(Windows 10)

windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md

@@ -1,24 +1,16 @@
 ---
-title: How Windows Hello for Business works - Authentication
+title: How Windows Hello for Business authentication works
-description: Learn about the authentication flow for  Windows Hello for Business.
+description: Learn about the Windows Hello for Business authentication flows.
-ms.date: 02/15/2022
+ms.date: 05/24/2023
-ms.topic: article
+ms.topic: reference
 ---
-# Windows Hello for Business and Authentication
+# Windows Hello for Business authentication
 
-Windows Hello for Business authentication is passwordless, two-factor authentication.  Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
+Windows Hello for Business authentication is a passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
 
-Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
+Azure AD-joined devices authenticate to Azure AD during sign-in and can, optionally, authenticate to Active Directory. Hybrid Azure AD-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure AD in the background.
 
-- [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
+## Azure AD join authentication to Azure AD
-- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-kerberos-trust)
-- [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key)
-- [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
-- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust)
-- [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key)
-- [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
-
-## Azure AD join authentication to Azure Active Directory
 
 ![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png)
 
@@ -27,20 +19,20 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.| 
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.| 
 |B | The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.|
-|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
+|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  Azure AD then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
 |D | The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
-|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
 
-## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)
+## Azure AD join authentication to Active Directory using cloud Kerberos trust
 
 ![Azure Active Directory join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
 |A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller.
-|B | After locating an active 2016 domain controller, the Kerberos provider sends a partial TGT that it received from Azure AD from a previous Azure AD authentication to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller will verify that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
+|B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Azure AD from a previous Azure AD authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
 
 ## Azure AD join authentication to Active Directory using a key
 
@@ -48,9 +40,9 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates an active 2016 domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
+|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
-|B | The Kerberos provider sends the signed pre-authentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate.  It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory.  It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate.  It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory.  It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it has not been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 
 > [!NOTE]
 > You might have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Azure AD joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
@@ -61,24 +53,24 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate.  Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
+|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication.  The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate.  Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
-|B | The Kerberos provider sends the signed pre-authentication data and  user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is not self-signed certificate.  The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked.  It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory.  It validates the signed pre-authentication data using the public key from the certificate.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|B | The Kerberos provider sends the signed preauthentication data and  user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate.  The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked.  It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory.  It validates the signed preauthentication data using the public key from the certificate.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it has not been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
 
 > [!NOTE]
 > You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.  
 
-## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)
+## Hybrid Azure AD join authentication using cloud Kerberos trust
 
 ![Hybrid Azure AD join authentication using Azure AD Kerberos](images/howitworks/auth-haadj-cloudtrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to winlogon.  Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
 |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
 |C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
 |D | Cloud AP  receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
-|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller will verify that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos will return the TGT to lsass, where it is cached and used for subsequent service ticket requests. Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain.  Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
 
 ## Hybrid Azure AD join authentication using a key
 
@@ -86,11 +78,11 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider.  The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider.  The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
-|B | The Kerberos provider sends the signed pre-authentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate.  It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory.  It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate.  It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory.  It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it has not been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
-|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
-|E | Lsass informs winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|E | Lsass informs Winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
 |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce.|
 |G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.  Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
 
@@ -103,13 +95,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c
 
 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider.  The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider.  The user provides their Windows Hello gesture (PIN or biometrics).  The credential provider packages these credentials and returns them to Winlogon.  Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider.  The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
-|B | The Kerberos provider sends the signed pre-authentication data and  user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is not self-signed certificate.  The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked.  It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory.  It validates the signed pre-authentication data using the public key from the certificate.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|B | The Kerberos provider sends the signed preauthentication data and  user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate.  The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked.  It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory.  It validates the signed preauthentication data using the public key from the certificate.  On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it has not been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device.  Next, it ensures the certificate is within its validity period and that it hasn't been revoked.  The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
-|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
-|E | Lsass informs winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|E | Lsass informs Winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
 |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.  The Cloud AP provider requests a nonce from Azure Active Directory.  Azure AD returns a nonce.|
 |G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.  Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature.  After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key.  Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
 
 > [!IMPORTANT]
-> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller for the first time.
+> In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.

windows/security/identity-protection/remote-credential-guard.md

@@ -1,5 +1,5 @@
 ---
-title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
+title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard 
 description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
 ms.collection: 
 - highpri

windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md

@@ -1,5 +1,5 @@
 ---
-title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
+title: Get Started with Virtual Smart Cards - Walkthrough Guide 
 description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
 ms.topic: conceptual
 ms.date: 02/22/2023

windows/security/identity-protection/vpn/vpn-authentication.md

@@ -1,5 +1,5 @@
 ---
-title: VPN authentication options (Windows 10 and Windows 11)
+title: VPN authentication options 
 description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
 ms.date: 09/23/2021
 ms.topic: conceptual

windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md

@@ -1,5 +1,5 @@
 ---
-title: VPN auto-triggered profile options (Windows 10 and Windows 11)
+title: VPN auto-triggered profile options 
 description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
 ms.date: 09/23/2021
 ms.topic: conceptual

windows/security/identity-protection/vpn/vpn-conditional-access.md

@@ -1,5 +1,5 @@
 ---
-title: VPN and conditional access (Windows 10 and Windows 11)
+title: VPN and conditional access 
 description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
 ms.date: 09/23/2021
 ms.topic: conceptual

windows/security/identity-protection/vpn/vpn-connection-type.md

@@ -1,5 +1,5 @@
 ---
-title: VPN connection types (Windows 10 and Windows 11)
+title: VPN connection types 
 description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
 ms.date: 08/23/2021
 ms.topic: conceptual

windows/security/identity-protection/vpn/vpn-guide.md

@@ -1,5 +1,5 @@
 ---
-title: Windows VPN technical guide (Windows 10 and Windows 11)
+title: Windows VPN technical guide 
 description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment.
 ms.date: 02/21/2022
 ms.topic: conceptual

windows/security/identity-protection/vpn/vpn-name-resolution.md

@@ -1,5 +1,5 @@
 ---
-title: VPN name resolution (Windows 10 and Windows 11)
+title: VPN name resolution 
 description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
 ms.date: 09/23/2021
 ms.topic: conceptual

windows/security/identity-protection/vpn/vpn-profile-options.md

@@ -1,5 +1,5 @@
 ---
-title: VPN profile options (Windows 10 and Windows 11)
+title: VPN profile options 
 description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
 ms.date: 05/17/2018
 ms.topic: conceptual

windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md

@@ -1,5 +1,5 @@
 ---
-title: BCD settings and BitLocker (Windows 10)
+title: BCD settings and BitLocker 
 description: This article for IT professionals describes the BCD settings that are used by BitLocker.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/bitlocker/bitlocker-countermeasures.md

@@ -1,5 +1,5 @@
 ---
-title: BitLocker Countermeasures (Windows 10)
+title: BitLocker Countermeasures 
 description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md

@@ -1,5 +1,5 @@
 ---
-title: BitLocker deployment comparison (Windows 10)
+title: BitLocker deployment comparison 
 description: This article shows the BitLocker deployment comparison chart.
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md

@@ -1,5 +1,5 @@
 ---
-title: BitLocker Group Policy settings (Windows 10)
+title: BitLocker Group Policy settings 
 description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md

@@ -1,5 +1,5 @@
 ---
-title: BitLocker - How to enable Network Unlock (Windows 10)
+title: BitLocker - How to enable Network Unlock 
 description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md

@@ -1,5 +1,5 @@
 ---
-title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10)
+title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker 
 description: This article for the IT professional describes how to use tools to manage BitLocker.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md

@@ -1,5 +1,5 @@
 ---
-title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10)
+title: BitLocker Use BitLocker Recovery Password Viewer 
 description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md

@@ -1,5 +1,5 @@
 ---
-title: Prepare the organization for BitLocker Planning and policies (Windows 10)
+title: Prepare the organization for BitLocker Planning and policies 
 description: This article for the IT professional explains how can to plan for a BitLocker deployment.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md

@@ -1,5 +1,5 @@
 ---
-title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10)
+title: Protecting cluster shared volumes and storage area networks with BitLocker 
 description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md

@@ -1,5 +1,5 @@
 ---
-title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
+title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) 
 description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md

@@ -1,5 +1,5 @@
 ---
-title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10)
+title: How to collect Windows Information Protection (WIP) audit event logs 
 description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md

@@ -1,5 +1,5 @@
 ---
-title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10)
+title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune 
 description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md

@@ -1,5 +1,5 @@
 ---
-title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10)
+title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune 
 description: After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md

@@ -1,5 +1,5 @@
 ---
-title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
+title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) 
 description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md

@@ -1,5 +1,5 @@
 ---
-title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
+title: General guidance and best practices for Windows Information Protection (WIP) 
 description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md

@@ -1,5 +1,5 @@
 ---
-title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
+title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) 
 description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md

@@ -1,5 +1,5 @@
 ---
-title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager (Windows 10)
+title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager 
 description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md

@@ -1,5 +1,5 @@
 ---
-title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
+title: Create a Windows Information Protection (WIP) policy using Microsoft Intune 
 description: Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md

@@ -1,5 +1,5 @@
 ---
-title: Recommended URLs for Windows Information Protection (Windows 10)
+title: Recommended URLs for Windows Information Protection 
 description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md

@@ -1,5 +1,5 @@
 ---
-title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
+title: Testing scenarios for Windows Information Protection (WIP) 
 description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
 ms.reviewer: 
 ms.prod: windows-client

windows/security/information-protection/windows-information-protection/using-owa-with-wip.md

@@ -1,5 +1,5 @@
 ---
-title: Using Outlook on the web with WIP (Windows 10)
+title: Using Outlook on the web with WIP 
 description: Options for using Outlook on the web with Windows Information Protection (WIP).
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md

@@ -1,5 +1,5 @@
 ---
-title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
+title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) 
 description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
 ms.prod: windows-client
 ms.localizationpriority: medium

windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md

@@ -1,5 +1,5 @@
 ---
-title: Advanced security audit policy settings (Windows 10)
+title: Advanced security audit policy settings 
 description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
 ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
 ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.

windows/security/threat-protection/auditing/advanced-security-auditing.md

@@ -1,5 +1,5 @@
 ---
-title: Advanced security audit policies (Windows 10)
+title: Advanced security audit policies 
 description: Advanced security audit policy settings may appear to overlap with basic policies, but they are recorded and applied differently. Learn more about them here.
 ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
 ms.reviewer: 

windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md

@@ -1,5 +1,5 @@
 ---
-title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
+title: Appendix A, Security monitoring recommendations for many audit events 
 description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
 ms.pagetype: security
 ms.prod: windows-client

windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md

@@ -1,5 +1,5 @@
 ---
-title: Apply a basic audit policy on a file or folder (Windows 10)
+title: Apply a basic audit policy on a file or folder 
 description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
 ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-account-lockout.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Account Lockout (Windows 10)
+title: Audit Account Lockout 
 description: The policy setting, Audit Account Lockout, enables you to audit security events  generated by a failed attempt to log on to an account that is locked out.
 ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-application-generated.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Application Generated (Windows 10)
+title: Audit Application Generated 
 description: The policy setting, Audit Application Generated, determines if audit events are generated when applications attempt to use the Windows Auditing APIs.
 ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-application-group-management.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Application Group Management (Windows 10)
+title: Audit Application Group Management 
 description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed.
 ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-audit-policy-change.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Audit Policy Change (Windows 10)
+title: Audit Audit Policy Change 
 description: The Advanced Security Audit policy setting, Audit Audit Policy Change, determines if audit events are generated when changes are made to audit policy.
 ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-authentication-policy-change.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Authentication Policy Change (Windows 10)
+title: Audit Authentication Policy Change 
 description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed.
 ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-authorization-policy-change.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Authorization Policy Change (Windows 10)
+title: Audit Authorization Policy Change 
 description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy.
 ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-central-access-policy-staging.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Central Access Policy Staging (Windows 10)
+title: Audit Central Access Policy Staging 
 description: The Advanced Security Audit policy setting, Audit Central Access Policy Staging, determines permissions on a Central Access Policy.
 ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-certification-services.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Certification Services (Windows 10)
+title: Audit Certification Services 
 description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed.
 ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-computer-account-management.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Computer Account Management (Windows 10)
+title: Audit Computer Account Management 
 description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted.
 ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-credential-validation.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Credential Validation (Windows 10)
+title: Audit Credential Validation 
 description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted.
 ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Detailed Directory Service Replication (Windows 10)
+title: Audit Detailed Directory Service Replication 
 description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers
 ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-detailed-file-share.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Detailed File Share (Windows 10)
+title: Audit Detailed File Share 
 description: The Advanced Security Audit policy setting, Audit Detailed File Share, allows you to audit attempts to access files and folders on a shared folder.
 ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-directory-service-access.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Directory Service Access (Windows 10)
+title: Audit Directory Service Access 
 description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (AD DS) object is accessed.
 ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-directory-service-changes.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Directory Service Changes (Windows 10)
+title: Audit Directory Service Changes 
 description: The policy setting Audit Directory Service Changes determines if audit events are generated when objects in Active Directory Domain Services (AD DS) are changed
 ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-directory-service-replication.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Directory Service Replication (Windows 10)
+title: Audit Directory Service Replication 
 description: Audit Directory Service Replication is a policy setting that decides if audit events are created when replication between two domain controllers begins or ends.
 ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-distribution-group-management.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Distribution Group Management (Windows 10)
+title: Audit Distribution Group Management 
 description: The policy setting, Audit Distribution Group Management, determines if audit events are generated for specific distribution-group management tasks.
 ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-dpapi-activity.md

@@ -1,5 +1,5 @@
 ---
-title: Audit DPAPI Activity (Windows 10)
+title: Audit DPAPI Activity 
 description: The policy setting, Audit DPAPI Activity, decides if encryption/decryption calls  to the data protection application interface (DPAPI) generate audit events.
 ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-file-share.md

@@ -1,5 +1,5 @@
 ---
-title: Audit File Share (Windows 10)
+title: Audit File Share 
 description: The Advanced Security Audit policy setting, Audit File Share, determines if the operating system generates audit events when a file share is accessed.
 ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-file-system.md

@@ -1,5 +1,5 @@
 ---
-title: Audit File System (Windows 10)
+title: Audit File System 
 description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects.
 ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-filtering-platform-connection.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Filtering Platform Connection (Windows 10)
+title: Audit Filtering Platform Connection 
 description: The policy setting, Audit Filtering Platform Connection, decides if audit events are generated when connections are allow/blocked by Windows Filtering Platform.
 ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Filtering Platform Packet Drop (Windows 10)
+title: Audit Filtering Platform Packet Drop 
 description: The policy setting, Audit Filtering Platform Packet Drop, determines if audit events are generated when packets are dropped by the Windows Filtering Platform.
 ms.assetid: 95457601-68d1-4385-af20-87916ddab906
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Filtering Platform Policy Change (Windows 10)
+title: Audit Filtering Platform Policy Change 
 description: The policy setting, Audit Filtering Platform Policy Change, determines if audit events are generated for certain IPsec and Windows Filtering Platform actions.
 ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-group-membership.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Group Membership (Windows 10)
+title: Audit Group Membership 
 description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC.
 ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-handle-manipulation.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Handle Manipulation (Windows 10)
+title: Audit Handle Manipulation 
 description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed.
 ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-ipsec-driver.md

@@ -1,5 +1,5 @@
 ---
-title: Audit IPsec Driver (Windows 10)
+title: Audit IPsec Driver 
 description: The Advanced Security Audit policy setting, Audit IPsec Driver, determines if audit events are generated for the activities of the IPsec driver.
 ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md

@@ -1,5 +1,5 @@
 ---
-title: Audit IPsec Extended Mode (Windows 10)
+title: Audit IPsec Extended Mode 
 description: The setting, Audit IPsec Extended Mode, determines if audit events are generated for the results of IKE protocol and AuthIP during Extended Mode negotiations.
 ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-ipsec-main-mode.md

@@ -1,5 +1,5 @@
 ---
-title: Audit IPsec Main Mode (Windows 10)
+title: Audit IPsec Main Mode 
 description: Learn about the policy setting, Audit IPsec Main Mode, which determines if the results of certain protocols generate events during Main Mode negotiations.
 ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md

@@ -1,5 +1,5 @@
 ---
-title: Audit IPsec Quick Mode (Windows 10)
+title: Audit IPsec Quick Mode 
 description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations.
 ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Kerberos Authentication Service (Windows 10)
+title: Audit Kerberos Authentication Service 
 description: The policy setting Audit Kerberos Authentication Service decides if audit events are generated for Kerberos authentication ticket-granting ticket (TGT) requests
 ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Kerberos Service Ticket Operations (Windows 10)
+title: Audit Kerberos Service Ticket Operations 
 description: The policy setting, Audit Kerberos Service Ticket Operations, determines if security audit events are generated for Kerberos service ticket requests.
 ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-kernel-object.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Kernel Object (Windows 10)
+title: Audit Kernel Object 
 description: The policy setting, Audit Kernel Object, decides if user attempts to access the system kernel (which includes mutexes and semaphores) generate audit events.
 ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-logoff.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Logoff (Windows 10)
+title: Audit Logoff 
 description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated.
 ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-logon.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Logon (Windows 10)
+title: Audit Logon 
 description: The Advanced Security Audit policy setting, Audit Logon, determines if audit events are generated when a user attempts to log on to a computer.
 ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md

@@ -1,5 +1,5 @@
 ---
-title: Audit MPSSVC Rule-Level Policy Change (Windows 10)
+title: Audit MPSSVC Rule-Level Policy Change 
 description: Audit MPSSVC Rule-Level Policy Change determines if audit events are generated when policy rules are altered for the Microsoft Protection Service (MPSSVC.exe).
 ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-network-policy-server.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Network Policy Server (Windows 10)
+title: Audit Network Policy Server 
 description: The policy setting, Audit Network Policy Server, determines if audit events are generated for RADIUS (IAS) and NAP activity on user access requests.
 ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Non-Sensitive Privilege Use (Windows 10)
+title: Audit Non-Sensitive Privilege Use 
 description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
 ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-other-account-logon-events.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Other Account Logon Events (Windows 10)
+title: Audit Other Account Logon Events 
 description: The policy setting, Audit Other Account Logon Events allows you to audit events when generated by responses to credential requests for certain kinds of user logons.
 ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-other-account-management-events.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Other Account Management Events (Windows 10)
+title: Audit Other Account Management Events 
 description: The Advanced Security Audit policy setting, Audit Other Account Management Events, determines if user account management audit events are generated.
 ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Other Logon/Logoff Events (Windows 10)
+title: Audit Other Logon/Logoff Events 
 description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events.
 ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-other-object-access-events.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Other Object Access Events (Windows 10)
+title: Audit Other Object Access Events 
 description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects.
 ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-other-policy-change-events.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Other Policy Change Events (Windows 10)
+title: Audit Other Policy Change Events 
 description: The policy setting, Audit Other Policy Change Events, determines if audit events are generated for security policy changes that are not otherwise audited.
 ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-other-privilege-use-events.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Other Privilege Use Events (Windows 10)
+title: Audit Other Privilege Use Events 
 description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
 ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-other-system-events.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Other System Events (Windows 10)
+title: Audit Other System Events 
 description: The Advanced Security Audit policy setting, Audit Other System Events, determines if the operating system audits various system events.
 ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-pnp-activity.md

@@ -1,5 +1,5 @@
 ---
-title: Audit PNP Activity (Windows 10)
+title: Audit PNP Activity 
 description: The advanced security audit policy setting, Audit PNP Activity, determines when plug and play detects an external device.
 ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-process-creation.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Process Creation (Windows 10)
+title: Audit Process Creation 
 description: The Advanced Security Audit policy setting, Audit Process Creation, determines if audit events are generated when a process is created (starts).
 ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-process-termination.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Process Termination (Windows 10)
+title: Audit Process Termination 
 description: The Advanced Security Audit policy setting, Audit Process Termination, determines if audit events are generated when an attempt is made to end a process.
 ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-registry.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Registry (Windows 10)
+title: Audit Registry 
 description: The Advanced Security Audit policy setting, Audit Registry, determines if audit events are generated when users attempt to access registry objects.
 ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-removable-storage.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Removable Storage (Windows 10)
+title: Audit Removable Storage 
 description: The Advanced Security Audit policy setting, Audit Removable Storage, determines when there is a read or a write to a removable drive.
 ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-rpc-events.md

@@ -1,5 +1,5 @@
 ---
-title: Audit RPC Events (Windows 10)
+title: Audit RPC Events 
 description: Audit RPC Events is an audit policy setting that determines if audit events are generated when inbound remote procedure call (RPC) connections are made.
 ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-sam.md

@@ -1,5 +1,5 @@
 ---
-title: Audit SAM (Windows 10)
+title: Audit SAM 
 description: The Advanced Security Audit policy setting, Audit SAM, enables you to audit events generated by attempts to access Security Account Manager (SAM) objects.
 ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-security-group-management.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Security Group Management (Windows 10)
+title: Audit Security Group Management 
 description: The policy setting, Audit Security Group Management, determines if audit events are generated when specific security group management tasks are performed.
 ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-security-state-change.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Security State Change (Windows 10)
+title: Audit Security State Change 
 description: The policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
 ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-security-system-extension.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Security System Extension (Windows 10)
+title: Audit Security System Extension 
 description: The Advanced Security Audit policy setting, Audit Security System Extension, determines if audit events related to security system extensions are generated.
 ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Sensitive Privilege Use (Windows 10)
+title: Audit Sensitive Privilege Use 
 description: The policy setting, Audit Sensitive Privilege Use, determines if the operating system generates audit events when sensitive privileges (user rights) are used.
 ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-special-logon.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Special Logon (Windows 10)
+title: Audit Special Logon 
 description: The Advanced Security Audit policy setting, Audit Special Logon, determines if  audit events are generated under special sign in (or logon) circumstances.
 ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-system-integrity.md

@@ -1,5 +1,5 @@
 ---
-title: Audit System Integrity (Windows 10)
+title: Audit System Integrity 
 description: The policy setting, Audit System Integrity, determines if the operating system audits events that violate the integrity of the security subsystem.
 ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-token-right-adjusted.md

@@ -1,5 +1,5 @@
 ---
-title: Audit Token Right Adjusted (Windows 10)
+title: Audit Token Right Adjusted 
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Token Right Adjusted, which determines whether the operating system generates audit events when specific changes are made to the privileges of a token.
 manager: aaroncz
 author: vinaypamnani-msft

windows/security/threat-protection/auditing/audit-user-account-management.md

@@ -1,5 +1,5 @@
 ---
-title: Audit User Account Management (Windows 10)
+title: Audit User Account Management 
 description: Audit User Account Management is an audit policy setting that determines if the operating system generates audit events when certain tasks are performed.
 ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
 ms.reviewer: 

windows/security/threat-protection/auditing/audit-user-device-claims.md

@@ -1,5 +1,5 @@
 ---
-title: Audit User/Device Claims (Windows 10)
+title: Audit User/Device Claims 
 description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
 ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
 ms.reviewer: 

windows/security/threat-protection/auditing/basic-audit-account-logon-events.md

@@ -1,5 +1,5 @@
 ---
-title: Audit account logon events (Windows 10)
+title: Audit account logon events 
 description: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
 ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
 ms.reviewer: 

windows/security/threat-protection/auditing/basic-audit-account-management.md

@@ -1,5 +1,5 @@
 ---
-title: Audit account management (Windows 10)
+title: Audit account management 
 description: Determines whether to audit each event of account management on a device.
 ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
 ms.reviewer: 

windows/security/threat-protection/auditing/basic-audit-directory-service-access.md

@@ -1,5 +1,5 @@
 ---
-title: Basic audit directory service access (Windows 10)
+title: Basic audit directory service access 
 description: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
 ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
 ms.reviewer: 

windows/security/threat-protection/auditing/basic-audit-logon-events.md

@@ -1,5 +1,5 @@
 ---
-title: Audit logon events (Windows 10)
+title: Audit logon events 
 description: Determines whether to audit each instance of a user logging on to or logging off from a device.
 ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
 ms.reviewer: 

windows/security/threat-protection/auditing/basic-audit-object-access.md

@@ -1,5 +1,5 @@
 ---
-title: Audit object access (Windows 10)
+title: Audit object access 
 description: The policy setting, Audit object access, determines whether to audit the event generated when a user accesses an object that has its own SACL specified.
 ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
 ms.reviewer: