From 77d18b1ba6294fd57f6448064366ad420f374cdd Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 10 Mar 2021 15:51:34 +0530 Subject: [PATCH 01/21] Updated --- .../mdm/Language-pack-management-csp.md | 65 +++++++++++++++++++ ...onfiguration-service-provider-reference.md | 27 ++++++++ 2 files changed, 92 insertions(+) create mode 100644 windows/client-management/mdm/Language-pack-management-csp.md diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md new file mode 100644 index 0000000000..ba439c06a3 --- /dev/null +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -0,0 +1,65 @@ +--- +title: LanguagePackManagement CSP +description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 03/12/2021 +--- + +# LanguagePackManagement CSP + + +Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. + + +Device context +1. Enumerate installed languages with GET command on the "InstalledLanguges" node + +Sample command +**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** +**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers** +**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers** + +The nodes under “InstalledLanguages” are the language tags of the installed languages. The “providers” node under language tag is the bit map representation of either "language pack (features)" or "LXPs". 1 indicates the language pack installed is a System Language Pack (non-LXP), “2” stands for LXPs installed. “3” stands for both installed. + +2. Install language pack features with EXECUTE command on the "StartInstall" node of the language + +Sample command +**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** +**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** + +The installation is an asynchronous operation. IT admin can query the ‘Status’ node using + +**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** +**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** + +Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed +> [!NOTE] +> If the IT administration has not set the policy of blocking cleanup of unused language packs, then this command will fail. + +3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. + +Sample command +**DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)** + +4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node + +Sample command +**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** + + + + + + + + + + + + diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index dcf8eec173..727a6c5348 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1374,6 +1374,33 @@ Additional lists: + +[LanguagePackManagement CSP](languagepackmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck markcheck markcheck mark
+ + + [Maps CSP](maps-csp.md) From 4eb06c120dde73dbf61b6f1420d5cf59692b3250 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 15 Mar 2021 15:46:47 +0530 Subject: [PATCH 02/21] updated --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- .../mdm/configuration-service-provider-reference.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index ba439c06a3..755472b5af 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -1,5 +1,5 @@ --- -title: LanguagePackManagement CSP +title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. ms.reviewer: manager: dansimp @@ -11,7 +11,7 @@ author: nimishasatapathy ms.date: 03/12/2021 --- -# LanguagePackManagement CSP +# Language Pack Management CSP Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 727a6c5348..d689057684 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1375,7 +1375,7 @@ Additional lists: -[LanguagePackManagement CSP](languagepackmanagement-csp.md) +[Language Pack Management CSP](language- pack-management-csp.md) From 07920ba872a88179aebf8d5458fcf08c71f1ed96 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 22 Mar 2021 12:16:50 +0530 Subject: [PATCH 03/21] updated --- .../mdm/configuration-service-provider-reference.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index d689057684..867a99d7d0 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1375,7 +1375,7 @@ Additional lists: -[Language Pack Management CSP](language- pack-management-csp.md) +[LanguagePackManagement CSP](language- pack-management-csp.md)
@@ -1389,13 +1389,13 @@ Additional lists: - - + + + + - -
Mobile Enterprise
cross markcross markcross markcross mark cross markcheck markcheck mark check markcheck markcheck mark
From f3672663d6f118bb9e0f8b91c847e86a9529cd1c Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 22 Mar 2021 14:55:48 +0530 Subject: [PATCH 04/21] updated --- .../mdm/configuration-service-provider-reference.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 867a99d7d0..2f152af35b 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1375,7 +1375,7 @@ Additional lists: -[LanguagePackManagement CSP](language- pack-management-csp.md) +[LanguagePackManagement CSP](language-pack-management-csp.md) @@ -1389,13 +1389,12 @@ Additional lists: - - - - - - + + + + +
Mobile Enterprise
cross markcross markcross markcheck mark check markcheck markcheck markcross markcheck markcheck markcross mark
From c2a85c0c718ddde7cdeee43e37171045d0b81a38 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 23 Jun 2021 09:05:44 -0700 Subject: [PATCH 05/21] Update Language-pack-management-csp.md --- .../mdm/Language-pack-management-csp.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 755472b5af..85fe76af37 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -1,6 +1,6 @@ --- title: Language Pack Management CSP -description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. +description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: manager: dansimp ms.author: dansimp @@ -8,17 +8,16 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nimishasatapathy -ms.date: 03/12/2021 +ms.date: 06/22/2021 --- # Language Pack Management CSP -Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. - +Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to allow provisioning of optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. device management tools like Intune can use management commands remotely to devices to configure language related settings. Device context -1. Enumerate installed languages with GET command on the "InstalledLanguges" node +1. Enumerate installed languages with GET command on the "InstalledLanguges" node: Sample command **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** @@ -30,10 +29,11 @@ The nodes under “InstalledLanguages” are the language tags of the installed 2. Install language pack features with EXECUTE command on the "StartInstall" node of the language Sample command + **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** -The installation is an asynchronous operation. IT admin can query the ‘Status’ node using +The installation is an asynchronous operation. IT admin can query the ‘Status’ node by using the following commands: **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** From c8d156c7354b04770d47904928c4d89e59d8e30e Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 23 Jun 2021 13:19:59 -0700 Subject: [PATCH 06/21] Update configuration-service-provider-reference.md fixing relative link --- .../mdm/configuration-service-provider-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 2f152af35b..8d54b43c2b 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1109,7 +1109,7 @@ Additional lists: check mark -Only for mobile application management (MAM) +Only for mobile application management (MAM) check mark check mark @@ -2843,4 +2843,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update -- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) +- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) From 769114b7494120e57e068de280a77cb18b49c4d9 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 23 Jun 2021 13:28:04 -0700 Subject: [PATCH 07/21] Update Language-pack-management-csp.md --- .../mdm/Language-pack-management-csp.md | 42 ++++++++++++------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 85fe76af37..2e9d2f4140 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -14,43 +14,55 @@ ms.date: 06/22/2021 # Language Pack Management CSP -Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to allow provisioning of optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. device management tools like Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to provision optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. Device management tools such as Intune can use management commands remotely to devices to configure language related settings. -Device context -1. Enumerate installed languages with GET command on the "InstalledLanguges" node: +1. List the installed languages with GET command on the "InstalledLanguges" node. For example: -Sample command -**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** -**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers** -**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers** +``` +GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages +GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers +GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers +``` -The nodes under “InstalledLanguages” are the language tags of the installed languages. The “providers” node under language tag is the bit map representation of either "language pack (features)" or "LXPs". 1 indicates the language pack installed is a System Language Pack (non-LXP), “2” stands for LXPs installed. “3” stands for both installed. +The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indidcates that the LXP is installed. **3** indicates that both are installed. -2. Install language pack features with EXECUTE command on the "StartInstall" node of the language - -Sample command +2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, +``` **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** +``` -The installation is an asynchronous operation. IT admin can query the ‘Status’ node by using the following commands: +The installation is an asynchronous operation. You can query the **Status** node by using the following commands: +``` **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** +``` + +Return value definitions are: + +- 0 – Not started +- 1 – In process +- 2 – Succeeded +- 3 – Failed. ErrorCode is a HRESULT that could help you diagnose the issue and why installation failed -Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed > [!NOTE] -> If the IT administration has not set the policy of blocking cleanup of unused language packs, then this command will fail. +> If the IT administrator has not set the policy of blocking cleanup of unused language packs, then this command will fail. -3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. +3. Delete installed Language with the DELETE command on the installed language tag. The deletion will run in background, and admins can query the installed language later and resend the command if needed. Sample command +``` **DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)** +``` 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node Sample command +``` **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** +``` From 4a278d355423eb63947930bfda1eab44643500b1 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 25 Jun 2021 09:22:30 -0700 Subject: [PATCH 08/21] Update configuration-service-provider-reference.md --- .../mdm/configuration-service-provider-reference.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 3dad2ebf68..679a0aabe7 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1036,7 +1036,6 @@ Additional lists: check mark Only for mobile application management (MAM) - check mark check mark check mark From 8d5d5e2f5ad1cf5ec2d42c19692250213fa9a3cd Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 25 Jun 2021 16:20:23 -0700 Subject: [PATCH 09/21] Acrolinx "a existing" --- .../security/information-protection/tpm/tpm-recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 6bde2d3d8d..2a29a3881a 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -95,7 +95,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). +- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). ### IoT Core From c163663490a9c6b53e407a7ea2145407739cac0d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 25 Jun 2021 16:20:54 -0700 Subject: [PATCH 10/21] Fixed broken note --- .../security/information-protection/tpm/tpm-recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 2a29a3881a..658a7d98d5 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -72,7 +72,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. - +> > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. ## Discrete, Integrated or Firmware TPM? From f3a48169fa776b759e5f8f8e5dd3d4fa6c113b4a Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 27 Jun 2021 15:03:31 +0530 Subject: [PATCH 11/21] Update Language-pack-management-csp.md --- windows/client-management/mdm/Language-pack-management-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 2e9d2f4140..d5266e8bf7 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -24,7 +24,7 @@ GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Provide GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers ``` -The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indidcates that the LXP is installed. **3** indicates that both are installed. +The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. 2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, From 305560033d5d1e7ffb8db62e7b65ef3e963d4201 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 27 Jun 2021 17:01:16 +0530 Subject: [PATCH 12/21] Updated --- .../mdm/Language-pack-management-csp.md | 64 ++++++------------- .../policy-configuration-service-provider.md | 9 +++ 2 files changed, 29 insertions(+), 44 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index d5266e8bf7..3c7af93899 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -1,5 +1,5 @@ --- -title: Language Pack Management CSP +title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: manager: dansimp @@ -14,64 +14,40 @@ ms.date: 06/22/2021 # Language Pack Management CSP -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to provision optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. Device management tools such as Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. -1. List the installed languages with GET command on the "InstalledLanguges" node. For example: +1. Enumerate installed languages with GET command on the "InstalledLanguages" node + + ***GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers*** -``` -GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages -GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers -GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers -``` -The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. 2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, -``` -**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** -**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** -``` + ***ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** + **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation*** -The installation is an asynchronous operation. You can query the **Status** node by using the following commands: + The installation is an asynchronous operation. You can query the **Status** node by using the following commands: -``` -**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** -**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** -``` + *****GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**** + ***GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode*** -Return value definitions are: - -- 0 – Not started -- 1 – In process -- 2 – Succeeded -- 3 – Failed. ErrorCode is a HRESULT that could help you diagnose the issue and why installation failed + Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. > [!NOTE] -> If the IT administrator has not set the policy of blocking cleanup of unused language packs, then this command will fail. +> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. -3. Delete installed Language with the DELETE command on the installed language tag. The deletion will run in background, and admins can query the installed language later and resend the command if needed. +3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. -Sample command -``` -**DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)** -``` + + ***DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN(Delete command)*** 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node -Sample command -``` -**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** -``` - - - - - - - - - - + **.*/Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages*** + \ No newline at end of file diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index fbe229c166..329281e328 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1371,6 +1371,7 @@ The following diagram shows the Policy configuration service provider in tree fo + ## ADMX_ICM policies
@@ -6781,6 +6782,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### Language Pack Management CSP policies + +
+
+ LanmanWorkstation/EnableInsecureGuestLogons +
+
+ ### Licensing policies
From 6b6be2cac41decb77f9ded8b594274a4956cc761 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sun, 27 Jun 2021 23:45:45 +0530 Subject: [PATCH 13/21] Updated --- .../mdm/Language-pack-management-csp.md | 21 +++++++++++-------- ...onfiguration-service-provider-reference.md | 1 + 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 3c7af93899..f4a96bb39f 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -18,22 +18,25 @@ The Language Pack Management CSP allows a direct way to provision language packs 1. Enumerate installed languages with GET command on the "InstalledLanguages" node - ***GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers*** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed. + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + - Indicates the language pack installed is a System Language Pack (non-LXP) + - Indicates that the LXP is installed. + - Indicates that both are installed. 2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example, - ***ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** - **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation*** + **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/** + **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation** The installation is an asynchronous operation. You can query the **Status** node by using the following commands: - *****GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**** - ***GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode*** + **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status** + **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode** Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. @@ -43,11 +46,11 @@ The Language Pack Management CSP allows a direct way to provision language packs 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. - ***DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN(Delete command)*** + **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)** 4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node - **.*/Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages*** + **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** \ No newline at end of file diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 679a0aabe7..4f9dd3d9da 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1302,6 +1302,7 @@ Additional lists: check mark check mark cross mark + cross mark From 79aa1ec40fdb67558946ea5a0a45fe963b91e092 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 28 Jun 2021 00:02:45 +0530 Subject: [PATCH 14/21] Updated --- .../mdm/Language-pack-management-csp.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index f4a96bb39f..dab7171589 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -3,7 +3,7 @@ title: Language Pack Management CSP description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. ms.reviewer: manager: dansimp -ms.author: dansimp +ms.author: v-nsatapathy ms.topic: article ms.prod: w10 ms.technology: windows @@ -14,16 +14,15 @@ ms.date: 06/22/2021 # Language Pack Management CSP -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. 1. Enumerate installed languages with GET command on the "InstalledLanguages" node - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** - **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** + **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (feature)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). - Indicates the language pack installed is a System Language Pack (non-LXP) - Indicates that the LXP is installed. - Indicates that both are installed. @@ -52,5 +51,3 @@ The Language Pack Management CSP allows a direct way to provision language packs **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages** - - \ No newline at end of file From 127f9618472920da0a49c483a55b616a65dc73de Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 28 Jun 2021 00:08:19 +0530 Subject: [PATCH 15/21] Update Language-pack-management-csp.md --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index dab7171589..4dbd9ec98a 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -14,7 +14,7 @@ ms.date: 06/22/2021 # Language Pack Management CSP -The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. +The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings. 1. Enumerate installed languages with GET command on the "InstalledLanguages" node @@ -22,7 +22,7 @@ The Language Pack Management CSP allows a direct way to provision language packs **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (feature)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). - Indicates the language pack installed is a System Language Pack (non-LXP) - Indicates that the LXP is installed. - Indicates that both are installed. From 4497fee51b2b1d8d1176a86ce303d395849492cc Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 28 Jun 2021 09:34:58 -0600 Subject: [PATCH 16/21] Apply suggestions from code review --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 4dbd9ec98a..40b8e8546f 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -22,7 +22,7 @@ The Language Pack Management CSP allows a direct way to provision language packs **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers** **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers** - The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). + The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1). - Indicates the language pack installed is a System Language Pack (non-LXP) - Indicates that the LXP is installed. - Indicates that both are installed. @@ -40,7 +40,7 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. > [!NOTE] -> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From b20ff81b07a24be019f09cc0aad92c4462c4f700 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 28 Jun 2021 08:38:48 -0700 Subject: [PATCH 17/21] Update windows/client-management/mdm/Language-pack-management-csp.md Co-authored-by: Diana Hanson --- windows/client-management/mdm/Language-pack-management-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 40b8e8546f..0a1e9f72a4 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -39,7 +39,7 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. -> [!NOTE] + > [!NOTE] > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From acbcb2af334d511dc268af19e4df7e533063b797 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 28 Jun 2021 09:40:57 -0600 Subject: [PATCH 18/21] Pencil edit indenting note --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 0a1e9f72a4..ab539346d8 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -39,8 +39,8 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. - > [!NOTE] - > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + > [!NOTE] + > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From a8a6c1e53d2a0314b4d7c60e8f47b8d809c74d6f Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 28 Jun 2021 09:45:44 -0600 Subject: [PATCH 19/21] Pencil edit indent note more --- windows/client-management/mdm/Language-pack-management-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index ab539346d8..0a1e9f72a4 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -39,8 +39,8 @@ The Language Pack Management CSP allows a direct way to provision language packs Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed. - > [!NOTE] - > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. + > [!NOTE] + > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail. 3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. From ac723009ef483f88684707563a95f415dc7d7b1a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 28 Jun 2021 08:49:57 -0700 Subject: [PATCH 20/21] term updates --- windows/client-management/mdm/policy-csp-admx-printing.md | 6 +++--- windows/client-management/windows-10-mobile-and-mdm.md | 2 +- .../deployment/upgrade/upgrade-windows-phone-8-1-to-10.md | 2 +- windows/security/threat-protection/auditing/event-4624.md | 2 +- windows/security/threat-protection/auditing/event-4648.md | 2 +- windows/security/threat-protection/auditing/event-4688.md | 2 +- windows/security/threat-protection/auditing/event-4696.md | 2 +- windows/security/threat-protection/auditing/event-4703.md | 2 +- windows/security/threat-protection/auditing/event-4704.md | 2 +- windows/security/threat-protection/auditing/event-4705.md | 2 +- windows/security/threat-protection/auditing/event-4717.md | 2 +- windows/security/threat-protection/auditing/event-4718.md | 2 +- windows/security/threat-protection/auditing/event-4732.md | 2 +- windows/security/threat-protection/auditing/event-4733.md | 2 +- windows/security/threat-protection/auditing/event-4751.md | 2 +- windows/security/threat-protection/auditing/event-4752.md | 2 +- windows/security/threat-protection/auditing/event-4768.md | 2 +- windows/security/threat-protection/auditing/event-4771.md | 2 +- windows/security/threat-protection/auditing/event-4776.md | 2 +- windows/security/threat-protection/auditing/event-4778.md | 2 +- windows/security/threat-protection/auditing/event-4779.md | 2 +- 21 files changed, 23 insertions(+), 23 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index c831b4a527..3ed6f22a6c 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1842,11 +1842,11 @@ Available in the latest Windows 10 Insider Preview Build. Announces the presence On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. -If you enable this setting, the print spooler announces shared printers to the print browse master servers. +If you enable this setting, the print spooler announces shared printers to the print browse main servers. -If you disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available. +If you disable this setting, shared printers are not announced to print browse main servers, even if Active Directory is not available. -If you do not configure this setting, shared printers are announced to browse master servers only when Active Directory is not available. +If you do not configure this setting, shared printers are announced to browse main servers only when Active Directory is not available. > [!NOTE] > A client license is used each time a client computer announces a printer to a print browse master on the domain. diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 608f2041b2..47b2fc60cb 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -978,7 +978,7 @@ This is a list of attributes that are supported by DHA and can trigger the corre - **Boot Manager Version** The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted). - **Code integrity version** Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted). - **Secure Boot Configuration Policy (SBCP) present** Specifies whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash. -- **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant. +- **Boot cycle allow list** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant. #### Example scenario diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md index 2876fbd034..d07348165d 100644 --- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md @@ -32,7 +32,7 @@ This article describes how system administrators can upgrade eligible Windows Ph The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. -If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whitelist) with app allow-lists that could adversely affect the device after you upgrade. +If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) with app allow-lists that could adversely affect the device after you upgrade. Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can block the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to restrict the Upgrade Advisor app, see the [How to restrict the Upgrade Advisor app](#howto-restrict) section in this article. Enterprises that have restricted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index f34d8e3ae4..27db3be3f3 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -286,7 +286,7 @@ For 4624(S): An account was successfully logged on. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index 8483ee08ac..44eb565de4 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -179,7 +179,7 @@ The following table is similar to the table in [Appendix A: Security monitoring | **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.
Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.
For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions. | diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 39167d9431..6e90a42a1e 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -193,7 +193,7 @@ For 4688(S): A new process has been created. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "whitelist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index 520d0d5d1e..e35c7d44e0 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -153,7 +153,7 @@ For 4696(S): A primary token was assigned to process. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index 243fa17ce2..3d024b8ccf 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -195,7 +195,7 @@ Otherwise, see the recommendations in the following table. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. | diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index 4dc7eb2c64..a4e0e07aa3 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -153,7 +153,7 @@ For 4704(S): A user right was assigned. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. | diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index 9478ffd125..83accc384e 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -152,7 +152,7 @@ For 4705(S): A user right was removed. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.
For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.
As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. | diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index 32576cdc3b..3b438e68d4 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -127,7 +127,7 @@ For 4717(S): System security access was granted to an account. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. | diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index 2c7f91f8c7..75f96131fe 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -127,7 +127,7 @@ For 4718(S): System security access was removed from an account. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.
As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. | diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index 43c74c4d05..543455432e 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -154,7 +154,7 @@ For 4732(S): A member was added to a security-enabled local group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index b7bad044d0..2b749c0511 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -161,7 +161,7 @@ For 4733(S): A member was removed from a security-enabled local group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index a6ac4afde8..39888ce838 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -158,7 +158,7 @@ For 4751(S): A member was added to a security-disabled global group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index 7a81d28e4f..a1e4dff838 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -149,7 +149,7 @@ For 4752(S): A member was removed from a security-disabled global group. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index d4de56e2c7..cea554341c 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -305,7 +305,7 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“User ID”** for accounts that are outside the allow list. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. | diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index ec7a4064e5..c5aea23ecb 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -274,7 +274,7 @@ For 4771(F): Kerberos pre-authentication failed. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Security ID”** for accounts that are outside the allow list. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. | - You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index d5d1fcdf4f..75dc6a4a69 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -130,7 +130,7 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | | **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. | diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index 74b7630bc6..8293e41487 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -127,7 +127,7 @@ For 4778(S): A session was reconnected to a Window Station. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | -| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about. | diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 7cf0dec285..f9c2757ab6 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -131,7 +131,7 @@ For 4779(S): A session was disconnected from a Window Station. | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. | -| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. | +| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. | | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
For example, you might have computers to which connections should not be made from certain accounts or addresses. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.
If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. | From 40664b79fbf7f9d650ee4220890c3ef2fe8a574b Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 28 Jun 2021 08:57:46 -0700 Subject: [PATCH 21/21] term up --- windows/client-management/mdm/policy-csp-admx-printing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 3ed6f22a6c..0781ec7432 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -1838,7 +1838,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse master servers for the domain. +Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse main servers for the domain. On domains with Active Directory, shared printer resources are available in Active Directory and are not announced.