| Windows Autopilot Deployment Service | After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 version 1903 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index d212b266b1..b062a6e72b 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -27,7 +27,7 @@ This document, the [Advanced security audit policy settings](advanced-security-a
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the whitelist of accounts. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the allow list of accounts. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md
index 50dcccadde..8c764f65c4 100644
--- a/windows/security/threat-protection/auditing/audit-security-system-extension.md
+++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md
@@ -35,9 +35,9 @@ Attempts to install or load security system extensions or services are critical
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md
index d245a30f27..6862a8d6a8 100644
--- a/windows/security/threat-protection/auditing/event-4611.md
+++ b/windows/security/threat-protection/auditing/event-4611.md
@@ -108,7 +108,7 @@ For 4611(S): A trusted logon process has been registered with the Local Security
- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
-- Typically this event has an informational purpose. If you defined the list of allowed Logon Processes in the system, then you can check is “**Logon Process Name”** field value in the whitelist or not.
+- Typically this event has an informational purpose. If you defined the list of allowed Logon Processes in the system, then you can check is “**Logon Process Name”** field value in the allow list or not.
-
diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md
index 8dd6e72adc..f86b22408c 100644
--- a/windows/security/threat-protection/auditing/event-4614.md
+++ b/windows/security/threat-protection/auditing/event-4614.md
@@ -78,5 +78,5 @@ Each time a system starts, it loads the notification package DLLs from **HKEY\_L
For 4614(S): A notification package has been loaded by the Security Account Manager.
-- Typically this event has an informational purpose. If you defined the list of allowed Notification Packages in the system, then you can check is “**Notification Package Name”** field value in the whitelist or not.
+- Typically this event has an informational purpose. If you defined the list of allowed Notification Packages in the system, then you can check is “**Notification Package Name”** field value in the allow list or not.
diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md
index e425430b75..385f508b09 100644
--- a/windows/security/threat-protection/auditing/event-4622.md
+++ b/windows/security/threat-protection/auditing/event-4622.md
@@ -100,5 +100,5 @@ These are some Security Package DLLs loaded by default in Windows 10:
For 4622(S): A security package has been loaded by the Local Security Authority.
-- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the whitelist or not.
+- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allow list or not.
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index a7f80d6745..cf8e0d63b8 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -277,7 +277,7 @@ For 4624(S): An account was successfully logged on.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“New Logon\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“New Logon\\Security ID”** for accounts that are outside the whitelist. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“New Logon\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“New Logon\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“New Logon\\Security ID”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md
index 97bb3eda59..5a44bd38f1 100644
--- a/windows/security/threat-protection/auditing/event-4648.md
+++ b/windows/security/threat-protection/auditing/event-4648.md
@@ -178,7 +178,7 @@ The following table is similar to the table in [Appendix A: Security monitoring
| **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.
Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the whitelist. |
+| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.
For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions. |
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 94d84a85cf..55ace9419d 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -192,7 +192,7 @@ For 4688(S): A new process has been created.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Creator Subject\\Security ID”** and **“Target Subject\\Security ID”** for accounts that are outside the whitelist. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Creator Subject\\Security ID”** and **“Target Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md
index cc31b9e54f..0268cd25a8 100644
--- a/windows/security/threat-protection/auditing/event-4696.md
+++ b/windows/security/threat-protection/auditing/event-4696.md
@@ -152,7 +152,7 @@ For 4696(S): A primary token was assigned to process.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the whitelist. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index 5c8f7fcc36..9e2056f25d 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -194,7 +194,7 @@ Otherwise, see the recommendations in the following table.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. |
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index f78b83ef3c..7db8499254 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -152,7 +152,7 @@ For 4704(S): A user right was assigned.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. |
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index 09c240e026..a89086caee 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -151,7 +151,7 @@ For 4705(S): A user right was removed.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user rights policies, for example, a whitelist of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.
For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.
As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. |
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index 13f2c744aa..ffe87e87e0 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -126,7 +126,7 @@ For 4717(S): System security access was granted to an account.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user logon rights policies, for example, a whitelist of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. |
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index 9bb398d835..ecef74c71a 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -126,7 +126,7 @@ For 4718(S): System security access was removed from an account.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist.
If you have specific user logon rights policies, for example, a whitelist of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.
As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. |
diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
index 511b73b62c..65ba0ae840 100644
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ b/windows/security/threat-protection/auditing/event-4732.md
@@ -153,7 +153,7 @@ For 4732(S): A member was added to a security-enabled local group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
index e7b90640ec..b970a918bc 100644
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ b/windows/security/threat-protection/auditing/event-4733.md
@@ -160,7 +160,7 @@ For 4733(S): A member was removed from a security-enabled local group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
index 3d070ae403..e72bc3b3a0 100644
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ b/windows/security/threat-protection/auditing/event-4751.md
@@ -157,7 +157,7 @@ For 4751(S): A member was added to a security-disabled global group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
index 63d0425219..b1fc1df98f 100644
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ b/windows/security/threat-protection/auditing/event-4752.md
@@ -148,7 +148,7 @@ For 4752(S): A member was removed from a security-disabled global group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the whitelist. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index 74e6e22b45..1da086eb93 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -304,13 +304,13 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the whitelist. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the allow list. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. |
- You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
-- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the whitelist, generate the alert.
+- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the allow list, generate the alert.
- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
index 199a11849a..64f7bf4503 100644
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
@@ -280,9 +280,9 @@ For 4769(S, F): A Kerberos service ticket was requested.
- You can track all [4769](event-4769.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
-- If you know that **Account Name** should be able to request tickets (should be used) only from a known whitelist of IP addresses, track all **Client Address** values for this **Account Name** in [4769](event-4769.md) events. If **Client Address** is not from your whitelist of IP addresses, generate the alert.
+- If you know that **Account Name** should be able to request tickets (should be used) only from a known allow list of IP addresses, track all **Client Address** values for this **Account Name** in [4769](event-4769.md) events. If **Client Address** is not from your allow list of IP addresses, generate the alert.
-- All **Client Address** = ::1 means local TGS requests, which means that the **Account Name** logged on to a domain controller before making the TGS request. If you have a whitelist of accounts allowed to log on to domain controllers, monitor events with **Client Address** = ::1 and any **Account Name** outside the whitelist.
+- All **Client Address** = ::1 means local TGS requests, which means that the **Account Name** logged on to a domain controller before making the TGS request. If you have an allow list of accounts allowed to log on to domain controllers, monitor events with **Client Address** = ::1 and any **Account Name** outside the allow list.
- All [4769](event-4769.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index f97c972551..b099911afd 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -208,12 +208,12 @@ For 4771(F): Kerberos pre-authentication failed.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the whitelist. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
- You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
-- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the whitelist, generate the alert.
+- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the allow list, generate the alert.
- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index 895d43226c..2e759dcb4e 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -129,7 +129,7 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the whitelist. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the allow list. |
| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. |
diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
index 92d5783c67..265b39dbcf 100644
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ b/windows/security/threat-protection/auditing/event-4778.md
@@ -126,7 +126,7 @@ For 4778(S): A session was reconnected to a Window Station.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
index a5a3de2a56..bd733289bb 100644
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ b/windows/security/threat-protection/auditing/event-4779.md
@@ -130,7 +130,7 @@ For 4779(S): A session was disconnected from a Window Station.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
For example, you might have computers to which connections should not be made from certain accounts or addresses. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.
If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. |
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index e2b46de2c3..a13a14a7de 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -180,7 +180,7 @@ For 5152(F): The Windows Filtering Platform blocked a packet.
- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.”
-- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the whitelist.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index cdfc758875..6a97371b47 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -180,7 +180,7 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the whitelist.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index 76a8a34a2d..f35e1cf804 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -180,7 +180,7 @@ For 5157(F): The Windows Filtering Platform has blocked a connection.
- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-- If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the whitelist.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
index db0d9fed09..2a7c5b7895 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@@ -62,7 +62,7 @@ Because your protection is a cloud service, computers must have access to the in
## Validate connections between your network and the cloud
-After whitelisting the URLs listed above, you can test if you are connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
+After allowing the URLs listed above, you can test if you are connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
**Use the cmdline tool to validate cloud-delivered protection:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
index ab87a6d7f1..7f7ce8196d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
@@ -159,7 +159,7 @@ Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
-Step 3: Whitelist your application on Microsoft Defender Security Center
+Step 3: allow your application on Microsoft Defender Security Center
@@ -279,11 +279,11 @@ After providing your credentials, you'll need to grant consent to the applicatio
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
-### Step 3: Whitelist your application on Microsoft Defender Security Center
-You'll need to whitelist the application you created in Microsoft Defender Security Center.
+### Step 3: Allow your application on Microsoft Defender Security Center
+You'll need to allow the application you created in Microsoft Defender Security Center.
-You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you.
+You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index d33c9a2195..0f087e2e04 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -37,7 +37,7 @@ Controlled folder access is especially useful in helping to protect your documen
With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
+The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
index 858060526b..7853dd9b56 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
@@ -1,7 +1,7 @@
---
title: Add additional folders and apps to be protected
-description: Add additional folders that should be protected by Controlled folder access, or whitelist apps that are incorrectly blocking changes to important files.
-keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable
+description: Add additional folders that should be protected by Controlled folder access, or allow apps that are incorrectly blocking changes to important files.
+keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index cf50d3ac04..d892904b96 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -207,7 +207,7 @@ You may now enroll more devices. You can also enroll them later, after you have
```
-9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
+9. To allow Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
```xml
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
index d67b31e398..05fc7da212 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
@@ -72,7 +72,7 @@ MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.mi
### Kernel extension policy
-Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft.
+Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to allow kernel extensions provided by Microsoft.
## Check installation status
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index b1deb73638..3613ce2eb0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
>
> In the meantime, starting with macOS Catalina update 10.15.4, Apple introduced a user facing *Legacy System Extension* warning to signal applications that rely on kernel extensions.
>
-> If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
+> If you have previously allowed the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to allow the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to allow the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
## 101.00.31
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
index 04299aa29c..a0dcdc9364 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
@@ -1,7 +1,7 @@
---
title: Manage automation folder exclusions
description: Add automation folder exclusions to control the files that are excluded from an automated investigation.
-keywords: manage, automation, exclusion, whitelist, blacklist, block, clean, malicious
+keywords: manage, automation, exclusion, block, clean, malicious
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index c2f2dd8964..328f88b28d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -2,7 +2,7 @@
title: Manage indicators
ms.reviewer:
description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
-keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
+keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index fc6cb7176a..ebad60bf6b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -140,12 +140,12 @@ the following discovery methods:
If a Transparent proxy or WPAD has been implemented in the network topology,
there is no need for special configuration settings. For more information on
Microsoft Defender ATP URL exclusions in the proxy, see the
-Appendix section in this document for the URLs Whitelisting or on
+Appendix section in this document for the URLs allow list or on
[Microsoft
Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
> [!NOTE]
-> For a detailed list of URLs that need to be whitelisted, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus).
+> For a detailed list of URLs that need to be allowed, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus).
**Manual static proxy configuration:**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
index ea417b545a..965b186fad 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md
@@ -1,7 +1,7 @@
---
title: Troubleshoot Microsoft Defender Advanced Threat Protection service issues
description: Find solutions and work arounds to known issues such as server errors when trying to access the service.
-keywords: troubleshoot Microsoft Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer
+keywords: troubleshoot Microsoft Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, allow, event viewer
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@@ -28,7 +28,7 @@ Configure your browser to allow cookies.
## Elements or data missing on the portal
If some UI elements or data is missing on Microsoft Defender Security Center it’s possible that proxy settings are blocking it.
-Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
+Make sure that `*.securitycenter.windows.com` is included the proxy allow list.
> [!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index 12ce265639..b435c4b723 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -74,7 +74,7 @@ If you've tested the feature with the demo site and with audit mode, and network
## Exclude website from network protection scope
-To whitelist the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check.
+To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check.
## Collect diagnostic data for file submissions
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
index 0628b4a46e..17903652ed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
@@ -69,11 +69,11 @@ If the portal dashboard, and other sections show an error message such as "Data
-You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`.
+You'll need to allow the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`.
## Portal communication issues
-If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communication.
+If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are allowed and open for communication.
- `*.blob.core.windows.net
crl.microsoft.com`
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 6356278506..15bf8bc91c 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -60,7 +60,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta
| **Windows Defender SmartScreen**
helps prevent
malicious applications
from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.
**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
| **Credential Guard**
helps keep attackers
from gaining access through
Pass-the-Hash or
Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
| **Enterprise certificate pinning**
helps prevent
man-in-the-middle attacks
that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
-| **Device Guard**
helps keep a device
from running malware or
other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
+| **Device Guard**
helps keep a device
from running malware or
other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
| **Microsoft Defender Antivirus**,
which helps keep devices
free of viruses and other
malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox antimalware solution. Microsoft Defender Antivirus has been significantly improved since it was introduced in Windows 8.
**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
| **Blocking of untrusted fonts**
helps prevent fonts
from being used in
elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).
**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
| **Memory protections**
help prevent malware
from using memory manipulation
techniques such as buffer
overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.
**More information**: [Table 2](#table-2), later in this topic |
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 69291f7a17..da3aea58e5 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -174,7 +174,7 @@ To gain the most value out of the baseline subscription we recommend to have the
- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This ensures that the security event log is generating the required events.
- Apply at least an Audit-Only AppLocker policy to devices.
- - If you are already whitelisting or blacklisting events by using AppLocker, then this requirement is met.
+ - If you are already allowing or restricting events by using AppLocker, then this requirement is met.
- AppLocker events contain extremely useful information, such as file hash and digital signature information for executables and scripts.
- Enable disabled event channels and set the minimum size for modern event files.
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index 4ead268500..a7254e397b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -1,7 +1,7 @@
---
title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows 10)
description: Using WDAC supplemental policies, you can expand the S mode base policy on your Intune-managed devices.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 7591c17136..fd016ed909 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -1,7 +1,7 @@
---
title: Allow COM object registration in a WDAC policy (Windows 10)
description: You can allow COM object registration in a Windows Defender Application Control policy.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index 8f28ada884..c5f703e0aa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -1,7 +1,7 @@
---
title: Audit Windows Defender Application Control policies (Windows 10)
description: Audits allow admins to discover apps that were missed during an initial policy scan and to identify new apps that were installed since the policy was created.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index e07be3cc57..a7e35f839e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -1,7 +1,7 @@
---
title: Create a code signing cert for Windows Defender Application Control (Windows 10)
description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index 1a27567a27..077d800cdc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -1,7 +1,7 @@
---
title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10)
description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
@@ -66,7 +66,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
> [!Note]
>
- > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
+ > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
> - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md).
> - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md).
>
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 9957c0ae10..8b4a0fa4ff 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -1,7 +1,7 @@
---
title: Create a WDAC policy for fully-managed devices (Windows 10)
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.topic: conceptual
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index fbee02749f..89cecfc78b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -1,7 +1,7 @@
---
title: Create a WDAC policy for lightly-managed devices (Windows 10)
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.topic: conceptual
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 1ea8df15e9..3abf426167 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -1,7 +1,7 @@
---
title: Deploy catalog files to support Windows Defender Application Control (Windows 10)
description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index 0fc1b53db9..f4ee690c02 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -1,7 +1,7 @@
---
title: Use multiple Windows Defender Application Control Policies (Windows 10)
description: Windows Defender Application Control supports multiple code integrity policies for one device.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index 1700437f22..9151364753 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -1,7 +1,7 @@
---
title: Deploy WDAC policies via Group Policy (Windows 10)
description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 2ec54bcba7..651222522b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -1,7 +1,7 @@
---
title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10)
description: You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
index 31261f15de..b1e6b39844 100644
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
@@ -1,7 +1,7 @@
---
title: Disable Windows Defender Application Control policies (Windows 10)
description: This topic covers how to disable unsigned or signed WDAC policies.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
index ea8808ca7f..9d9abf86c3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
@@ -1,7 +1,7 @@
---
title: Enforce Windows Defender Application Control (WDAC) policies (Windows 10)
description: Learn how to test a Windows Defender Application Control (WDAC) policy in enforced mode by following these steps in an elevated Windows PowerShell session.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 182c28dedc..965a842f19 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -1,7 +1,7 @@
---
title: Understanding Application Control events (Windows 10)
description: Learn what different Windows Defender Application Control events signify.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 6a84a32f71..293ed79adc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -1,7 +1,7 @@
---
title: Example WDAC base policies (Windows 10)
description: When creating a WDAC policy for an organization, start from one of the many available example base policies.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.topic: article
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index d7bdf7e3c3..638d0f40cd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -1,7 +1,7 @@
---
title: Feature Availability
description: Compare WDAC and AppLocker feature availability.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
index ebb66d445a..0c2cbcf366 100644
--- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
@@ -1,7 +1,7 @@
---
title: Manage packaged apps with WDAC (Windows 10)
description: Packaged apps, also known as Universal Windows apps, allow you to control the entire app by using a single Windows Defender Application Control (WDAC) rule.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
index 6054e9f6bd..8437b48c3c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
@@ -1,7 +1,7 @@
---
title: Merge Windows Defender Application Control policies (Windows 10)
description: Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. Learn how with this guide.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 8e442a2a0f..443397ada3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -1,7 +1,7 @@
---
title: Microsoft recommended block rules (Windows 10)
description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
@@ -26,7 +26,7 @@ ms.date: 04/09/2019
Members of the security community\* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
-Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application whitelisting policies, including Windows Defender Application Control:
+Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including Windows Defender Application Control:
- addinprocess.exe
- addinprocess32.exe
@@ -53,7 +53,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
[1]A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
-[2]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
+[2]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
*Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index cccca7a73e..9c6d253b10 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -1,7 +1,7 @@
---
title: Plan for WDAC policy management (Windows 10)
description: How to plan for Windows Defender Application Control (WDAC) policy management.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
index 74f69040e8..3b0e313266 100644
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -1,7 +1,7 @@
---
title: Query Application Control events with Advanced Hunting (Windows 10)
description: Learn how to query Windows Defender Application Control events across your entire organization by using Advanced Hunting.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 5b823d7eeb..e14032719c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -1,7 +1,7 @@
---
title: Understand WDAC policy rules and file rules (Windows 10)
description: Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by using policies that specify whether a driver or application is trusted and can be run. A policy includes *policy rules* that control options.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index db8225d362..601d01340e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -1,7 +1,7 @@
---
title: Policy creation for common WDAC usage scenarios (Windows 10)
description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 54d8ea8492..266e60b744 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -1,7 +1,7 @@
---
title: Understand Windows Defender Application Control policy design decisions (Windows 10)
description: Understand Windows Defender Application Control policy design decisions.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index da33a878fe..555168716a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -1,7 +1,7 @@
---
title: Use code signing to simplify application control for classic Windows applications (Windows 10)
description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
index 5e852821b5..d050e42b00 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -1,7 +1,7 @@
---
title: Use the Device Guard Signing Portal in the Microsoft Store for Business (Windows 10)
description: You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index 7386316a87..5bbcb531fa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -1,7 +1,7 @@
---
title: Use signed policies to protect Windows Defender Application Control against tampering (Windows 10)
description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index 8dfefbb2b5..43cc718d71 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -1,7 +1,7 @@
---
title: Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules (Windows 10)
description: WDAC policies can be used not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index 90585fe7cb..5490ef7a77 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -1,7 +1,7 @@
---
title: Windows Defender Application Control and .NET Hardening (Windows 10)
description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 09a7320fa3..7705229827 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -1,7 +1,7 @@
---
title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windows 10)
description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index 675381d926..8ad3ce6f98 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -1,7 +1,7 @@
---
title: Authorize apps deployed with a WDAC managed installer (Windows 10)
description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
@@ -56,7 +56,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
An example of a valid Managed Installer rule collection is shown below.
-For more information about creating an AppLocker policy that includes a managed installer and configuring client devices, see [Simplify application whitelisting with Configuration Manager and Windows 10](https://cloudblogs.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/).
+For more information about creating an AppLocker policy that includes a managed installer and configuring client devices, see [Simplify application listing with Configuration Manager and Windows 10](https://cloudblogs.microsoft.com/enterprisemobility/2016/06/20/configmgr-as-a-managed-installer-with-win10/).
As mentioned above, the AppLocker CSP for OMA-URI policies does not currently support the Managed Installer rule collection or the Service Enforcement rule extensions mentioned below.
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 7a955f8700..73deb5fff0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -1,7 +1,7 @@
---
title: WDAC and AppLocker Overview
description: Compare Windows application control technologies.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index 9e0b0651d1..0484518b2a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -1,7 +1,7 @@
---
title: Planning and getting started on the Windows Defender Application Control deployment process (Windows 10)
description: Learn how to gather information, create a plan, and begin to test initial code integrity policies for a Windows Defender Application Control deployment.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
@@ -46,7 +46,7 @@ This topic provides a roadmap for planning and getting started on the Windows De
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
- For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications, where older versions of the application had vulnerabilities, also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
+ For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you allow them in your WDAC policies. Other applications, where older versions of the application had vulnerabilities, also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Microsoft recommended block rules](microsoft-recommended-block-rules.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
index 66a776eaf6..1d18afd93e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -1,7 +1,7 @@
---
title: Windows Defender Application Control design guide (Windows 10)
description: Microsoft Windows Defender Application Control allows organizations to control what apps and drivers will run on their managed Windows 10 devices.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
index d3e82010c2..9ee20747b7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
@@ -1,7 +1,7 @@
---
title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10)
description: Gather information about how your deployed Windows Defender Application Control policies are behaving.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 7f723913e2..e6c525c383 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -1,7 +1,7 @@
---
title: Application Control for Windows
description: Application Control restricts which applications users are allowed to run and the code that runs in the system core.
-keywords: whitelisting, security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index 9c4ca00884..e389280262 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -37,7 +37,7 @@ This hardware-based root of trust comes from the device’s Secure Boot feature,
This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
-Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known 'good' SRTM measurements (also known as a whitelist).
+Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a block list), or a list of known 'good' SRTM measurements (also known as an allow list).
Each option has a drawback:
- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust.
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
index a17ad45ab9..33b2c4f62e 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -38,7 +38,7 @@ This hardware-based root of trust comes from the device’s Secure Boot feature,
This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
-Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known 'good' SRTM measurements (also known as a whitelist).
+Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a block list), or a list of known 'good' SRTM measurements (also known as an allow list).
Each option has a drawback:
- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust.
|