mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 05:17:22 +00:00
(Windows 10)
This commit is contained in:
Paolo Matarazzo
parent
0b6ae89c96
commit
d6cd44eb56
@ -1,24 +1,16 @@
|
||||
---
|
||||
title: How Windows Hello for Business works - Authentication
|
||||
description: Learn about the authentication flow for Windows Hello for Business.
|
||||
ms.date: 02/15/2022
|
||||
ms.topic: article
|
||||
title: How Windows Hello for Business authentication works
|
||||
description: Learn about the Windows Hello for Business authentication flows.
|
||||
ms.date: 05/24/2023
|
||||
ms.topic: reference
|
||||
---
|
||||
# Windows Hello for Business and Authentication
|
||||
# Windows Hello for Business authentication
|
||||
|
||||
Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
|
||||
Windows Hello for Business authentication is a passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
|
||||
|
||||
Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
|
||||
Azure AD-joined devices authenticate to Azure AD during sign-in and can, optionally, authenticate to Active Directory. Hybrid Azure AD-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure AD in the background.
|
||||
|
||||
- [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
|
||||
- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-kerberos-trust)
|
||||
- [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key)
|
||||
- [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
|
||||
- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust)
|
||||
- [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key)
|
||||
- [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
|
||||
|
||||
## Azure AD join authentication to Azure Active Directory
|
||||
## Azure AD join authentication to Azure AD
|
||||
|
||||
|
||||
|
||||
@ -27,20 +19,20 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
|
||||
|
||||
| Phase | Description |
|
||||
| :----: | :----------- |
|
||||
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
|
||||
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
|
||||
|B | The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.|
|
||||
|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
|
||||
|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. Azure AD then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
|
||||
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|
||||
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|
||||
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|
||||
|
||||
## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)
|
||||
## Azure AD join authentication to Active Directory using cloud Kerberos trust
|
||||
|
||||
|
||||
|
||||
| Phase | Description |
|
||||
| :----: | :----------- |
|
||||
|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller.
|
||||
|B | After locating an active 2016 domain controller, the Kerberos provider sends a partial TGT that it received from Azure AD from a previous Azure AD authentication to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller will verify that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
|
||||
|B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Azure AD from a previous Azure AD authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
|
||||
|
||||
## Azure AD join authentication to Active Directory using a key
|
||||
|
||||
@ -48,9 +40,9 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
|
||||
|
||||
| Phase | Description |
|
||||
| :----: | :----------- |
|
||||
|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates an active 2016 domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
|
||||
|B | The Kerberos provider sends the signed pre-authentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|
||||
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
|
||||
|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
|
||||
|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|
||||
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|
||||
|
||||
> [!NOTE]
|
||||
> You might have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Azure AD joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
|
||||
@ -61,24 +53,24 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
|
||||
|
||||
| Phase | Description |
|
||||
| :----: | :----------- |
|
||||
|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
|
||||
|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|
||||
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
|
||||
|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
|
||||
|B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|
||||
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|
||||
|
||||
> [!NOTE]
|
||||
> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
|
||||
|
||||
## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)
|
||||
## Hybrid Azure AD join authentication using cloud Kerberos trust
|
||||
|
||||
|
||||
|
||||
| Phase | Description |
|
||||
| :----: | :----------- |
|
||||
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
|
||||
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
|
||||
|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
|
||||
|C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
|
||||
|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
|
||||
|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller will verify that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos will return the TGT to lsass, where it is cached and used for subsequent service ticket requests. Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|
||||
|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|
||||
|
||||
## Hybrid Azure AD join authentication using a key
|
||||
|
||||
@ -86,11 +78,11 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
|
||||
|
||||
| Phase | Description |
|
||||
| :----: | :----------- |
|
||||
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|
||||
|B | The Kerberos provider sends the signed pre-authentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|
||||
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|
||||
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
|
||||
|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|
||||
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|
||||
|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|
||||
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|
||||
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|
||||
|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|
||||
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
|
||||
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
|
||||
|
||||
@ -103,13 +95,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
|
||||
|
||||
| Phase | Description |
|
||||
| :----: | :----------- |
|
||||
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|
||||
|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|
||||
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|
||||
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
|
||||
|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|
||||
|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|
||||
|B | The Kerberos provider sends the signed preauthentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|
||||
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|
||||
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
|
||||
|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|
||||
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
|
||||
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
|
||||
|
||||
> [!IMPORTANT]
|
||||
> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller for the first time.
|
||||
> In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
|
||||
title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
|
||||
description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
|
||||
ms.collection:
|
||||
- highpri
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
|
||||
title: Get Started with Virtual Smart Cards - Walkthrough Guide
|
||||
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
|
||||
ms.topic: conceptual
|
||||
ms.date: 02/22/2023
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: VPN authentication options (Windows 10 and Windows 11)
|
||||
title: VPN authentication options
|
||||
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
|
||||
ms.date: 09/23/2021
|
||||
ms.topic: conceptual
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: VPN auto-triggered profile options (Windows 10 and Windows 11)
|
||||
title: VPN auto-triggered profile options
|
||||
description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
|
||||
ms.date: 09/23/2021
|
||||
ms.topic: conceptual
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: VPN and conditional access (Windows 10 and Windows 11)
|
||||
title: VPN and conditional access
|
||||
description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
|
||||
ms.date: 09/23/2021
|
||||
ms.topic: conceptual
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: VPN connection types (Windows 10 and Windows 11)
|
||||
title: VPN connection types
|
||||
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
|
||||
ms.date: 08/23/2021
|
||||
ms.topic: conceptual
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Windows VPN technical guide (Windows 10 and Windows 11)
|
||||
title: Windows VPN technical guide
|
||||
description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment.
|
||||
ms.date: 02/21/2022
|
||||
ms.topic: conceptual
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: VPN name resolution (Windows 10 and Windows 11)
|
||||
title: VPN name resolution
|
||||
description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
|
||||
ms.date: 09/23/2021
|
||||
ms.topic: conceptual
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: VPN profile options (Windows 10 and Windows 11)
|
||||
title: VPN profile options
|
||||
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
|
||||
ms.date: 05/17/2018
|
||||
ms.topic: conceptual
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: BCD settings and BitLocker (Windows 10)
|
||||
title: BCD settings and BitLocker
|
||||
description: This article for IT professionals describes the BCD settings that are used by BitLocker.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: BitLocker Countermeasures (Windows 10)
|
||||
title: BitLocker Countermeasures
|
||||
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: BitLocker deployment comparison (Windows 10)
|
||||
title: BitLocker deployment comparison
|
||||
description: This article shows the BitLocker deployment comparison chart.
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: BitLocker Group Policy settings (Windows 10)
|
||||
title: BitLocker Group Policy settings
|
||||
description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: BitLocker - How to enable Network Unlock (Windows 10)
|
||||
title: BitLocker - How to enable Network Unlock
|
||||
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10)
|
||||
title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker
|
||||
description: This article for the IT professional describes how to use tools to manage BitLocker.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10)
|
||||
title: BitLocker Use BitLocker Recovery Password Viewer
|
||||
description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Prepare the organization for BitLocker Planning and policies (Windows 10)
|
||||
title: Prepare the organization for BitLocker Planning and policies
|
||||
description: This article for the IT professional explains how can to plan for a BitLocker deployment.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10)
|
||||
title: Protecting cluster shared volumes and storage area networks with BitLocker
|
||||
description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
|
||||
title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
|
||||
description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10)
|
||||
title: How to collect Windows Information Protection (WIP) audit event logs
|
||||
description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10)
|
||||
title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
|
||||
description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10)
|
||||
title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
|
||||
description: After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
|
||||
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
|
||||
description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
|
||||
title: General guidance and best practices for Windows Information Protection (WIP)
|
||||
description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
|
||||
title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
|
||||
description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager (Windows 10)
|
||||
title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager
|
||||
description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
|
||||
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune
|
||||
description: Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Recommended URLs for Windows Information Protection (Windows 10)
|
||||
title: Recommended URLs for Windows Information Protection
|
||||
description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
|
||||
title: Testing scenarios for Windows Information Protection (WIP)
|
||||
description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
|
||||
ms.reviewer:
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Using Outlook on the web with WIP (Windows 10)
|
||||
title: Using Outlook on the web with WIP
|
||||
description: Options for using Outlook on the web with Windows Information Protection (WIP).
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
|
||||
title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
|
||||
description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Advanced security audit policy settings (Windows 10)
|
||||
title: Advanced security audit policy settings
|
||||
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
|
||||
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
|
||||
ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Advanced security audit policies (Windows 10)
|
||||
title: Advanced security audit policies
|
||||
description: Advanced security audit policy settings may appear to overlap with basic policies, but they are recorded and applied differently. Learn more about them here.
|
||||
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
|
||||
title: Appendix A, Security monitoring recommendations for many audit events
|
||||
description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
|
||||
ms.pagetype: security
|
||||
ms.prod: windows-client
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Apply a basic audit policy on a file or folder (Windows 10)
|
||||
title: Apply a basic audit policy on a file or folder
|
||||
description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
|
||||
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Account Lockout (Windows 10)
|
||||
title: Audit Account Lockout
|
||||
description: The policy setting, Audit Account Lockout, enables you to audit security events generated by a failed attempt to log on to an account that is locked out.
|
||||
ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Application Generated (Windows 10)
|
||||
title: Audit Application Generated
|
||||
description: The policy setting, Audit Application Generated, determines if audit events are generated when applications attempt to use the Windows Auditing APIs.
|
||||
ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Application Group Management (Windows 10)
|
||||
title: Audit Application Group Management
|
||||
description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed.
|
||||
ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Audit Policy Change (Windows 10)
|
||||
title: Audit Audit Policy Change
|
||||
description: The Advanced Security Audit policy setting, Audit Audit Policy Change, determines if audit events are generated when changes are made to audit policy.
|
||||
ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Authentication Policy Change (Windows 10)
|
||||
title: Audit Authentication Policy Change
|
||||
description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed.
|
||||
ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Authorization Policy Change (Windows 10)
|
||||
title: Audit Authorization Policy Change
|
||||
description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy.
|
||||
ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Central Access Policy Staging (Windows 10)
|
||||
title: Audit Central Access Policy Staging
|
||||
description: The Advanced Security Audit policy setting, Audit Central Access Policy Staging, determines permissions on a Central Access Policy.
|
||||
ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Certification Services (Windows 10)
|
||||
title: Audit Certification Services
|
||||
description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed.
|
||||
ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Computer Account Management (Windows 10)
|
||||
title: Audit Computer Account Management
|
||||
description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted.
|
||||
ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Credential Validation (Windows 10)
|
||||
title: Audit Credential Validation
|
||||
description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted.
|
||||
ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Detailed Directory Service Replication (Windows 10)
|
||||
title: Audit Detailed Directory Service Replication
|
||||
description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers
|
||||
ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Detailed File Share (Windows 10)
|
||||
title: Audit Detailed File Share
|
||||
description: The Advanced Security Audit policy setting, Audit Detailed File Share, allows you to audit attempts to access files and folders on a shared folder.
|
||||
ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Directory Service Access (Windows 10)
|
||||
title: Audit Directory Service Access
|
||||
description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (AD DS) object is accessed.
|
||||
ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Directory Service Changes (Windows 10)
|
||||
title: Audit Directory Service Changes
|
||||
description: The policy setting Audit Directory Service Changes determines if audit events are generated when objects in Active Directory Domain Services (AD DS) are changed
|
||||
ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Directory Service Replication (Windows 10)
|
||||
title: Audit Directory Service Replication
|
||||
description: Audit Directory Service Replication is a policy setting that decides if audit events are created when replication between two domain controllers begins or ends.
|
||||
ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Distribution Group Management (Windows 10)
|
||||
title: Audit Distribution Group Management
|
||||
description: The policy setting, Audit Distribution Group Management, determines if audit events are generated for specific distribution-group management tasks.
|
||||
ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit DPAPI Activity (Windows 10)
|
||||
title: Audit DPAPI Activity
|
||||
description: The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls to the data protection application interface (DPAPI) generate audit events.
|
||||
ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit File Share (Windows 10)
|
||||
title: Audit File Share
|
||||
description: The Advanced Security Audit policy setting, Audit File Share, determines if the operating system generates audit events when a file share is accessed.
|
||||
ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit File System (Windows 10)
|
||||
title: Audit File System
|
||||
description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects.
|
||||
ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Filtering Platform Connection (Windows 10)
|
||||
title: Audit Filtering Platform Connection
|
||||
description: The policy setting, Audit Filtering Platform Connection, decides if audit events are generated when connections are allow/blocked by Windows Filtering Platform.
|
||||
ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Filtering Platform Packet Drop (Windows 10)
|
||||
title: Audit Filtering Platform Packet Drop
|
||||
description: The policy setting, Audit Filtering Platform Packet Drop, determines if audit events are generated when packets are dropped by the Windows Filtering Platform.
|
||||
ms.assetid: 95457601-68d1-4385-af20-87916ddab906
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Filtering Platform Policy Change (Windows 10)
|
||||
title: Audit Filtering Platform Policy Change
|
||||
description: The policy setting, Audit Filtering Platform Policy Change, determines if audit events are generated for certain IPsec and Windows Filtering Platform actions.
|
||||
ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Group Membership (Windows 10)
|
||||
title: Audit Group Membership
|
||||
description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC.
|
||||
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Handle Manipulation (Windows 10)
|
||||
title: Audit Handle Manipulation
|
||||
description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed.
|
||||
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit IPsec Driver (Windows 10)
|
||||
title: Audit IPsec Driver
|
||||
description: The Advanced Security Audit policy setting, Audit IPsec Driver, determines if audit events are generated for the activities of the IPsec driver.
|
||||
ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit IPsec Extended Mode (Windows 10)
|
||||
title: Audit IPsec Extended Mode
|
||||
description: The setting, Audit IPsec Extended Mode, determines if audit events are generated for the results of IKE protocol and AuthIP during Extended Mode negotiations.
|
||||
ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit IPsec Main Mode (Windows 10)
|
||||
title: Audit IPsec Main Mode
|
||||
description: Learn about the policy setting, Audit IPsec Main Mode, which determines if the results of certain protocols generate events during Main Mode negotiations.
|
||||
ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit IPsec Quick Mode (Windows 10)
|
||||
title: Audit IPsec Quick Mode
|
||||
description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations.
|
||||
ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Kerberos Authentication Service (Windows 10)
|
||||
title: Audit Kerberos Authentication Service
|
||||
description: The policy setting Audit Kerberos Authentication Service decides if audit events are generated for Kerberos authentication ticket-granting ticket (TGT) requests
|
||||
ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Kerberos Service Ticket Operations (Windows 10)
|
||||
title: Audit Kerberos Service Ticket Operations
|
||||
description: The policy setting, Audit Kerberos Service Ticket Operations, determines if security audit events are generated for Kerberos service ticket requests.
|
||||
ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Kernel Object (Windows 10)
|
||||
title: Audit Kernel Object
|
||||
description: The policy setting, Audit Kernel Object, decides if user attempts to access the system kernel (which includes mutexes and semaphores) generate audit events.
|
||||
ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Logoff (Windows 10)
|
||||
title: Audit Logoff
|
||||
description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated.
|
||||
ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Logon (Windows 10)
|
||||
title: Audit Logon
|
||||
description: The Advanced Security Audit policy setting, Audit Logon, determines if audit events are generated when a user attempts to log on to a computer.
|
||||
ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit MPSSVC Rule-Level Policy Change (Windows 10)
|
||||
title: Audit MPSSVC Rule-Level Policy Change
|
||||
description: Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe).
|
||||
ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Network Policy Server (Windows 10)
|
||||
title: Audit Network Policy Server
|
||||
description: The policy setting, Audit Network Policy Server, determines if audit events are generated for RADIUS (IAS) and NAP activity on user access requests.
|
||||
ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Non-Sensitive Privilege Use (Windows 10)
|
||||
title: Audit Non-Sensitive Privilege Use
|
||||
description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
|
||||
ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Other Account Logon Events (Windows 10)
|
||||
title: Audit Other Account Logon Events
|
||||
description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
|
||||
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Other Account Management Events (Windows 10)
|
||||
title: Audit Other Account Management Events
|
||||
description: The Advanced Security Audit policy setting, Audit Other Account Management Events, determines if user account management audit events are generated.
|
||||
ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Other Logon/Logoff Events (Windows 10)
|
||||
title: Audit Other Logon/Logoff Events
|
||||
description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events.
|
||||
ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Other Object Access Events (Windows 10)
|
||||
title: Audit Other Object Access Events
|
||||
description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects.
|
||||
ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Other Policy Change Events (Windows 10)
|
||||
title: Audit Other Policy Change Events
|
||||
description: The policy setting, Audit Other Policy Change Events, determines if audit events are generated for security policy changes that are not otherwise audited.
|
||||
ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Other Privilege Use Events (Windows 10)
|
||||
title: Audit Other Privilege Use Events
|
||||
description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
|
||||
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Other System Events (Windows 10)
|
||||
title: Audit Other System Events
|
||||
description: The Advanced Security Audit policy setting, Audit Other System Events, determines if the operating system audits various system events.
|
||||
ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit PNP Activity (Windows 10)
|
||||
title: Audit PNP Activity
|
||||
description: The advanced security audit policy setting, Audit PNP Activity, determines when plug and play detects an external device.
|
||||
ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Process Creation (Windows 10)
|
||||
title: Audit Process Creation
|
||||
description: The Advanced Security Audit policy setting, Audit Process Creation, determines if audit events are generated when a process is created (starts).
|
||||
ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Process Termination (Windows 10)
|
||||
title: Audit Process Termination
|
||||
description: The Advanced Security Audit policy setting, Audit Process Termination, determines if audit events are generated when an attempt is made to end a process.
|
||||
ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Registry (Windows 10)
|
||||
title: Audit Registry
|
||||
description: The Advanced Security Audit policy setting, Audit Registry, determines if audit events are generated when users attempt to access registry objects.
|
||||
ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Removable Storage (Windows 10)
|
||||
title: Audit Removable Storage
|
||||
description: The Advanced Security Audit policy setting, Audit Removable Storage, determines when there is a read or a write to a removable drive.
|
||||
ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit RPC Events (Windows 10)
|
||||
title: Audit RPC Events
|
||||
description: Audit RPC Events is an audit policy setting that determines if audit events are generated when inbound remote procedure call (RPC) connections are made.
|
||||
ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit SAM (Windows 10)
|
||||
title: Audit SAM
|
||||
description: The Advanced Security Audit policy setting, Audit SAM, enables you to audit events generated by attempts to access Security Account Manager (SAM) objects.
|
||||
ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Security Group Management (Windows 10)
|
||||
title: Audit Security Group Management
|
||||
description: The policy setting, Audit Security Group Management, determines if audit events are generated when specific security group management tasks are performed.
|
||||
ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Security State Change (Windows 10)
|
||||
title: Audit Security State Change
|
||||
description: The policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
|
||||
ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Security System Extension (Windows 10)
|
||||
title: Audit Security System Extension
|
||||
description: The Advanced Security Audit policy setting, Audit Security System Extension, determines if audit events related to security system extensions are generated.
|
||||
ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Sensitive Privilege Use (Windows 10)
|
||||
title: Audit Sensitive Privilege Use
|
||||
description: The policy setting, Audit Sensitive Privilege Use, determines if the operating system generates audit events when sensitive privileges (user rights) are used.
|
||||
ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Special Logon (Windows 10)
|
||||
title: Audit Special Logon
|
||||
description: The Advanced Security Audit policy setting, Audit Special Logon, determines if audit events are generated under special sign in (or logon) circumstances.
|
||||
ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit System Integrity (Windows 10)
|
||||
title: Audit System Integrity
|
||||
description: The policy setting, Audit System Integrity, determines if the operating system audits events that violate the integrity of the security subsystem.
|
||||
ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit Token Right Adjusted (Windows 10)
|
||||
title: Audit Token Right Adjusted
|
||||
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token.
|
||||
manager: aaroncz
|
||||
author: vinaypamnani-msft
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit User Account Management (Windows 10)
|
||||
title: Audit User Account Management
|
||||
description: Audit User Account Management is an audit policy setting that determines if the operating system generates audit events when certain tasks are performed.
|
||||
ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit User/Device Claims (Windows 10)
|
||||
title: Audit User/Device Claims
|
||||
description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
|
||||
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit account logon events (Windows 10)
|
||||
title: Audit account logon events
|
||||
description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
|
||||
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit account management (Windows 10)
|
||||
title: Audit account management
|
||||
description: Determines whether to audit each event of account management on a device.
|
||||
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Basic audit directory service access (Windows 10)
|
||||
title: Basic audit directory service access
|
||||
description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
|
||||
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit logon events (Windows 10)
|
||||
title: Audit logon events
|
||||
description: Determines whether to audit each instance of a user logging on to or logging off from a device.
|
||||
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
|
||||
ms.reviewer:
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Audit object access (Windows 10)
|
||||
title: Audit object access
|
||||
description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified.
|
||||
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
|
||||
ms.reviewer:
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user