diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index 1f1f11f0bd..8a39f5ec42 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 02/07/2022 +ms.date: 05/09/2022 --- # WindowsAutopilot CSP diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 66754be796..db7379ba1f 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -485,8 +485,8 @@ Any user accessing the system through Terminal Services has the Terminal Server | Attribute | Value | | :--: | :--: | -| Well-Known SID/RID | | -|Object Class| | +| Well-Known SID/RID | S-1-5-90 | +|Object Class| Foreign Security Principal| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
| diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 3843fecaa8..b964f460e9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -44,6 +44,9 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. +> [!NOTE] +> If your Active Directory forest has multiple domains, your ADConnect accounts need to be members of the **Enterprise Key Admins** group. This membership is needed to write the keys to other domain users. + ### Section Review > [!div class="checklist"] @@ -63,4 +66,4 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index f54986956f..2bfe923e1c 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -265,7 +265,7 @@ The account options on a user account includes an option -- **Smart card is requ **SCRIL setting for a user on Active Directory Users and Computers.** When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: -- the do not know their password. +- they do not know their password. - their password is 128 random bits of data and is likely to include non-typable characters. - the user is not asked to change their password - domain controllers do not allow passwords for interactive authentication diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index aa92e85a9c..cb4136a227 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml @@ -17,45 +17,10 @@ metadata: ms.topic: faq ms.date: 11/10/2021 ms.technology: mde + title: Advanced security auditing FAQ -summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - - - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) - - - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) - - - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) - - - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) - - - [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-) - - - [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-) - - - [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-) - - - [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-) - - - [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-) - - - [How do I ascertain the purpose for accessing a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-) - - - [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-) - - - [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-) - - - [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-) - - - [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-) - - - [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-) - - - [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-) - - - [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-) - +summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. sections: - name: Ignored diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 1b9d67ff10..eaaf841ead 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -14,12 +14,18 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 04/30/2022 +ms.date: 05/09/2022 ms.technology: windows-sec --- # Understanding Application Control events +**Applies to** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and later (limited events) + A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: - Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**