deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #2226 from MicrosoftDocs/master

Browse Source 
Publish 3/06/2020 3:32 PM PST
This commit is contained in:
Thomas Raya 2020-03-06 17:44:18 -06:00 committed by GitHub
commit db70feab1e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 520 additions and 541 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -1,6 +1,11 @@
{
"redirections": [
{
"source_path": "devices/hololens/hololens-whats-new.md",
"redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes",
"redirect_document_id": true
},
{
"source_path": "devices/hololens/hololens-upgrade-enterprise.md",
"redirect_url": "https://docs.microsoft.com/hololens/hololens-requirements#upgrade-to-windows-holographic-for-business",
"redirect_document_id": true

54
devices/hololens/TOC.md
View File

@ -1,6 +1,6 @@
# [HoloLens overview](index.md)
# [Microsoft HoloLens](index.md)
# Get Started with HoloLens 2
# Get started with HoloLens 2
## [HoloLens 2 hardware](hololens2-hardware.md)
## [Get your HoloLens 2 ready to use](hololens2-setup.md)
## [Set up your HoloLens 2](hololens2-start.md)
@ -16,56 +16,56 @@
## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md)
## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md)
# Deploying HoloLens and Mixed Reality Apps in Commercial Environments
## [Deployment planning](hololens-requirements.md)
## [Commercial feature overview](hololens-commercial-features.md)
## [Lincense Requriements](hololens-licenses-requirements.md)
## [Commercial Infrastructure Guidance](hololens-commercial-infrastructure.md)
# Deploy HoloLens and mixed-reality apps in commercial environments
## [Commercial features](hololens-commercial-features.md)
## [Deploy HoloLens in a commercial environment](hololens-requirements.md)
## [Determine what licenses you need](hololens-licenses-requirements.md)
## [Configure your network for HoloLens](hololens-commercial-infrastructure.md)
## [Unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Use a provisioning package to configure HoloLens](hololens-provisioning.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
## [Set up ring based updates for HoloLens](hololens-updates.md)
## [Manage HoloLens updates](hololens-updates.md)
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
# Navigating Windows Holographic
## [Start menu and mixed reality home](holographic-home.md)
## [Use your voice with HoloLens](hololens-cortana.md)
## [Find and save files](holographic-data.md)
## [Create, share, and view photos and video](holographic-photos-and-videos.md)
## [Find, open, and save files](holographic-data.md)
## [Create mixed reality photos and videos](holographic-photos-and-videos.md)
# User management and access management
## [Accounts on HoloLens](hololens-identity.md)
## [Manage user identity and sign-in for HoloLens](hololens-identity.md)
## [Share your HoloLens with multiple people](hololens-multiple-users.md)
## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md)
## [Set up limited application access](hololens-kiosk.md)
## [Set up HoloLens as a kiosk for specific applications](hololens-kiosk.md)
# Holographic Applications
## [Try 3D Viewer](holographic-3d-viewer-beta.md)
# Holographic applications
## [Use 3D Viewer on HoloLens](holographic-3d-viewer-beta.md)
## [Find, install, and uninstall applications](holographic-store-apps.md)
## [Install and uninstall custom applications](holographic-custom-apps.md)
## [Manage custom apps for HoloLens](holographic-custom-apps.md)
# Accessories and connectivity
## [Connect to Bluetooth and USB-C devices](hololens-connect-devices.md)
## [Use the HoloLens (1st gen) clicker](hololens1-clicker.md)
## [Connect to a network](hololens-network.md)
## [Use HoloLens offline](hololens-offline.md)
## [Manage connection endpoints for HoloLens](hololens-offline.md)
# Hologram optics and placement in space
## [Tips for viewing clear Holograms](hololens-calibration.md)
## [Improve visual quality and comfort](hololens-calibration.md)
## [Environment considerations for HoloLens](hololens-environment-considerations.md)
## [Spatial mapping on HoloLens](hololens-spaces.md)
## [Map physical spaces with HoloLens](hololens-spaces.md)
# Update, troubleshoot, or recover HoloLens
## [Update HoloLens](hololens-update-hololens.md)
## [Restart, reset, or recover](hololens-recovery.md)
## [Troubleshoot HoloLens](hololens-troubleshooting.md)
## [Known issues](hololens-known-issues.md)
## [Restart, reset, or recover HoloLens](hololens-recovery.md)
## [Troubleshoot HoloLens issues](hololens-troubleshooting.md)
## [Known issues for HoloLens](hololens-known-issues.md)
## [Frequently asked questions](hololens-faq.md)
## [Frequently asked security questions](hololens-faq-security.md)
## [Hololens services status](hololens-status.md)
## [SCEP Whitepaper](scep-whitepaper.md)
## [Status of the HoloLens services](hololens-status.md)
## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb)
## [SCEP whitepaper](scep-whitepaper.md)
# [Release Notes](hololens-release-notes.md)
# [HoloLens release notes](hololens-release-notes.md)
# [Give us feedback](hololens-feedback.md)
# [Join the Windows Insider program](hololens-insider.md)
# [Insider preview for Microsoft HoloLens](hololens-insider.md)
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)

7
devices/hololens/holographic-custom-apps.md
View File

@ -1,6 +1,6 @@
---
title: Manage custom apps for HoloLens
description: Side load custom apps on HoloLens. Learn more about installing, and uninstalling holographic apps.
description: Side load custom apps on HoloLens. Learn more about installing, and uninstalling holographic apps.
ms.assetid: 6bd124c4-731c-4bcc-86c7-23f9b67ff616
ms.date: 07/01/2019
manager: v-miegge
@ -11,12 +11,15 @@ author: mattzmsft
ms.author: mazeller
ms.topic: article
ms.localizationpriority: medium
ms.custom:
- CI 111456
- CSSTroubleshooting
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Install and manage custom applications (non-store)
# Manage custom apps for HoloLens
HoloLens supports many existing applications from the Microsoft Store, as well as new apps built specifically for HoloLens. This article focuses on custom holographic applications.

13
devices/hololens/hololens-commercial-features.md
View File

@ -5,6 +5,9 @@ keywords: HoloLens, commercial, features, mdm, mobile device management, kiosk m
author: scooley
ms.author: scooley
ms.date: 08/26/2019
ms.custom:
- CI 111456
- CSSTroubleshooting
ms.topic: article
audience: ITPro
ms.prod: hololens
@ -40,7 +43,7 @@ HoloLens (1st gen) came with two licensing options, the developer license and a
- **Windows Update for Business.** Windows Update for Business provides controlled operating system updates to devices and support for the long-term servicing channel.
- **Data security.** BitLocker data encryption is enabled on HoloLens to provide the same level of security protection as any other Windows device.
- **Work access.** Anyone in your organization can remotely connect to the corporate network through virtual private network (VPN) on a HoloLens. HoloLens can also access Wi-Fi networks that require credentials.
- **Microsoft Store for Business.** Your IT department can also set up an enterprise private store, containing only your companys apps for your specific HoloLens usage. Securely distribute your enterprise software to selected group of enterprise users.
- **Microsoft Store for Business.** Your IT department can also set up an enterprise private store, containing only your company's apps for your specific HoloLens usage. Securely distribute your enterprise software to selected group of enterprise users.
## Feature comparison between editions
@ -48,7 +51,7 @@ HoloLens (1st gen) came with two licensing options, the developer license and a
|---|:---:|:---:|:---:|
|Device Encryption (BitLocker) | |✔️ |✔️ |
|Virtual Private Network (VPN) | |✔️ |✔️ |
|[Kiosk mode](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#kiosk-mode) | |✔️ |✔️ |
|[Kiosk mode](hololens-kiosk.md) | |✔️ |✔️ |
|**Management and deployment** | | | |
|Mobile Device Management (MDM) | |✔️ |✔️ |
|Ability to block unenrollment | |✔️ |✔️ |
@ -67,12 +70,12 @@ HoloLens (1st gen) came with two licensing options, the developer license and a
## Enabling commercial features
Your organization's IT admin can set up commercial features such as Microsoft Store for Business, kiosk mode, and enterprise Wi-Fi access. The [Microsoft HoloLens](https://docs.microsoft.com/hololens) documentation provides step-by-step instructions for enrolling devices and installing apps from Microsoft Store for Business.
Your organization's IT admin can set up commercial features such as Microsoft Store for Business, kiosk mode, and enterprise Wi-Fi access. The [Microsoft HoloLens](index.md) documentation provides step-by-step instructions for enrolling devices and installing apps from Microsoft Store for Business.
## See also
- [Microsoft HoloLens](https://docs.microsoft.com/hololens)
- [Kiosk mode](/windows/mixed-reality/using-the-windows-device-portal.md#kiosk-mode)
- [Microsoft HoloLens](index.md)
- [Kiosk mode](hololens-kiosk.md)
- [CSPs supported in HoloLens devices](/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices)
- [Microsoft Store For Business and line of business applications](https://blogs.technet.microsoft.com/sbucci/2016/04/13/windows-store-for-business-and-line-of-business-applications/)
- [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps)

21
devices/hololens/hololens-faq-security.md
View File

@ -11,15 +11,18 @@ ms.sitesec: library
ms.topic: article
audience: ITPro
ms.localizationpriority: high
ms.custom:
- CI 111456
- CSSTroubleshooting
manager: bradke
appliesto:
- HoloLens 1 (1st gen)
- HoloLens 2
---
# Frequently Asked Security Questions
# Frequently asked questions about HoloLens security
## HoloLens 1st Gen Security Questions
## HoloLens (1st gen) Security Questions
1. **What type of wireless is used?**
1. 802.11ac and Bluetooth 4.1 LE
@ -67,9 +70,9 @@ appliesto:
1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
1. No
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know its only on that device, unique to that device, and cant be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string thats sent to the client.
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldnt be verified on a different device, rendering the certs/key unusable on different devices.
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.
1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
@ -87,7 +90,7 @@ appliesto:
1. **Can the device blacklist or white list specific frequencies?**
1. This is not controllable by the user/device
1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the regions regulatory rules.
1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region's regulatory rules.
1. **What is the duty cycle/lifetime for normal operation?**
1. *Currently unavailable.*
1. **What is transmit and receive behavior when a tool is not in range?**
@ -119,8 +122,8 @@ appliesto:
1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
1. No
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know its only on that device, unique to that device, and cant be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string thats sent to the client.
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldnt be verified on a different device, rendering the certs/key unusable on different devices.
1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client.
1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices.
1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.

11
devices/hololens/hololens-identity.md
View File

@ -1,12 +1,15 @@
---
title: Managing user identity and login on HoloLens
description: Manage user identity, security, and login on HoloLens.
title: Manage user identity and sign-in for HoloLens
description: Manage user identity, security, and sign-in for HoloLens.
keywords: HoloLens, user, account, aad, adfs, microsoft account, msa, credentials, reference
ms.assetid: 728cfff2-81ce-4eb8-9aaa-0a3c3304660e
author: scooley
ms.author: scooley
ms.date: 1/6/2019
ms.date: 1/6/2020
ms.prod: hololens
ms.custom:
- CI 111456
- CSSTroubleshooting
ms.topic: article
ms.sitesec: library
ms.topic: article
@ -18,7 +21,7 @@ appliesto:
- HoloLens 2
---
# User identity and signin
# Manage user identity and sign-in for HoloLens
> [!NOTE]
> This article is a technical reference for IT Pros and tech enthusiasts. If you're looking for HoloLens set up instructions, read "[Setting up your HoloLens (1st gen)](hololens1-start.md)" or "[Setting up your HoloLens 2](hololens2-start.md)".

15
devices/hololens/hololens-insider.md
View File

@ -1,11 +1,14 @@
---
title: Insider preview for Microsoft HoloLens (HoloLens)
description: Its simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens.
title: Insider preview for Microsoft HoloLens
description: It's simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens.
ms.prod: hololens
ms.sitesec: library
author: scooley
ms.author: scooley
ms.topic: article
ms.custom:
- CI 111456
- CSSTroubleshooting
ms.localizationpriority: medium
audience: ITPro
ms.date: 1/6/2020
@ -17,13 +20,13 @@ appliesto:
# Insider preview for Microsoft HoloLens
Welcome to the latest Insider Preview builds for HoloLens! Its simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
Welcome to the latest Insider Preview builds for HoloLens! It's simple to get started and provide valuable feedback for our next major operating system update for HoloLens.
## Start receiving Insider builds
On a HoloLens 2 device go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider.
Then, select **Active development of Windows**, choose whether youd like to receive **Fast** or **Slow** builds, and review the program terms.
Then, select **Active development of Windows**, choose whether you'd like to receive **Fast** or **Slow** builds, and review the program terms.
Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build.
@ -46,7 +49,7 @@ To opt out of Insider builds:
Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way.
> [!NOTE]
> Be sure to accept the prompt that asks whether youd like Feedback Hub to access your Documents folder (select **Yes** when prompted).
> Be sure to accept the prompt that asks whether you'd like Feedback Hub to access your Documents folder (select **Yes** when prompted).
## Note for developers
@ -68,7 +71,7 @@ Here's a quick summary of what's new:
- Performance and stability improvements across the product
- More information in settings on HoloLens about the policy pushed to the device
Once youve had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers.
Once you've had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers.
### FIDO 2 support
Many of you share a HoloLens with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords. FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password.

12
devices/hololens/hololens-kiosk.md
View File

@ -1,5 +1,5 @@
---
title: Set up HoloLens in kiosk mode (HoloLens)
title: Set up HoloLens as a kiosk for specific applications
description: Use a kiosk configuration to lock down the apps on HoloLens.
ms.prod: hololens
ms.sitesec: library
@ -8,15 +8,21 @@ ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/13/2018
ms.custom:
- CI 111456
- CSSTroubleshooting
ms.reviewer:
manager: dansimp
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Set up HoloLens in kiosk mode
# Set up HoloLens as a kiosk for specific applications
In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional)
When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they dont need to access.
When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access.
Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings.

19
devices/hololens/hololens-known-issues.md
View File

@ -1,11 +1,14 @@
---
title: HoloLens known issues
title: Known issues for HoloLens
description: This is the list of known issues that may affect HoloLens developers.
keywords: troubleshoot, known issue, help
author: mattzmsft
ms.author: mazeller
ms.date: 8/30/2019
ms.topic: article
ms.custom:
- CI 111456
- CSSTroubleshooting
HoloLens and holograms: Frequently asked questions
manager: jarrettr
ms.prod: hololens
@ -13,7 +16,7 @@ appliesto:
- HoloLens 1
---
# HoloLens known issues
# Known issues for HoloLens
This is the current list of known issues for HoloLens that affect developers. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates.
@ -70,7 +73,7 @@ Our team is currently working on a fix. In the meantime, you can use the followi
1. Select **Build** > **Build Solution**.
1. Open a Command Prompt Window and cd to the folder that contains the compiled .exe file (for example, C:\MyProjects\HoloLensDeploymentFix\bin\Debug)
1. Run the executable and provide the device's IP address as a command-line argument. (If connected using USB, you can use 127.0.0.1, otherwise use the devices Wi-Fi IP address.) For example, "HoloLensDeploymentFix 127.0.0.1"
1. Run the executable and provide the device's IP address as a command-line argument. (If connected using USB, you can use 127.0.0.1, otherwise use the device's Wi-Fi IP address.) For example, "HoloLensDeploymentFix 127.0.0.1"
1. After the tool has exited without any messages (this should only take a few seconds), you will now be able to deploy and debug from Visual Studio 2017 or newer. Continued use of the tool is not necessary.
@ -84,9 +87,9 @@ We will provide further updates as they become available.
You may experience issues when trying to launch the Microsoft Store and apps on HoloLens. We've determined that the issue occurs when background app updates deploy a newer version of framework packages in specific sequences while one or more of their dependent apps are still running. In this case, an automatic app update delivered a new version of the .NET Native Framework (version 10.0.25531 to 10.0.27413) caused the apps that are running to not correctly update for all running apps consuming the prior version of the framework. The flow for framework update is as follows:
1. The new framework package is downloaded from the store and installed
1. All apps using the older framework are updated to use the newer version
1. All apps using the older framework are 'updated' to use the newer version
If step 2 is interrupted before completion then any apps for which the newer framework wasnt registered will fail to launch from the start menu. We believe any app on HoloLens could be affected by this issue.
If step 2 is interrupted before completion then any apps for which the newer framework wasn't registered will fail to launch from the start menu. We believe any app on HoloLens could be affected by this issue.
Some users have reported that closing hung apps and launching other apps such as Feedback Hub, 3D Viewer or Photos resolves the issue for them—however, this does not work 100% of the time.
@ -112,10 +115,10 @@ If you would not like to take the update, we have released a new version of the
If your device is still unable to load apps, you can sideload a version of the .NET Native Framework and Runtime through the download center by following these steps:
1. Please download [this zip file](https://download.microsoft.com/download/8/5/C/85C23745-794C-419D-B8D7-115FBCCD6DA7/netfx_1.7.zip) from the Microsoft Download Center. Unzipping will produce two files. Microsoft.NET.Native.Runtime.1.7.appx and Microsoft.NET.Native.Framework.1.7.appx
1. Please verify that your device is dev unlocked. If you havent done that before the instructions to do that are [here](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal).
1. Please verify that your device is dev unlocked. If you haven't done that before the instructions to do that are [here](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal).
1. You then want to get into the Windows Device Portal. Our recommendation is to do this over USB and you would do that by typing http://127.0.0.1:10080 into your browser.
1. After you have the Windows Device Portal up we need you to “side load” the two files that you downloaded. To do that you need to go down the left side bar until you get to the **Apps** section and select **Apps**.
1. You will then see a screen that is similar to the below. You want to go to the section that says **Install App** and browse to where you unzipped those two APPX files. You can only do one at a time, so after you select the first one, then click on “Go” under the Deploy section. Then do this for the second APPX file.
1. After you have the Windows Device Portal up we need you to "side load" the two files that you downloaded. To do that you need to go down the left side bar until you get to the **Apps** section and select **Apps**.
1. You will then see a screen that is similar to the below. You want to go to the section that says **Install App** and browse to where you unzipped those two APPX files. You can only do one at a time, so after you select the first one, then click on "Go" under the Deploy section. Then do this for the second APPX file.
![Windows Device Portal to Install Side-Loaded app](images/20190322-DevicePortal.png)
1. At this point we believe your applications should start working again and that you can also get to the Store.

13
devices/hololens/hololens-offline.md
View File

@ -5,9 +5,12 @@ keywords: hololens, offline, OOBE
audience: ITPro
ms.date: 07/01/2019
ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301
author: v-miegge
ms.author: v-miegge
manager: v-miegge
author: Teresa-Motiv
ms.author: v-tea
ms.custom:
- CI 111456
- CSSTroubleshooting
manager: jarrettr
ms.topic: article
ms.prod: hololens
ms.sitesec: library
@ -17,9 +20,9 @@ appliesto:
- HoloLens 2
---
# Manage connection endpoints for HoloLens
# Manage connection endpoints for HoloLens
Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuratiion (e.g. proxy or firewall) for those components to be functional.
Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuration (e.g. proxy or firewall) for those components to be functional.
## Near-offline setup

10
devices/hololens/hololens-provisioning.md
View File

@ -1,8 +1,11 @@
---
title: Configure HoloLens using a provisioning package (HoloLens)
title: Use a provisioning package to configure HoloLens
description: Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging.
ms.prod: hololens
ms.sitesec: library
ms.custom:
- CI 111456
- CSSTroubleshooting
author: dansimp
ms.author: dansimp
ms.topic: article
@ -10,9 +13,12 @@ ms.localizationpriority: medium
ms.date: 11/13/2018
ms.reviewer:
manager: dansimp
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Configure HoloLens using a provisioning package
# Use a provisioning package to configure HoloLens
[Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages.

37
devices/hololens/hololens-recovery.md
View File

@ -1,5 +1,5 @@
---
title: Reset or recover your HoloLens
title: Restart, reset, or recover HoloLens
ms.reviewer: Both basic and advanced instructions for rebooting or resetting your HoloLens.
description: How to use Advanced Recovery Companion to flash an image to HoloLens 2.
keywords: how-to, reboot, reset, recover, hard reset, soft reset, power cycle, HoloLens, shut down, arc, advanced recovery companion
@ -8,6 +8,9 @@ ms.sitesec: library
author: mattzmsft
ms.author: mazeller
ms.date: 08/30/2019
ms.custom:
- CI 111456
- CSSTroubleshooting
ms.topic: article
ms.localizationpriority: high
manager: jarrettr
@ -18,9 +21,9 @@ appliesto:
# Restart, reset, or recover HoloLens
If youre experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery.
If you're experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery.
Here are some things to try if your HoloLens isnt running well. This article will guide you through the recommended recovery steps in succession.
Here are some things to try if your HoloLens isn't running well. This article will guide you through the recommended recovery steps in succession.
This article focuses on the HoloLens device and software, if your holograms don't look right, [this article](hololens-environment-considerations.md) talks about environmental factors that improve hologram quality.
@ -33,9 +36,9 @@ First, try restarting the device.
The safest way to restart the HoloLens is by using Cortana. This is generally a great first-step when experiencing an issue with HoloLens:
1. Put on your device
1. Make sure its powered on, a user is logged in, and the device is not waiting for a password to unlock it.
1. Say “Hey Cortana, reboot” or "Hey Cortana, restart."
1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say “Yes.”
1. Make sure it's powered on, a user is logged in, and the device is not waiting for a password to unlock it.
1. Say "Hey Cortana, reboot" or "Hey Cortana, restart."
1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say "Yes."
1. The device will now restart.
### Perform a safe restart by using the power button
@ -45,7 +48,7 @@ If you still can't restart your device, you can try to restart it by using the p
1. Press and hold the power button for five seconds.
1. After one second, you will see all five LEDs illuminate, then slowly turn off from right to left.
1. After five seconds, all LEDs will be off, indicating the shutdown command was issued successfully.
1. Note that its important to stop pressing the button immediately after all the LEDs have turned off.
1. Note that it's important to stop pressing the button immediately after all the LEDs have turned off.
1. Wait one minute for the shutdown to cleanly succeed. Note that the shutdown may still be in progress even if the displays are turned off.
1. Power on the device again by pressing and holding the power button for one second.
@ -66,18 +69,18 @@ If none of the previous methods are able to successfully restart your device, yo
1. Press and hold the power button for at least 10 seconds.
- Its okay to hold the button for longer than 10 seconds.
- Its safe to ignore any LED activity.
- It's okay to hold the button for longer than 10 seconds.
- It's safe to ignore any LED activity.
1. Release the button and wait for two or three seconds.
1. Power on the device again by pressing and holding the power button for one second.
If youre still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device.
If you're still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device.
## Reset to factory settings
> [!NOTE]
> The battery needs at least 40 percent charge to reset.
If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software thats installed on it and returns everything else to factory settings.
If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that's installed on it and returns everything else to factory settings.
If you reset your device, all your personal data, apps, and settings will be erased. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth).
@ -109,10 +112,10 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper
> [!TIP]
> In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion:
1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed.
1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit.
1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device.
1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2.
1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed.
1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit.
1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device.
1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2.
### HoloLens (1st gen)
@ -120,7 +123,7 @@ If necessary, you can install a completely new operating system on your HoloLens
Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time. When you're done, the latest version of the Windows Holographic software approved for your HoloLens will be installed.
To use the tool, youll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you cant run this tool on a virtual machine.
To use the tool, you'll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can't run this tool on a virtual machine.
To recover your HoloLens
@ -128,4 +131,4 @@ To recover your HoloLens
1. Connect the HoloLens (1st gen) to your computer using the Micro USB cable that came with your HoloLens.
1. Run the Windows Device Recovery Tool and follow the instructions.
If the HoloLens (1st gen) isnt automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode.
If the HoloLens (1st gen) isn't automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode.

17
devices/hololens/hololens-release-notes.md
View File

@ -1,5 +1,5 @@
---
title: What's new in Microsoft HoloLens
title: HoloLens release notes
description: Learn about updates in each new HoloLens release.
author: scooley
ms.author: scooley
@ -9,6 +9,9 @@ ms.sitesec: library
ms.topic: article
ms.localizationpriority: medium
ms.date: 12/02/2019
ms.custom:
- CI 111456
- CSSTroubleshooting
audience: ITPro
appliesto:
- HoloLens 1
@ -16,7 +19,7 @@ appliesto:
---
# HoloLens Release Notes
# HoloLens release notes
## HoloLens 2
@ -57,12 +60,12 @@ appliesto:
| Feature | Details |
|---|---|
| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. <br> See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.<br><br>![sample of the Quick actions menu](images/minimenu.png) |
| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, youll be able to stop recording from the same place. (Dont forget, you can always do this with voice commands too.) |
| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) |
| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if youre in an immersive experience, use the bloom gesture). |
| **HoloLens overlays**<br>(file picker, keyboard, dialogs, etc.) | Youll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens youll see a visual display of the volume level. |
| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—its between the "Hello" message and the Windows boot logo. |
| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). |
| **HoloLens overlays**<br>(file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. |
| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. |
| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |

9
devices/hololens/hololens-spaces.md
View File

@ -1,9 +1,12 @@
---
title: Mapping physical spaces with HoloLens
title: Map physical spaces with HoloLens
description: HoloLens learns what a space looks like over time. Users can facilitate this process by moving the HoloLens in certain ways through the space.
ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
author: dorreneb
ms.author: dobrown
ms.custom:
- CI 111456
- CSSTroubleshooting
ms.date: 09/16/2019
keywords: hololens, Windows Mixed Reality, design, spatial mapping, HoloLens, surface reconstruction, mesh, head tracking, mapping
ms.prod: hololens
@ -15,14 +18,14 @@ appliesto:
- HoloLens 2
---
# Mapping physical spaces with HoloLens
# Map physical spaces with HoloLens
HoloLens blends holograms with your physical world. To do that, HoloLens has to learn about the physical world around you and remember where you place holograms within that space.
Over time, the HoloLens builds up a *spatial map* of the environment that it has seen. HoloLens updates the map as the environment changes. As long as you are logged in and the device is turned on, HoloLens creates and updates your spatial maps. If you hold or wear the device with the cameras pointed at a space, the HoloLens tries to map the area. While the HoloLens learns a space naturally over time, there are ways in which you can help HoloLens map your space more quickly and efficiently.
> [!NOTE]
> If your HoloLens cant map your space or is out of calibration, HoloLens may enter Limited mode. In Limited mode, you wont be able to place holograms in your surroundings.
> If your HoloLens can't map your space or is out of calibration, HoloLens may enter Limited mode. In Limited mode, you won't be able to place holograms in your surroundings.
This article explains how HoloLens maps spaces, how to improve spatial mapping, and how to manage the spatial data that HoloLens collects.

11
devices/hololens/hololens-status.md
View File

@ -1,18 +1,21 @@
---
title: HoloLens status
title: Status of the HoloLens services
description: Shows the status of HoloLens online services.
author: todmccoy
ms.author: v-todmc
author: Teresa-Motiv
ms.author: v-tea
ms.reviewer: luoreill
manager: jarrettr
audience: Admin
ms.custom:
- CI 111456
- CSSTroubleshooting
ms.topic: article
ms.prod: hololens
ms.localizationpriority: high
ms.sitesec: library
---
# HoloLens status
# Status of the HoloLens services
✔️ **All services are active**

49
devices/hololens/hololens-troubleshooting.md
View File

@ -1,5 +1,5 @@
---
title: HoloLens troubleshooting
title: Troubleshoot HoloLens issues
description: Solutions for common HoloLens issues.
author: mattzmsft
ms.author: mazeller
@ -11,16 +11,19 @@ audience: ITPro
ms.localizationpriority: medium
keywords: issues, bug, troubleshoot, fix, help, support, HoloLens
manager: jarrettr
ms.custom:
- CI 111456
- CSSTroubleshooting
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Troubleshooting HoloLens issues
# Troubleshoot HoloLens issues
This article describes how to resolve several common HoloLens issues.
## My HoloLens is unresponsive or wont start
## My HoloLens is unresponsive or won't start
If your HoloLens won't start:
@ -35,59 +38,59 @@ If these steps don't work, you can try [recovering your device](hololens-recover
## Holograms don't look good
If your holograms are unstable, jumpy, or dont look right, try:
If your holograms are unstable, jumpy, or don't look right, try:
- Cleaning your device visor and sensor bar on the front of your HoloLens.
- Increasing the light in your room.
- Walking around and looking at your surroundings so that HoloLens can scan them more completely.
- Calibrating your HoloLens for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.
## HoloLens doesnt respond to gestures
## HoloLens doesn't respond to gestures
To make sure that HoloLens can see your gestures. Keep your hand in the gesture frame - when HoloLens can see your hand, the cursor changes from a dot to a ring.
Learn more about using gestures on [HoloLens (1st gen)](hololens1-basic-usage.md#use-hololens-with-your-hands) or [HoloLens 2](hololens2-basic-usage.md#the-hand-tracking-frame).
If your environment is too dark, HoloLens might not see your hand, so make sure that theres enough light.
If your environment is too dark, HoloLens might not see your hand, so make sure that there's enough light.
If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently.
## HoloLens doesnt respond to my voice commands
## HoloLens doesn't respond to my voice commands
If Cortana isnt responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
If Cortana isn't responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
## I cant place holograms or see holograms that I previously placed
## I can't place holograms or see holograms that I previously placed
If HoloLens cant map or load your space, it enters Limited mode and you wont be able to place holograms or see holograms that youve placed. Here are some things to try:
If HoloLens can't map or load your space, it enters Limited mode and you won't be able to place holograms or see holograms that you've placed. Here are some things to try:
- Make sure that theres enough light in your environment so HoloLens can see and map the space.
- Make sure that youre connected to a Wi-Fi network. If youre not connected to Wi-Fi, HoloLens cant identify and load a known space.
- Make sure that there's enough light in your environment so HoloLens can see and map the space.
- Make sure that you're connected to a Wi-Fi network. If you're not connected to Wi-Fi, HoloLens can't identify and load a known space.
- If you need to create a new space, connect to Wi-Fi, then restart your HoloLens.
- To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**.
- If the correct space is loaded and youre still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space.
- If the correct space is loaded and you're still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space.
## My HoloLens cant tell what space Im in
## My HoloLens can't tell what space I'm in
If your HoloLens cant identify and load the space youre in automatically, check the following factors:
If your HoloLens can't identify and load the space you're in automatically, check the following factors:
- Make sure that youre connected to Wi-Fi
- Make sure that theres plenty of light in the room
- Make sure that there havent been any major changes to the surroundings.
- Make sure that you're connected to Wi-Fi
- Make sure that there's plenty of light in the room
- Make sure that there haven't been any major changes to the surroundings.
You can also load a space manually or manage your spaces by going to **Settings** > **System** > **Spaces**.
## Im getting a “low disk space” error
## I'm getting a "low disk space" error
Youll need to free up some storage space by doing one or more of the following:
You'll need to free up some storage space by doing one or more of the following:
- Delete some unused spaces. Go to **Settings** > **System** > **Spaces**, select a space that you no longer need, and then select **Remove**.
- Remove some of the holograms that youve placed.
- Remove some of the holograms that you've placed.
- Delete some pictures and videos from the Photos app.
- Uninstall some apps from your HoloLens. In the **All apps** list, tap and hold the app you want to uninstall, and then select **Uninstall**.
## My HoloLens cant create a new space
## My HoloLens can't create a new space
The most likely problem is that youre running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
The most likely problem is that you're running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
## The HoloLens emulators isn't working

7
devices/hololens/hololens-updates.md
View File

@ -1,5 +1,5 @@
---
title: Managing updates to HoloLens
title: Manage HoloLens updates
description: Administrators can use mobile device management to manage updates to HoloLens devices.
ms.prod: hololens
ms.sitesec: library
@ -11,12 +11,15 @@ ms.localizationpriority: high
ms.date: 11/7/2019
ms.reviewer: jarrettr
manager: jarrettr
ms.custom:
- CI 111456
- CSSTroubleshooting
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Managing HoloLens updates
# Manage HoloLens updates
HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the Internet.

85
devices/hololens/hololens-whats-new.md
View File

@ -1,85 +0,0 @@
---
title: What's new in Microsoft HoloLens (HoloLens)
description: Windows Holographic for Business gets new features in Windows 10, version 1809.
ms.prod: hololens
ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/13/2018
ms.reviewer:
manager: dansimp
---
# What's new in Microsoft HoloLens
## Windows 10, version 1809 for Microsoft HoloLens
> **Applies to:** Hololens (1st gen)
### For everyone
| Feature | Details |
|---|---|
| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. <br> See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.<br><br>![sample of the Quick actions menu](images/minimenu.png) |
| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, youll be able to stop recording from the same place. (Dont forget, you can always do this with voice commands too.) |
| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if youre in an immersive experience, use the bloom gesture). |
| **HoloLens overlays**<br>(file picker, keyboard, dialogs, etc.) | Youll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens youll see a visual display of the volume level. |
| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—its between the "Hello" message and the Windows boot logo. |
| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
### For administrators
| Feature | Details |
|---|----|
| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with yourpassword. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password. <br>**Note:** You can choose to bypass any PIN/Smartcard options when promptedduring web sign-in. |
| Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer toyour MDM documentationfor feature availability and instructions. |
| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer toyour MDM documentationfor feature availability and instructions. |
### For international customers
Feature | Details
--- | ---
Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.
Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English.
[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md)
## Windows 10, version 1803 for Microsoft HoloLens
> **Applies to:** Hololens (1st gen)
Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
![Provisioning HoloLens devices](images/provision-hololens-devices.png)
- When you create a local account in a provisioning package, the password no longer expires every 42 days.
- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.

7
devices/hololens/index.md
View File

@ -1,6 +1,6 @@
---
title: Microsoft HoloLens
description: Landing page Microsoft HoloLens.
description: Landing page for Microsoft HoloLens.
ms.prod: hololens
ms.sitesec: library
ms.assetid: 0947f5b3-8f0f-42f0-aa27-6d2cad51d040
@ -10,8 +10,11 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 10/14/2019
audience: ITPro
ms.custom:
- CI 111456
- CSSTroubleshooting
appliesto:
- HoloLens 1
- HoloLens (1st gen)
- HoloLens 2
---

11
devices/hololens/scep-whitepaper.md
View File

@ -11,20 +11,23 @@ ms.sitesec: library
ms.topic: article
audience: ITPro
ms.localizationpriority: high
ms.custom:
- CI 111456
- CSSTroubleshooting
appliesto:
- HoloLens 1 (1st gen)
- HoloLens 2
---
# SCEP Whitepaper
# SCEP whitepaper
## High Level
### How the SCEP Challenge PW is secured
We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information weve configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes.
We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we've configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes.
We then pass that to the device and then the device generates its CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected.
We then pass that to the device and then the device generates it's CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected.
## Behind the scenes
@ -72,6 +75,6 @@ We then pass that to the device and then the device generates its CSR and pas
1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup.
1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there wont be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet.
1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors' SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won't be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet.
1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications.

77
windows/deployment/update/update-compliance-wd-av-status.md
View File

@ -1,8 +1,8 @@
---
title: Update Compliance - Perspectives
title: Update Compliance - Windows Defender AV Status report
ms.reviewer:
manager: laurawi
description: an overview of Update Compliance Perspectives
description: an overview of the Windows Defender AV Status report
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
@ -14,57 +14,34 @@ ms.collection: M365-analytics
ms.topic: article
---
# Perspectives
# Windows Defender AV Status
> [!IMPORTANT]
> On March 31, 2020, the Perspectives feature of Update Compliance will be removed in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/), which allows finer control over security features and updates.
![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png)
![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png)
Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance.
There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates.
The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered.
The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any).
## Deployment status
The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows:
| State | Description |
| --- | --- |
| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. |
| In Progress | Devices that report they are "In Progress" are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
| Deferred | When a device's Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
| Progress stalled | Devices that report as "Progress stalled" have been stuck at "In progress" for more than 7 days. |
| Cancelled | The update was canceled. |
| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). |
## Detailed deployment status
The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report:
| State | Description |
| --- | --- |
| Update deferred | When a device's Windows Update for Business policy dictates the update is deferred. |
| Update paused | The device's Windows Update for Business policy dictates the update is paused from being offered. |
| Update offered | The device has been offered the update, but has not begun downloading it. |
| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
| Download Started | The update has begun downloading on the device. |
| Download Succeeded | The update has successfully completed downloading. |
| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |
| Install Started | Installation of the update has begun. |
| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed.
| Reboot Pending | The device has a scheduled reboot to apply the update. |
| Reboot Initiated | The scheduled reboot has been initiated. |
| Update Completed/Commit | The update has successfully installed. |
The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection this percentage only considers devices using Windows Defender Antivirus.
> [!NOTE]
> Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking "Not configured (-1)" devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
> Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx).
## Windows Defender AV Status sections
The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query.
The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation.
Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance:
* **Signature out of date** devices are devices with a signature older than 14 days.
* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection.
* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days.
* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team.
* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared.
## Windows Defender data latency
Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days.
## Related topics
- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites)

42
windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
View File

@ -22,40 +22,42 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
Central access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than other network objects. However, it is important to monitor these objects for potential changes in security auditing and to verify that policies are being enforced.
This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx).
Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They are stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced.
>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
Follow the procedures in this article to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](https://technet.microsoft.com/library/hh846167.aspx).
> [!NOTE]
> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
**To configure settings to monitor changes to central access policy and rule definitions**
**Configure settings to monitor central access policy and rule definition changes**
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**.
4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**.
5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
2. In Server Manager, point to **Tools** and select **Group Policy Management**.
3. In the console tree, right-click the default domain controller Group Policy Object, and then select **Edit**.
4. Double-click **Computer Configuration** and select **Security Settings**. Expand **Advanced Audit Policy Configuration** and **System Audit Policies**, select **DS Access**, and then double-click **Audit directory service changes**.
5. Select the **Configure the following audit events** and **Success** check boxes (and the **Failure** check box, if you want). Then select **OK**.
6. Close the Group Policy Management Editor.
7. Open the Active Directory Administrative Center.
8. Under Dynamic Access Control, right-click **Central Access Policies**, and then select **Properties**.
9. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab.
10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes.
9. Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab.
10. Select **Add**, add a security auditing setting for the container, and then close all the security properties dialog boxes.
After you configure settings to monitor changes to central access policy and central access rule definitions, verify that the changes are being monitored.
**To verify that changes to central access policy and rule definitions are monitored**
**Verify that central access policy and rule definition changes are monitored**
1. Sign in to your domain controller by using domain administrator credentials.
2. Open the Active Directory Administrative Center.
3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then click **Properties**.
4. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab.
5. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes.
6. In the **Central Access Policies** container, add a new central access policy (or select one that exists), click **Properties** in the **Tasks** pane, and then change one or more attributes.
7. Click **OK**, and then close the Active Directory Administrative Center.
8. In Server Manager, click **Tools**, and then click **Event Viewer**.
9. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log.
3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then select **Properties**.
4. Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab.
5. Select **Add**, add a security auditing setting for the container, and then close all security properties dialog boxes.
6. In the **Central Access Policies** container, add a new central access policy (or select one that already exists). Select **Properties** in the **Tasks** pane, and then change one or more attributes.
7. Select **OK**, and then close the Active Directory Administrative Center.
8. In Server Manager, select **Tools** and then **Event Viewer**.
9. Expand **Windows Logs**, and then select **Security**. Verify that event 4819 appears in the security log.
### Related resource
### Related topics
- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)

342
windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
View File

@ -1,7 +1,8 @@
---
title: Planning and deploying advanced security audit policies (Windows 10)
description: Learn which options to consider and tasks to complete, to deploy an effective security audit policy in a network that includes advanced security audit policies.
title: Plan and deploy advanced security audit policies (Windows 10)
description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies.
ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442
ms.reviewer:
ms.author: dansimp
ms.prod: w10
@ -17,150 +18,153 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
# Planning and deploying advanced security audit policies
# Plan and deploy advanced security audit policies
**Applies to**
- Windows 10
This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit
policies.
This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.
Organizations invest a large portion of their information technology budgets on security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them.
Organizations invest heavily in security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, the job isn't complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them.
To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also provide absolute proof that IT operations comply with corporate and regulatory requirements.
To be well-defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In many organizations, it must also provide proof that IT operations comply with corporate and regulatory requirements.
Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you do not plan well, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an organization as vulnerable as not enough monitoring.
No organization has unlimited resources to monitor every resource and activity on a network. If you don't plan well, you'll likely have gaps in your auditing strategy. But if you try to audit every resource and activity, you may gather too much monitoring data, including thousands of benign audit entries that an analyst will have to sift through to identify the narrow set of entries that warrant closer examination. Such volume could delay or prevent auditors from identifying suspicious activity. Too much monitoring can leave an organization as vulnerable as not enough.
Here are some features that can help you focus your effort:
- **Advanced audit policy settings**. You can apply and manage detailed audit policy settings through Group Policy.
- **"Reason for access" auditing**. You can specify and identify the permissions that were used to generate a particular object access security event.
- **Global object access auditing**. You can define system access control lists (SACLs) for an entire computer file system or registry.
- **Advanced audit policy settings:** You can apply and manage detailed audit policy settings through Group Policy.
- **"Reason for access" auditing:** You can specify and identify the permissions that were used to generate a particular object access security event.
- **Global object access auditing:** You can define system access control lists (SACLs) for an entire computer file system or registry.
To deploy these features and plan an effective security auditing strategy, you need to:
- Identify your most critical resources and the most important activities that need to be tracked.
- Identify the audit settings that can be used to track these activities.
- Identify your most critical resources and the most important activities that you need to track.
- Identify the audit settings that you can use to track these activities.
- Assess the advantages and potential costs associated with each.
- Test these settings to validate your choices.
- Develop plans for deploying and managing your audit policy.
## About this guide
This document will guide you through the steps needed to plan a security auditing policy that uses Windows auditing features. This policy must identify and address vital business needs, including:
This article guides you through the steps to plan a security auditing policy that uses Windows auditing features. The policy must address vital business needs, including:
- Network reliability
- Regulatory requirements
- Protection of the organization's data and intellectual property
- Protection of data and intellectual property
- Users, including employees, contractors, partners, and customers
- Client computers and applications
- Servers and the applications and services running on those servers
The audit policy also must identify processes for managing audit data after it has been logged, including:
The audit policy also must identify processes for managing audit data after it's been logged, including:
- Collecting, evaluating, and reviewing audit data
- Storing and (if required) disposing of audit data
- Collecting, evaluating, and reviewing data
- Storing and (if necessary) disposing of data
By carefully planning, designing, testing, and deploying a solution based on your organization's business requirements, you can provide the standardized functionality, security, and management control that your organization needs.
## Understanding the security audit policy design process
## Understand the security audit policy design process
The process of designing and deploying a Windows security audit policy involves the following tasks, which are described in greater detail throughout this document:
Designing and deploying a Windows security audit policy involves the following tasks, which are described in this document:
- [Identifying your Windows security audit policy deployment goals](#bkmk-1)
- [Identify your Windows security audit policy deployment goals](#bkmk-1)
This section helps define the business objectives that will guide your Windows security audit policy. It also helps you define the resources, users, and computers that will be the focus of your security auditing.
This section helps define the business objectives that will guide your Windows security audit policy. It also helps define the resources, users, and computers that will be the focus of your auditing.
- [Mapping the security audit policy to groups of users, computers, and resources in your organization](#bkmk-2)
- [Map your security audit policy to groups of users, computers, and resources](#bkmk-2)
This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. In addition, if your network includes multiple versions of Windows client and server operating systems, it also explains when to use basic audit policy settings and when to use advanced security audit policy settings.
This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. It also explains when to use basic audit policy settings and when to use advanced security audit policy settings.
- [Mapping your security auditing goals to a security audit policy configuration](#bkmk-3)
- [Map your security auditing goals to a security audit policy configuration](#bkmk-3)
This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings that can be of particular value to address auditing scenarios.
This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings to address auditing scenarios.
- [Planning for security audit monitoring and management](#bkmk-4)
- [Plan for security audit monitoring and management](#bkmk-4)
This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you want to audit, Windows event logs can fill up quickly. In addition, this section explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also explains how to address storage requirements, including how much audit data to store and how it must be stored.
This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you audit, your Windows event logs can fill up quickly. This section also explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also covers how to address storage requirements.
- [Deploying the security audit policy](#bkmk-5)
- [Deploy the security audit policy](#bkmk-5)
This section provides recommendations and guidelines for the effective deployment of a Windows security audit policy. Configuring and deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you have selected will produce the type of audit data you need. However, only a carefully staged pilot and incremental deployments based on your domain and organizational unit (OU) structure will enable you to confirm that the audit data you generate can be monitored and that it meets your organization's audit needs.
This section provides guidelines for effective deployment of a Windows security audit policy. Deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you've selected will produce the audit data that you need. But only a carefully staged pilot and incremental deployment based on your domain and organizational unit (OU) structure will confirm that the audit data you generate can be monitored and meets your needs.
## <a href="" id="bkmk-1"></a>Identifying your Windows security audit policy deployment goals
## <a href="" id="bkmk-1"></a>Identify your Windows security audit policy deployment goals
A security audit policy must support and be a critical and integrated aspect of an organization's overall security design and framework.
A security audit policy must support and be an integrated aspect of an organization's overall security framework.
Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which assets, resources, and users provide the strongest justification for the focus of a security audit.
Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which provide the strongest justification for the focus of a security audit.
To create your Windows security audit plan, begin by identifying:
- The overall network environment, including the domains, OUs, and security groups.
- The resources on the network, the users of those resources, and how those resources are being used.
- Regulatory requirements.
- The overall network environment, including the domains, OUs, and security groups
- The resources on the network, the users of those resources, and how those resources are used
- Regulatory requirements
### Network environment
An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain portions of your domain and OU structure already provide logical groups of users, resources, and activities that justify the time and resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) later in this document.
An organization's domain and organizational unit (OU) structure provide a fundamental starting point for thinking about how to apply a security audit policy. They likely provide a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. Your domain and OU structure probably already provide logical groups of users, resources, and activities that justify the resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources](#bkmk-2) later in this document.
In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats.
In addition to your domain model, determine whether your organization maintains a systematic threat model. A good threat model can help identify threats to key components in your infrastructure. Then you can apply audit settings that enhance your ability to identify and counter those threats.
>**Important:**  Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results.
For additional details about how to complete each of these steps and how to prepare a detailed threat model, download the [IT Infrastructure Threat Modeling Guide](https://go.microsoft.com/fwlink/p/?LinkId=163432).
> [!IMPORTANT]
> Including auditing in your organization's security plan also helps you budget resources to the areas where auditing can achieve the best results.
### Data and resources
For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of these data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance the existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you will be able to manage.
For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of your data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance your existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you can manage.
You can record if these resources have high business impact, medium business impact, or low business impact, the cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different levels of risk to an organization.
You can record if these resources have high, medium, or low business impact; the cost to the organization if these data resources are accessed by unauthorized users; and the risks that such access can pose to the organization. The type of access by users (such as *read*, *modify*, or *copy*) can also pose different levels of risk.
Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information.
Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss of credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information.
The following table provides an example of a resource analysis for an organization.
| Resource class | Where stored | Organizational unit | Business impact | Security or regulatory requirements |
| - | - | - | - | - |
| Payroll data| Corp-Finance-1| Accounting: Read/Write on Corp-Finance-1<br/>Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy|
| Patient medical records| MedRec-2| Doctors and Nurses: Read/Write on Med/Rec-2<br/>Lab Assistants: Write only on MedRec-2<br/>Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards|
| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/Write on Web-Ext-1<br/>Public: Read only on Web-Ext-1| Low| Public education and corporate image|
| Payroll data| Corp-Finance-1| Accounting: Read/write on Corp-Finance-1<br/>Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy|
| Patient medical records| MedRec-2| Doctors and Nurses: Read/write on Med/Rec-2<br/>Lab Assistants: Write only on MedRec-2<br/>Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards|
| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/write on Web-Ext-1<br/>Public: Read only on Web-Ext-1| Low| Public education and corporate image|
### Users
Many organizations find it useful to classify the types of users they have and base permissions on this classification. This same classification can help you identify which user activities should be the subject of security auditing and the amount of audit data they will generate.
Many organizations find it useful to classify the types of users they have and then base permissions on this classification. This classification can help you identify which user activities should be the subject of security auditing and the amount of audit data that they'll generate.
Organizations can create distinctions based on the type of rights and permissions needed by users to perform their jobs. For example, under the classification Administrators, larger organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under Users, permissions and Group Policy settings can apply to as many as all users in an organization or as few as a subset of the employees in a given department.
Organizations can create distinctions based on the type of rights and permissions that users need to do their jobs. Under the classification *administrators*, for example, large organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under *users*, permissions and Group Policy settings can apply to all users in an organization or as few as a subset of employees in a given department.
Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you are complying with these requirements.
Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you're complying with these requirements.
To effectively audit user activity, begin by listing the different types of users in your organization and the types of data they need access to—in addition to the data they should not have access to.
To effectively audit user activity, begin by listing the different types of users in your organization, the types of data they need access to, and the data they shouldn't have access to.
Also, if external users can access any of your organization's data, be sure to identify them, including if they belong to a business partner, customer, or general user, the data they have access to, and the permissions they have to access that data.
Also, if external users can access your organization's data, be sure to identify them. Determine whether they're a business partner, customer, or general user; the data they have access to; and the permissions they have to access that data.
The following table illustrates an analysis of users on a network. Although our example contains a single column titled "Possible auditing considerations," you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use.
The following table illustrates an analysis of users on a network. Our example contains only a single column titled "Possible auditing considerations," but you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use.
| Groups | Data | Possible auditing considerations |
| - | - | - |
| Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. |
| Members of the Finance OU| Financial records| Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. |
| External partners | Project Z| Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.|
| Members of the Finance OU| Financial records| Users in Finance have read/write access to critical financial records but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. |
| External partners | Project Z| Employees of partner organizations have read/write access to certain project data and servers relating to Project Z but not to other servers or data on the network.|
### Computers
Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on:
- If the computers are servers, desktop computers, or portable computers.
- The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager.
- Whether the computers are servers, desktop computers, or portable computers
- The important applications that the computers run, such as Microsoft Exchange Server, SQL Server, or Forefront Identity Manager
>**Note:**  If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx).
> [!NOTE]
> For more information about auditing:
> - In Exchange Server, see [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052).
> - In SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434).
> - In SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx).
- The operating system versions.
- The operating system versions
>**Note:**  The operating system version determines which auditing options are available and the volume of audit event data.
> [!NOTE]
> The operating system version determines which auditing options are available and the volume of audit event data.
- The business value of the data.
- The business value of the data
For example, a web server that is accessed by external users requires different audit settings than a root certification authority (CA) that is never exposed to the public Internet or even to regular users on the organization's network.
For example, a web server that's accessed by external users requires different audit settings than a root certification authority (CA) that's never exposed to the public internet or even to regular users on the organization's network.
The following table illustrates an analysis of computers in an organization.
@ -173,137 +177,150 @@ The following table illustrates an analysis of computers in an organization.
### Regulatory requirements
Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations.
Many industries and locales have specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who can access records and how the records are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with these regulations and verify compliance.
For more info, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx).
For more information, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx).
## <a href="" id="bkmk-2"></a>Mapping the security audit policy to groups of users, computers, and resources in your organization
## <a href="" id="bkmk-2"></a>Map your security audit policy to groups of users, computers, and resources
By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the
following considerations for using Group Policy to apply security audit policy settings:
By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings:
- The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
- For every policy setting that you select, you need to decide whether it should be enforced across the organization, or whether it should apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers.
- By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that is linked at a lower level can overwrite inherited policies.
- Decide whether every policy setting that you select should be enforced across the organization or apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers.
- By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that's linked at a lower level can overwrite inherited policies.
For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing).
For example, you might use a domain GPO to assign an organization-wide group of audit settings but want a certain OU to get a defined group of additional settings. To do this, you can link a second GPO to that specific lower-level OU. Then, a logon audit setting that's applied at the OU level will override a conflicting logon audit setting that's applied at the domain level, unless you've taken special steps to apply Group Policy loopback processing.
- Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to computer OUs, not to user OUs. However, in most cases you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This enables auditing for a security group that contains only the users you specify.
- Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to *computer* OUs, not to *user* OUs. But in most cases, you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This functionality enables auditing for a security group that contains only the users you specify.
For example, you could configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
For example, you could configure a SACL for a folder called *Payroll Data* on Accounting Server 1. You can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. But, because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder will generate audit events.
- Advanced security audit policy settings were introduced in Windows Server 2008 R2 or Windows 7 and can be applied to those operating systems and later. These advanced audit polices can only be applied by using Group Policy.
- Advanced security audit policy settings were introduced in Windows Server 2008 R2 and Windows 7. These advanced audit policies can only be applied to those operating systems and later versions by using Group Policy.
>**Important:**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting.
If you use **Advanced Audit Policy Configuration** settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
> [!IMPORTANT]
> Whether you apply advanced audit policies by using Group Policy or logon scripts, don't use both the basic audit policy settings under **Local Policies\Audit Policy** and the advanced settings under **Security Settings\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting.
If you use **Advanced Audit Policy Configuration** settings or logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This configuration will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
The following are examples of how audit policies can be applied to an organization's OU structure:
The following examples show how you can apply audit policies to an organization's OU structure:
- Apply data activity settings to an OU that contains file servers. If your organization has servers that contain particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more precise audit policy to these servers.
- Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs based on the department they work in, consider configuring and applying more detailed security permissions on critical resources that are accessed by employees who work in more sensitive areas, such as network administrators or the legal department.
- Apply data activity settings to an OU that contains file servers. If your organization has servers that contain sensitive data, consider putting them in a separate OU. Then you can configure and apply a more precise audit policy to these servers.
- Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs by department, consider applying more-detailed security permissions on critical resources that are accessed by employees who work in more-sensitive areas, such as network administrators or the legal department.
- Apply network and system activity audit policies to OUs that contain the organization's most critical servers, such as domain controllers, CAs, email servers, or database servers.
## <a href="" id="bkmk-3"></a>Mapping your security auditing goals to a security audit policy configuration
## <a href="" id="bkmk-3"></a>Map your security auditing goals to a security audit policy configuration
After you identify your security auditing goals, you can begin to map them to a security audit policy configuration. This audit policy configuration must address your most critical security auditing goals, but it also must address your organization's constraints, such as the number of computers that need to be monitored, the number of activities that you want to audit, the number of audit events that your desired audit configuration will generate, and the number of administrators available to analyze and act upon audit data.
After you identify your security auditing goals, you can map them to a security audit policy configuration. This audit policy configuration must address your security auditing goals. But it also must reflect your organization's constraints, such as the numbers of:
- Computers that need to be monitored
- Activities that you want to audit
- Audit events that your audit configuration will generate
- Administrators available to analyze and act upon audit data
To create your audit policy configuration, you need to:
1. Explore all of the audit policy settings that can be used to address your needs.
2. Choose the audit settings that will most effectively address the audit requirements identified in the previous section.
3. Confirm that the settings you choose are compatible with the operating systems running on the computers that you want to monitor.
4. Decide which configuration options (Success, Failure, or both Success and Failure) you want to use for the audit settings.
5. Deploy the audit settings in a lab or test environment to verify that they meet your desired results in terms of volume, supportability, and comprehensiveness. Then deploy the audit settings in a pilot production environment to ensure that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data.
1. Explore all the audit policy settings that can be used to address your needs.
1. Choose the audit settings that will most effectively address the audit requirements there were identified in the previous section.
1. Confirm that the settings that you choose are compatible with the operating systems running on the computers that you want to monitor.
1. Decide which configuration options (*success*, *failure*, or both *success* and *failure*) you want to use for the audit settings.
1. Deploy the audit settings in a lab or test environment to verify that they meet your desired results for volume, supportability, and comprehensiveness. Then, deploy the audit settings in a pilot production environment to check that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data.
### Exploring audit policy options
### Explore audit policy options
Security audit policy settings in the supported versions of Windows can be viewed and configured in the following locations:
You can view and configure security audit policy settings in the supported versions of Windows in the following locations:
- **Security Settings\\Local Policies\\Audit Policy**.
- **Security Settings\\Local Policies\\Security Options**.
- **Security Settings\\Advanced Audit Policy Configuration**. For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
- *Security Settings\\Local Policies\\Audit Policy*
- *Security Settings\\Local Policies\\Security Options*
- *Security Settings\\Advanced Audit Policy Configuration*
For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md).
### Choosing audit settings to use
### Choose audit settings to use
Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under **Security Settings\\Advanced Audit Policy Configuration** can be used to monitor the following types of activity:
Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under *Security Settings\\Advanced Audit Policy Configuration* can be used to monitor the following types of activity:
- Data and resources
- Users
- Network
>**Important:**  Settings that are described in the Reference might also provide valuable information about activity audited by another setting. For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network.
> [!IMPORTANT]
> Settings that are described in the reference might also provide valuable information about activity audited by another setting. For example, the settings that you use to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status and potentially for how well you're managing the activities of users on the network.
### Data and resource activity
For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be
protected against any breach, the following settings can provide extremely valuable monitoring and forensic data:
Compromise to an organization's data resources can cause tremendous financial losses, lost prestige, and legal liability. If your organization has critical data resources that must be protected, the following settings can provide valuable monitoring and forensic data:
- Object Access\\[Audit File Share](audit-file-share.md). This policy setting allows you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated by this setting will vary depending on the number of client computers that attempt to access the file share. On a file server or domain controller, volume may be high due to SYSVOL access by client computers for policy processing. If you do not need to record routine access by client computers that have permissions on the file share, you may want to log audit events only for failed attempts to access the file share.
- Object Access\\[Audit File System](audit-file-system.md). This policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects (such as files and folders) that have configured SACLs, and only if the type of access requested (such as Write, Read, or Modify) and the account that is making the request match the settings in the SACL.
- **Object Access\\[Audit File Share](audit-file-share.md)**: This policy setting enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated with this setting will vary depending on the number of client computers that try to access the file share. On a file server or domain controller, volume may be high because of SYSVOL access by client computers for policy processing. If you don't need to record routine access by client computers on the file share, you may want to log audit events only for failed attempts to access the file share.
- **Object Access\\[Audit File System](audit-file-system.md)**: This policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects, such as files and folders, that have configured SACLs, and only if the type of access requested (such as *write*, *read*, or *modify*) and the account that's making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that have been configured to be monitored.
If *success* auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If *failure* auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that you configured to be monitored.
>**Note:**  To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).
> [!NOTE]
> To audit user attempts to access all file system objects on a computer, use the *Global Object Access Auditing* settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).
- Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL.
- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events and only if the attempted handle operation matches the SACL.
Event volume can be high, depending on how SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy settings, the **Audit Handle Manipulation** policy setting can provide an administrator with useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a Read-only resource but a user attempts to save changes to the file, the audit event will log not only the event, but also the permissions that were used (or attempted to be used) to save the file changes.
Event volume can be high, depending on how the SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy setting, the **Audit Handle Manipulation** policy setting can provide useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a *read-only* resource but a user tries to save changes to the file, the audit event will log the event *and* the permissions that were used (or attempted to be used) to save the file changes.
- **Global Object Access Auditing**: Many organizations use security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system. These settings can't be overridden or circumvented.
- **Global Object Access Auditing**. A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented.
>**Important:**  The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.
> [!IMPORTANT]
> The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category.
### User activity
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network, and the settings in this section focus on the users, including employees, partners, and customers, who may try to access those resources.
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers.
In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate activities. The following are a few important settings that you should evaluate to track user activity on your network:
In most cases, these attempts are legitimate, and the network needs to make data readily available to legitimate users. But in other cases, employees, partners, and others may try to access resources that they have no legitimate reason to access. You can use security auditing to track a variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and to identify and address illegitimate activities. The following are important settings that you should evaluate to track user activity on your network:
- Account Logon\\[Audit Credential Validation](audit-credential-validation.md). This is an extremely important policy setting because it enables you to track every successful and unsuccessful attempt to present credentials for a user logon. In particular, a pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid, or attempting to use a variety of credentials in succession in hope that one of these attempts will eventually be successful. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
- Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md). These policy settings can enable you to monitor the applications that a user opens and closes on a computer.
- DS Access\\[Audit Directory Service Access](audit-directory-service-access.md) and DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md). These policy settings provide a detailed audit trail of attempts to access create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it is extremely important to identify malicious attempts to modify these objects. In addition, although domain administrators should be among an organization's most trusted employees, the use of **Audit Directory Service Access** and **Audit Directory Service Changes** settings allow you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers.
- Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md). Another common security scenario occurs when a user attempts to log on with an account that has been locked out. It is important to identify these events and to determine whether the attempt to use an account that has been locked out is malicious.
- Logon/Logoff\\[Audit Logoff](audit-logoff.md) and Logon/Logoff\\[Audit Logon](audit-logon.md). Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated.
- **Account Logon\\[Audit Credential Validation](audit-credential-validation.md)**: This setting enables you to track all successful and unsuccessful logon attempts. A pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid. Or the user or app is trying to use a variety of credentials in succession in hope that one of these attempts will eventually succeed. These events occur on the computer that's authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
- **Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md)**: These policy settings enable you to monitor the applications that a user opens and close on a computer.
- **DS Access\\[Audit Directory Service Access](audit-directory-service-access.md)** and **DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md)**: These policy settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it's important to identify malicious attempts to modify these objects. Also, although domain administrators should be among an organization's most trusted employees, the use of the **Audit Directory Service Access** and **Audit Directory Service Changes** settings enable you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers.
- **Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md)**: Another common security scenario occurs when a user attempts to log on with an account that's been locked out. It's important to identify these events and to determine whether the attempt to use an account that was locked out is malicious.
- **Logon/Logoff\\[Audit Logoff](audit-logoff.md)** and **Logon/Logoff\\[Audit Logon](audit-logon.md)**: Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated.
>**Note:**  There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated.
> [!NOTE]
> There's no failure event for logoff activity, because failed logoffs (such as when a system abruptly shuts down) don't generate an audit record. Logoff events aren't 100-percent reliable. For example, a computer can be turned off without a proper logoff and shut down, so a logoff event isn't generated.
- Logon/Logoff\\[Audit Special Logon](audit-special-logon.md). A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It is recommended to track these types of logons. For more information about this feature, see [article 947223](https://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base.
- Object Access\\[Audit Certification Services](audit-certification-services.md). This policy setting allows you to track and monitor a wide variety of activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users are performing or attempting to perform these tasks, and that only authorized or desired tasks are being performed.
- Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md). These policy settings are described in the previous section.
- Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting and its role in providing "reason for access" audit data is described in the previous section.
- Object Access\\[Audit Registry](audit-registry.md). Monitoring for changes to the registry is one of the most critical means that an administrator has to ensure malicious users do not make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs, and only if the type of access that is requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
- **Logon/Logoff\\[Audit Special Logon](audit-special-logon.md)**: A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It's recommended to track these types of logons.
- **Object Access\\[Audit Certification Services](audit-certification-services.md)**: This policy setting enables you to monitor activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users do these tasks and only authorized or desirable tasks are done.
- **Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md)**: These policy settings are described in the previous section.
- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting and its role in providing "reason for access" audit data is described in the previous section.
- **Object Access\\[Audit Registry](audit-registry.md)**: Monitoring for changes to the registry is one of the best ways for administrators to ensure that malicious users don't make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs and only if the type of access that's requested, such as *write*, *read*, or *modify*, and the account making the request match the settings in the SACL.
>**Important:**  On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked.
> [!IMPORTANT]
> On critical systems where all attempts to change registry settings should be tracked, you can combine the **Audit Registry** and **Global Object Access Auditing** policy settings to track all attempts to modify registry settings on a computer.
- Object Access\\[Audit SAM](audit-sam.md). The Security Accounts Manager (SAM) is a database that is present on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events.
- Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md). **Privilege Use** policy settings and audit events allow you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made.
- **Object Access\\[Audit SAM](audit-sam.md)**: The Security Accounts Manager (SAM) is a database on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events.
- **Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)**: These policy settings and audit events enable you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made.
### Network activity
The following network activity policy settings allow you to monitor security-related issues that are not necessarily covered in the data or user activity categories, but that can be equally important for network status and protection.
The following network activity policy settings enable you to monitor security-related issues that aren't necessarily covered in the data or user-activity categories but that can be important for network status and protection.
- **Account Management**. The policy settings in this category can be used to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the user activity and data activity sections.
- Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md). Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting allows you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting allows you to monitor the use of Kerberos service tickets.
- **Account Management**: Use the policy settings in this category to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the [User activity](#user-activity) and [Data and resource activity](#data-and-resource-activity) sections.
- **Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)**: Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting enables you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting enables you to monitor the use of Kerberos service tickets.
>**Note:**  **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed.
>[!NOTE]
>**Account Logon** policy settings apply only to specific domain account activities, regardless of which computer is accessed. **Logon/Logoff** policy settings apply to the computer that hosts the resources that are accessed.
- Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md). This policy setting can be used to track a number of different network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections.
- **DS Access**. Policy settings in this category allow you to monitor the AD DS role services, which provide account data, validate logons, maintain network access permissions, and provide other services that are critical to the secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. In addition, one of the key tasks performed by AD DS is the replication of data between domain controllers.
- Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md), Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md), and Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md). Many networks support large numbers of external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the Internet by enabling network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly.
- Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md). Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is attempting to circumvent these protections.
- **Policy Change**. These policy settings and events allow you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, any changes or attempts to change these policies can be an important aspect of security management for a network.
- Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md). This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network cannot be detected.
- Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md). This policy setting can be used to monitor a large variety of changes to an organization's IPsec policies.
- Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md). This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
- **Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md)**: This policy setting can be used to track various network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections.
- **DS Access**: Policy settings in this category enable you to monitor AD DS role services. These services provide account data, validate logons, maintain network access permissions, and provide other functionality that's critical to secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. One of the key tasks that AD DS performs is replication of data between domain controllers.
- **Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)**, **Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md)**, and **Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)**: Networks often support many external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the internet. It enables network-level peer authentication, data origin authentication, data integrity checks, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly.
- **Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md)**: Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is trying to circumvent these protections.
- **Policy Change**: These policy settings and events enable you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, monitoring any changes or attempted changes to these policies can be an important aspect of security management for a network.
- **Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md)**: This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network can't be detected.
- **Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)**: This policy setting can be used to monitor a variety of changes to an organization's IPsec policies.
- **Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)**: This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it's protected against network attacks.
### Confirm operating system version compatibility
Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and manage these settings. For more info, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md).
Not all versions of Windows support advanced audit policy settings or the use of Group Policy to manage these settings. For more information, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md).
The audit policy settings under **Local Policies\\Audit Policy** overlap with audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the amount of audit data that is less important to your organization.
The audit policy settings under **Local Policies\\Audit Policy** overlap with the audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories enable you to focus your auditing efforts on critical activities while reducing the amount of audit data that's less important to your organization.
For example, **Local Policies\\Audit Policy** contains a single setting called [Audit account logon events](https://technet.microsoft.com/library/cc787176.aspx). When this setting is configured, it generates at least 10 types of audit events.
For example, **Local Policies\\Audit Policy** contains a single setting called **[Audit account logon events](https://technet.microsoft.com/library/cc787176.aspx)**. When this setting is configured, it generates at least 10 types of audit events.
In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing:
@ -312,49 +329,50 @@ In comparison, the Account Logon category under **Security Settings\\Advanced Au
- Kerberos Service Ticket Operations
- Other Account Logon Events
These settings allow you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible.
These settings enable you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible.
### Success, failure, or both
### *Success*, *failure*, or both
Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the answer will be based on the criticality of the event and the implications of the decision on event volume.
Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails or succeeds or both successes *and* failures. This is an important question. The answer depends on the criticality of the event and the implications of the decision for event volume.
For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an event only when an unsuccessful attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. And in this instance, logging successful attempts to access the server would quickly fill the event log with benign events.
For example, on a file server that's accessed frequently by legitimate users, you may want to log an event only when an *unsuccessful* attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. In this case, logging *successful* attempts to access the server would quickly fill the event log with benign events.
On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every user who accessed the resource.
But if the file share has sensitive information, such as trade secrets, you may want to log every access attempt so that you have an audit trail of every user who tries to access the resource.
## <a href="" id="bkmk-4"></a>Planning for security audit monitoring and management
## <a href="" id="bkmk-4"></a>Plan for security audit monitoring and management
Networks can contain hundreds of servers running critical services or storing critical data, all of which need to be monitored. The number of client computers on the network can easily range into the tens or even hundreds of thousands. This may not be an issue if the ratio of servers or client computers per administrator is low. Even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how an administrator will obtain event data to review. Following are some options for obtaining the event data.
Networks may contain hundreds of servers that run critical services or store critical data, all of which need to be monitored. There may be tens or even hundreds of thousands of computers on the network. These numbers may not be an issue if the ratio of servers or client computers per administrator is low. And even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how the administrator will obtain event data to review. Following are some options for obtaining the event data.
- Will you keep event data on a local computer until an administrator logs on to review this data? If so, then the administrator needs to have physical or remote access to the Event Viewer on each client computer or server, and the remote access and firewall settings on each client computer or server need to be configured to enable this access. In addition, you need to decide how often an administrator can visit each computer, and adjust the size of the audit log so that critical information is not deleted if the log reaches its maximum capacity.
- Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Operations Manager 2007 and 2012, which can be used to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this can make it more difficult to detect clusters of related events that can occur on a single computer.
- Will you keep event data on a local computer until an administrator logs on to review this data? If so, the administrator needs to have physical or remote access to the Event Viewer on each client computer or server. And the remote access and firewall settings on each client computer or server need to be configured to enable this access. You also need to decide how often the administrator can visit each computer, and adjust the size of the audit log so that critical information isn't deleted if the log reaches capacity.
- Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Microsoft Operations Manager 2007 and 2012, that you can use to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this method can make it more difficult to detect clusters of related events that can occur on a single computer.
In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what should happen when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and click **Properties**. You can configure the following properties:
In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what happens when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and select **Properties**. You can configure the following properties:
- **Overwrite events as needed (oldest events first)**. This is the default option, which is an acceptable solution in most situations.
- **Archive the log when full, do not overwrite events**. This option can be used when all log data needs to be saved, but it also suggests that you may not be reviewing audit data frequently enough.
- **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you do not want to lose any audit data, do not want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached.
- **Overwrite events as needed (oldest events first)**: This is the default option, which is acceptable in most situations.
- **Archive the log when full, do not overwrite events**: This option can be used when all log data needs to be saved. But the scenario suggests that you may not be reviewing audit data frequently enough.
- **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you don't want to lose any audit data, don't want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached.
You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer
You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following location in the GPMC: **Computer
Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include:
- **Maximum Log Size (KB)**. This policy setting specifies the maximum size of the log files. The user interfaces in the Local Group Policy Editor and Event Viewer allow you to enter values as large as 2 TB. If this setting is not configured, event logs have a default maximum size of 20 megabytes.
- **Maximum Log Size (KB)**: This policy setting specifies the maximum size of the log files. In the Local Group Policy Editor and Event Viewer, you can enter values as large as 2 TB. If this setting isn't configured, event logs have a default maximum size of 20 megabytes.
- **Log Access**. This policy setting determines which user accounts have access to log files and what usage rights are granted.
- **Retain old events**. This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events.
- **Backup log automatically when full**. This policy setting controls event log behavior when the log file reaches its maximum size and takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it is full. A new file is then started. If you disable or do not configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded and the old events are retained.
- **Log Access**: This policy setting determines which user accounts have access to log files and what usage rights are granted.
- **Retain old events**: This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events aren't written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events.
- **Backup log automatically when full**: This policy setting controls event log behavior when the log file reaches its maximum size. It takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it's full. A new log file is then started. If you disable or don't configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded, and the old events are retained.
In addition, a growing number of organizations are being required to store archived log files for a number of years. You should consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](https://go.microsoft.com/fwlink/p/?LinkId=163435).
Many organizations are now required to store archived log files for a number of years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](https://go.microsoft.com/fwlink/p/?LinkId=163435).
## <a href="" id="bkmk-5"></a>Deploying the security audit policy
## <a href="" id="bkmk-5"></a>Deploy the security audit policy
Before deploying the audit policy in a production environment, it is critical that you determine the effects of the policy settings that you have configured.
The first step in assessing your audit policy deployment is to create a test environment in a lab and use it to simulate the various use scenarios that you have identified to confirm that the audit settings you have selected are configured correctly and generate the type of results you intend.
Before deploying the audit policy in a production environment, it's critical that you determine the effects of the policy settings that you've configured.
However, unless you are able to run fairly realistic simulations of network usage patterns, a lab setup cannot provide you with accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve:
The first step in assessing your audit policy deployment is to create a test environment in a lab. Use it to simulate the various use scenarios that you identified to confirm that the audit settings you selected are configured correctly and generate the type of results you want.
- A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location.
- A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**.
- A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings.
However, unless you can run fairly realistic simulations of network usage patterns, a lab setup can't provide accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve:
After you have successfully completed one or more limited deployments, you should confirm that the audit data that is collected is manageable with your management tools and administrators. When you have confirmed that the pilot deployment is effective, you need to confirm that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until the production deployment is complete.
- A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location
- A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**
- A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings
After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until production deployment is complete.

19
windows/security/threat-protection/intelligence/criteria.md
View File

@ -18,11 +18,22 @@ search.appverid: met150
# How Microsoft identifies malware and potentially unwanted applications
Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. When you download, install, and run software, you have access to information and tools to do so safely. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. That information is then compared against criteria described in this article.
Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you are protected against known threats and warned about software that is unknown to us.
You can participate in this process by [submitting software for analysis](submission-guide.md) to ensure undesirable software is covered by our security solutions.
You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md)
Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.
The next sections provide an overview of the classifications we use for applications and the types of behaviors that lead to that classification.
>[!NOTE]
> New forms of malware and potentially unwanted applications are being developed and distributed rapidly. The following list may not be comprehensive, and Microsoft reserves the right to adjust, expand, and update these without prior notice or announcement.
## Unknown Unrecognized software
No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates. With almost 2 billion websites on the internet and software continuously being updated and released, it's impossible to have information about every single site and program.
You can think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware, as there is generally a delay from the time new malware is released until it is identified. Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Warnings for unknown software are not blocks, and users can choose to download and run the application normally if they wish to.
Once enough data is gathered, Microsoft's security solutions can make a determination. Either no threats are found, or an application or software is categorized as malware or potentially unwanted software.
## Malware
@ -48,7 +59,7 @@ Microsoft classifies most malicious software into one of the following categorie
* **Obfuscator:** A type of malware that hides its code and purpose, making it more difficult for security software to detect or remove.
* **Password stealer:** A type of malware that gathers your personal information, such as user names and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md).

2
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
View File

@ -2,7 +2,7 @@
title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK)
ms.reviewer:
description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis.
keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, next generation protection
keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success
ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library

28
windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
View File

@ -1,6 +1,6 @@
---
title: Optimize ASR rule deployment and detections
description: Ensure your attack surface reduction (ASR) rules are fully optimized to identify and prevent typical actions taken by malware during the exploitation phase.
description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits.
keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -23,33 +23,31 @@ ms.topic: article
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink).
[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives.
![Attack surface management card](images/secconmgmt_asr_card.png)<br>
*Attack surface management card*
The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to:
The *Attack surface management card* is an entry point to tools in Microsoft 365 security center that you can use to:
* Understand how ASR rules are currently deployed in your organization
* Review ASR detections and identify possible incorrect detections
* Analyze the impact of exclusions and generate the list of file paths to exclude
* Understand how ASR rules are currently deployed in your organization.
* Review ASR detections and identify possible incorrect detections.
* Analyze the impact of exclusions and generate the list of file paths to exclude.
Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
Select **Go to attack surface management** > **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)<br>
*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center*
The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*
> [!NOTE]
> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions)
> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions).
For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections)
For more information about ASR rule deployment in Microsoft 365 security center, see [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections).
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
## Related topics
**Related topics**
* [Ensure your machines are configured properly](configure-machines.md)
* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)

50
windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
View File

@ -1,6 +1,6 @@
---
title: Interactive logon Prompt user to change password before expiration (Windows 10)
description: Best practices, security considerations, and more for the security policy setting, Interactive logon Prompt user to change password before expiration.
title: Interactive log-on prompt user to change password before expiration (Windows 10)
description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration.
ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9
ms.reviewer:
ms.author: dansimp
@ -17,52 +17,52 @@ ms.topic: conceptual
ms.date: 04/19/2017
---
# Interactive logon: Prompt user to change password before expiration
# Interactive log on: Prompt the user to change passwords before expiration
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting.
This article describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting.
## Reference
The **Interactive logon: Prompt user to change password before expiration** policy setting determines how many days in advance users are warned that their passwords are about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong.
This policy setting determines when users are warned that their passwords are about to expire. This warning gives users time to select a strong password before their current password expires to avoid losing system access.
### Possible values
- A user-defined number of days from 0 through 999.
- Not defined.
- A user-defined number of days from 0 through 999
- Not defined
### Best practices
1. Configure user passwords to expire periodically. Users will need warning that their passwords are going to expire, or they might inadvertently get locked out of the system. This could lead to confusion for users who access the network locally, or make it impossible for users who access the network through dial-up or virtual private network (VPN) connections to log on.
2. Set **Interactive logon: Prompt user to change password before expiration** to 5 days. When their password expiration date is 5 or fewer days away, users will see a dialog box each time they log on to the domain.
3. Do not set the value to 0, which results in displaying the password expiration warning every time the user logs on.
- Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system.
- Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain.
- Don't set the value to zero, which displays the password expiration warning every time the user logs on.
### Location
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options
*Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options*
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
The following table lists the default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| Server type or Group Policy Object | Default value |
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | 5 days|
| DC Effective Default Settings | 5 days |
| Member Server Effective Default Settings| 5 days |
| Client Computer Effective Default Settings | 5 days|
| Stand-Alone Server Default Settings | Five days|
| DC Effective Default Settings | Five days |
| Member Server Effective Default Settings| Five days |
| Client Computer Effective Default Settings | Five days|
## Policy management
This section describes features and tools that are available to help you manage this policy.
This section describes features and tools that you can use to manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
### Policy conflict considerations
@ -70,24 +70,24 @@ None.
### Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
Configure this policy setting by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, it can be configured on the local computer through the Local Security Policy snap-in.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and possible negative consequences of the countermeasure.
### Vulnerability
If user passwords are configured to expire periodically in your organization, users need to be warned when this is about to happen, or they may be locked out of the device inadvertently when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections.
If user passwords are configured to expire periodically in your organization, users need to be warned before expiration. Otherwise, they may get locked out of the devices inadvertently.
### Countermeasure
Configure the **Interactive logon: Prompt user to change password before expiration** setting to 5 days.
Configure the **Interactive logon: Prompt user to change password before expiration** setting to five days.
### Potential impact
Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.
Users see a dialog-box that prompts them to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.
## Related topics
- [Security Options](security-options.md)
- [Security options](security-options.md)

44
windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
View File

@ -1,6 +1,6 @@
---
title: Microsoft network client Digitally sign communications (always) (Windows 10)
description: Best practices, security considerations and more for the security policy setting, Microsoft network client Digitally sign communications (always).
description: Best practices and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
ms.reviewer:
manager: dansimp
@ -20,46 +20,46 @@ ms.date: 06/28/2018
- Windows 10
- Windows Server
Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.
This article describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.
## Reference
The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets.
The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports digital signing of SMB packets.
Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data access failure.
Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." Misuse of these policy settings is a common error that can cause data access failure.
Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
Beginning with SMBv2 clients and servers, signing can be either *required* or *not required*. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md).
There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2.
Negotiation occurs between the SMB client and the SMB server to decide whether signing will be used. The following table shows the effective behavior for SMBv3 and SMBv2.
| | Server Required | Server Not Required |
| | Server required | Server not required |
|---------------------------|---------------------|------------------------|
| **Client Required** | Signed | Signed |
| **Client Not Required** | Signed <sup>1</sup> | Not Signed<sup>2</sup> |
| **Client required** | Signed | Signed |
| **Client not required** | Signed <sup>1</sup> | Not signed<sup>2</sup> |
</br>
<sup>1</sup> Default for domain controller SMB traffic</br>
<sup>2</sup> Default for all other SMB traffic
Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact).
Performance of SMB signing is improved in SMBv2. For more information, see [Potential impact](#potential-impact).
### Possible values
- Enabled
- Disabled
### Best practices
### Best practice
Enable **Microsoft network client: Digitally sign communications (always)**.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
*Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options*
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
The following table lists the default values for this policy. Default values are also listed on the policys property page.
| Server type or GPO | Default value |
| - | - |
@ -72,33 +72,33 @@ The following table lists the actual and effective default values for this polic
## Policy management
This section describes features and tools that are available to help you manage this policy.
This section describes features and tools that you can use to manage this policy.
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure.
### Vulnerability
Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data.
Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it to make the server perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data.
SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place.
SMB is the resource-sharing protocol that's supported by many versions of the Windows operating system. It's the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't happen.
### Countermeasure
Enable **Microsoft network client: Digitally sign communications (always)**.
>[!NOTE]
>An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing.
> [!NOTE]
> An alternative countermeasure that could protect all network traffic is to implement digital signatures through IPsec. There are hardware-based accelerators for IPsec encryption and signing that can be used to minimize the performance impact on servers. No such accelerators are available for SMB signing.
### Potential impact
Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater.
Storage speeds affect performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage for signing. If you're using a 1-Gb Ethernet network or slower storage speed with a modern CPU, there's limited degradation in performance. If you're using a faster network (such as 10 Gb), the performance impact of signing may be greater.
## Related topics
- [Security Options](security-options.md)
- [Security options](security-options.md)

44
windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
View File

@ -1,6 +1,6 @@
---
title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10)
description: Best practices and more for the security policy setting, Network Security Allow PKU2U authentication requests to this computer to use online identities.
description: Best practices for the Network Security Allow PKU2U authentication requests to this computer to use online identities security setting.
ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926
ms.reviewer:
ms.author: dansimp
@ -22,45 +22,41 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting.
This article describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting.
## Reference
Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system, and it supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs.
Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system. It supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs.
When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that's used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When it's validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
> [!Note]
> The ability to link online IDs can be performed by anyone with an account that has standard users credentials through **Credential Manager**.
> [!NOTE]
> Linking online IDs can be performed by anyone who has an account that has standard users credentials through Credential Manager.
This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later.
This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later.
### Possible values
- **Enabled**
- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes.
> [!NOTE]
> KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server.
> [!Note]
> KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fails. To resolve this, enable PKU2U on the Server.
- **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
- **Disabled**
This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship.
- Not set. Not configuring this policy prevents online IDs from being used to authenticate the user. This is the default on domain-joined devices
- ***Not set***: Not configuring this policy prevents online IDs from being used to authenticate the user. This option is the default on domain-joined devices.
### Best practices
Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or do not configure this policy to exclude online identities from being used to authenticate.
Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate.
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
*Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options*
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
The following table lists the effective default values for this policy. Default values are also listed on the policys property page.
| Server type or Group Policy Object (GPO) | Default value |
| - | - |
@ -73,20 +69,20 @@ The following table lists the actual and effective default values for this polic
## Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure.
### Vulnerability
Enabling this policy setting allows a users account on one computer to be associated with an online identity, such as Microsoft Account, so that account can log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this is beneficial for workgroups or home groups, using this feature in a domain-joined environment might circumvent your established security policies.
Enabling this policy setting allows a users account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is beneficial for workgroups or home groups. But in a domain-joined environment, it might circumvent established security policies.
### Countermeasure
Set this policy to Disabled or do not configure this security policy for domain-joined devices.
Set this policy to *Disabled* or don't configure this security policy for domain-joined devices.
### Potential impact
If you do not set or disable this policy, the PKU2U protocol will not be used to authenticate between peer devices, which forces users to follow domain defined access control policies. If you enable this policy, you will allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. This will allow users to share resources between devices
If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices.
## Related topics
- [Security Options](security-options.md)
- [Security options](security-options.md)