, then do the following:
    **Important**  
    In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices.
    Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected.
    **Note**  
    When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select.
    1.  Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**.
    2.  Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**.
        >**Caution:**  We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only.
    3.  After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on.
 6.  From the list on the right, select the key exchange algorithm that you want to use.
    >**Caution:**  We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only. 
 7.  In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two devices requires a new key.
    >**Note:**  You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance.
 8.  In **Key lifetime (in sessions)**, type the number of sessions. After the specified number of quick mode sessions have been created within the security association protected by this key, IPsec requires a new key.
 9.  Click **OK** three times to save your settings.
--- a/windows/keep-secure/configure-the-rules-to-require-encryption.md
+++ b/windows/keep-secure/configure-the-rules-to-require-encryption.md
@ -0,0 +1,53 @@
 ---
 title: Configure the Rules to Require Encryption (Windows 10)
 description: Configure the Rules to Require Encryption
 ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Configure the Rules to Require Encryption
 If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption.
 **Administrative credentials**
 To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
 **To modify an authentication request rule to also require encryption**
 1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
 2.  In the navigation pane, click **Connection Security Rules**.
 3.  In the details pane, double-click the connection security rule you want to modify.
 4.  On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**.
 5.  In the navigation pane, right-click **Windows Firewall with Advanced Security – LDAP://CN={***guid***}**, and then click **Properties**.
 6.  Click the **IPsec Settings** tab.
 7.  Under **IPsec defaults**, click **Customize**.
 8.  Under **Data protection (Quick Mode)**, click **Advanced**, and then click **Customize**.
 9.  Click **Require encryption for all connection security rules that use these settings**.
    This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone.
 10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md).
    **Note**  
    Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
    Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell.
    For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
 11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support.
 12. Click **OK** three times to save your changes.
--- a/windows/keep-secure/configure-the-windows-firewall-log.md
+++ b/windows/keep-secure/configure-the-windows-firewall-log.md
@ -0,0 +1,53 @@
 ---
 title: Configure the Windows Firewall Log (Windows 10)
 description: Configure the Windows Firewall Log
 ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
 ---
 # Configure the Windows Firewall Log
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 Technical Preview
 To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
 **Administrative credentials**
 To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
 In this topic:
 - [To configure the Windows Firewall log](#to-configure-the-windows-firewall-log)
 ## To configure the Windows Firewall log
 1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
 2.  In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
 3.  For each network location type (Domain, Private, Public), perform the following steps.
    1.  Click the tab that corresponds to the network location type.
    2.  Under **Logging**, click **Customize**.
    3.  The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location.
        >**Important:**  The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file.
    4.  The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
    5.  No logging occurs until you set one of following two options:
        -   To create a log entry when Windows Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**.
        -   To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
    6.  Click **OK** twice.
--- a/Show More
+++ b/Show More