From 5623edae66a2c6057664c5eedd0f60cb84215ed3 Mon Sep 17 00:00:00 2001
From: djust270
Date: Wed, 12 Oct 2022 14:58:52 -0400
Subject: [PATCH 1/9] Added Get-AppAUMID function
---
...ation-user-model-id-of-an-installed-app.md | 37 +++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index 27d56ce3c5..8b57c08b2f 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -109,3 +109,40 @@ listAumids("CustomerAccount")
 # Get a list of AUMIDs for all accounts on the device:
 listAumids("allusers")
 ```
+
+## Example
+The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start Menu
+
+```powershell
+function Get-AppAUMID {
+param (
+[string]$AppName
+)
+$Apps = (New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items()
+if ($AppName){
+    $Result = $Apps | Where-Object { $_.name -like "*$AppName*" } | Select-Object name,@{n="AUMID";e={$_.path}}
+    if ($Result){
+        Return $Result
+    }
+    else {"Unable to locate {0}" -f $AppName}
+}
+else {
+    $Result = $Apps | Select-Object name,@{n="AUMID";e={$_.path}}
+    Return $Result
+}
+}
+```
+
+The following Windows PowerShell commands demonstrate how you can call the Get-AppAUMID function after you've created it.
+
+```powershell
+# Get the AUMID for OneDrive
+Get-AppAUMID -AppName OneDrive
+
+# Get the AUMID for Microsoft Word
+Get-AppAUMID -AppName Word
+
+# List all apps and their AUMID in the Start Menu
+Get-AppAUMID
+```
+
From 6934aed167e5e7aff7a11103d354ba4a9029a78c Mon Sep 17 00:00:00 2001
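Review bot: In the added Get-AppAUMID function, the failure branch `else {"Unable to locate {0}" -f $AppName}` writes a plain string to the success output stream, so a caller that pipes the result into something expecting an AUMID (for example an assigned-access or kiosk configuration) receives the message text as if it were a valid identifier. Report the miss on the warning or error stream instead and return nothing, e.g. `else { Write-Warning ("Unable to locate {0}" -f $AppName) }`, so `$null` is the only non-AUMID result. Separately, `-like "*$AppName*"` treats `[`, `]`, `?` and `*` in the supplied name as wildcard metacharacters, so a name containing brackets silently matches nothing; if a literal substring match is intended, wrap the input as `"*$([WildcardPattern]::Escape($AppName))*"`. Note also that this filter is a substring match, so `-AppName Word` may return several rows; the sample text should say the caller needs to pick the intended entry rather than assume a single AUMID.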
From: djust270
Date: Wed, 12 Oct 2022 14:59:15 -0400
Subject: [PATCH 2/9] Updated Get-AppAUMID
---
.../find-the-application-user-model-id-of-an-installed-app.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index 8b57c08b2f..0e134f6c34 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -118,7 +118,7 @@ function Get-AppAUMID {
 param (
 [string]$AppName
 )
-$Apps = (New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items()
+$Apps = (New-Object -ComObject Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items()
 if ($AppName){
     $Result = $Apps | Where-Object { $_.name -like "*$AppName*" } | Select-Object name,@{n="AUMID";e={$_.path}}
     if ($Result){
From b1a2f3c79d904537fb2c337903c7d764f03261c6 Mon Sep 17 00:00:00 2001
From: David Just <57944742+djust270@users.noreply.github.com>
Date: Thu, 13 Oct 2022 05:15:41 -0400
Subject: [PATCH 3/9] Update windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../find-the-application-user-model-id-of-an-installed-app.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index 0e134f6c34..4960887e14 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -111,7 +111,8 @@ listAumids("allusers")
 ```
 ## Example
-The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start Menu
+
+The following code sample creates a function in Windows PowerShell that returns the AUMID of any application currently listed in the Start menu.
 ```powershell
 function Get-AppAUMID {
From 3635446ec3c7e6e34083ba6b64004104096a2b55 Mon Sep 17 00:00:00 2001
From: David Just <57944742+djust270@users.noreply.github.com>
Date: Thu, 13 Oct 2022 05:15:53 -0400
Subject: [PATCH 4/9] Update windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../find-the-application-user-model-id-of-an-installed-app.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index 4960887e14..4e3e609d5e 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -143,7 +143,7 @@ Get-AppAUMID -AppName OneDrive
 # Get the AUMID for Microsoft Word
 Get-AppAUMID -AppName Word
-# List all apps and their AUMID in the Start Menu
+# List all apps and their AUMID in the Start menu
 Get-AppAUMID
 ```
From f8cd35e285c88deded61ec5df9792651a67c6b5c Mon Sep 17 00:00:00 2001
From: Quentin BRUSA <122641985+qbrusa@users.noreply.github.com>
Date: Thu, 19 Jan 2023 08:59:17 -0500
Subject: [PATCH 5/9] Move Event Volume section
Move Event Volume section before EID table recommandation
---
.../auditing/audit-authorization-policy-change.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index b7fd89b268..caa5d33848 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -20,6 +20,8 @@ ms.topic: reference
 Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects.
+**Event volume**: Medium to High.
+
 | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | Domain Controller | IF | No | IF | No | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.
However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).
If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
@@ -40,5 +42,3 @@ Audit Authorization Policy Change allows you to audit assignment and removal of
 - [4913](event-4913.md)(S): Central Access Policy on the object was changed.
-**Event volume**: Medium to High.
-
From 1c791fd89916f35635ddb5cc333568960b52397f Mon Sep 17 00:00:00 2001
From: Quentin BRUSA <122641985+qbrusa@users.noreply.github.com>
Date: Thu, 19 Jan 2023 09:03:05 -0500
Subject: [PATCH 6/9] Add missing link for EID 4902, 4907, 4904, 4905
---
.../auditing/audit-audit-policy-change.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index c5cdf8c616..74134a5bd9 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -49,13 +49,13 @@ Changes to audit policy that are audited include:
 The following events will be enabled with Success auditing in this subcategory:
-- 4902(S): The Per-user audit policy table was created.
+- [4902](event-4902.md)(S): The Per-user audit policy table was created.
-- 4907(S): Auditing settings on object were changed.
+- [4907](event-4907.md)(S): Auditing settings on object were changed.
-- 4904(S): An attempt was made to register a security event source.
+- [4904](event-4904.md)(S): An attempt was made to register a security event source.
-- 4905(S): An attempt was made to unregister a security event source.
+- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
 All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting.
@@ -79,4 +79,4 @@ All other events in this subcategory will be logged regardless of the "Audit Pol
 - [4904](event-4904.md)(S): An attempt was made to register a security event source.
-- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
\ No newline at end of file
+- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
From c79a1c4be6c835f6a884fe19a6d9ee3ef106a962 Mon Sep 17 00:00:00 2001
From: JHayes-MS <91642326+JHayes-MS@users.noreply.github.com>
Date: Thu, 19 Jan 2023 06:36:58 -0800
Subject: [PATCH 7/9] Added links for How to Articles for CA Policies
Added 2 links with details on configuring CA Policies and about the exception itself.
---
windows/deployment/windows-10-subscription-activation.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index c34e8342eb..1190cc13fb 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -40,7 +40,7 @@ This article covers the following information:
 For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
 > [!NOTE]
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f, from their device compliance policy using **Select Excluded Cloud Apps**.
+> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access polices see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
 ## Subscription activation for Enterprise
From 3684ad6e122aa53bead6d9df78864dbfd7a90680 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Mon, 23 Jan 2023 13:58:03 -0800
Subject: [PATCH 8/9] Update windowsdefenderapplicationguard-csp.md
---
.../mdm/windowsdefenderapplicationguard-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 32799b0ffd..8e0ff9f02d 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -334,7 +334,7 @@ Value type is integer. Supported operation is Get.
-- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
+- Bit 0 - Set to 1 when Application Guard is enabled into Windows Isolated environment mode.
 - Bit 1 - Set to 1 when the client machine is Hyper-V capable.
 - Bit 2 - Reserved for Microsoft.
 - Bit 3 - Set to 1 when Application Guard is installed on the client machine.
From 699d10a08e834f5bacd13616ff9170a1e833aa0c Mon Sep 17 00:00:00 2001
From: Aaron Czechowski
Date: Tue, 24 Jan 2023 10:05:24 -0800
Subject: [PATCH 9/9] Update windows/deployment/windows-10-subscription-activation.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/deployment/windows-10-subscription-activation.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 1190cc13fb..4f8562a41b 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -40,7 +40,7 @@ This article covers the following information:
 For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
 > [!NOTE]
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access polices see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their device compliance policy using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
 ## Subscription activation for Enterprise