From be4266f3b12ad3d6fc7226701cbc2badcd7f37a3 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Sun, 8 May 2022 22:04:20 +0200 Subject: [PATCH 1/3] implementing #10325 #10325 States that the events here are not available in Windows Server 2016 and up. I left this note but the poster of this issue asked for a link to document the way to find out if an event is applicable in these environments. Please provide such link. --- .../event-id-explanations.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 1b9d67ff10..76ba75181b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -20,6 +20,14 @@ ms.technology: windows-sec # Understanding Application Control events +**Applies to** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and up * + +* Not all events are available in Windows Server 2016 and up, e.g. (eg: 3099, 31xx). + A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: - Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational** From b99e24bb3008173e1937cfd48f4b51d6ad97765c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 9 May 2022 15:20:18 -0700 Subject: [PATCH 2/3] Update event-id-explanations.md --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 76ba75181b..d597eb2fe6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 04/30/2022 +ms.date: 05/09/2022 ms.technology: windows-sec --- From f99460406c4cf7299ff0985057d081fc619b89ce Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 17 May 2022 17:10:34 +0200 Subject: [PATCH 3/3] Update windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../event-id-explanations.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index d597eb2fe6..eaaf841ead 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -24,9 +24,7 @@ ms.technology: windows-sec - Windows 10 - Windows 11 -- Windows Server 2016 and up * - -* Not all events are available in Windows Server 2016 and up, e.g. (eg: 3099, 31xx). +- Windows Server 2016 and later (limited events) A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
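Review bot: In the PATCH 1/3 hunk, the added footnote line `* Not all events are available in Windows Server 2016 and up, e.g. (eg: 3099, 31xx).` begins with `* `, which Markdown parses as a list bullet, so it will render as a separate one-item list instead of a footnote tied to the trailing `*` on `- Windows Server 2016 and up *`. The same line also doubles the abbreviation ("e.g. (eg:"). Suggest dropping the asterisk pair and writing a plain sentence under the list, for example "Not all events are available on Windows Server 2016 and later (for example, 3099 and 31xx)." The commit message asks for a link that documents how to tell whether an event applies on these versions; the hunk adds none, so that part of #10325 is still open.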
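Review bot: In the PATCH 3/3 hunk, the new line `- Windows Server 2016 and later (limited events)` removes the only concrete examples the earlier text gave (3099, 31xx) and leaves "limited events" undefined, so a reader who monitors the CodeIntegrity log on a Server build cannot tell which event IDs to expect there. Suggest keeping the shorter bullet but adding one sentence below the list that names the affected IDs or ranges. The hunk also leaves `ms.date: 05/09/2022` from PATCH 2/3 unchanged although this change is dated 17 May 2022; bump it in the same commit if the date is meant to track content edits.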