Threat Protection - Windows 10
Threat protection
Overview
What is Microsoft Defender Advanced Threat Protection?
Overview of Microsoft Defender ATP capabilities
Threat & Vulnerability Management
Next-generation capabilities
Supported operating systems and platforms
What's in the dashboard and what it means for my organization
Exposure score
Configuration score
Security recommendation
Remediation and exception
Software inventory
Weaknesses
Scenarios
Attack surface reduction
Overview of attack surface reduction
Hardware-based isolation
Hardware-based isolation in Windows 10
Application isolation
Application guard overview
System requirements
System integrity
Application control
Exploit protection
Network protection
Web protection
Web protection overview
Monitor web security
Respond to web threats
Controlled folder access
Attack surface reduction
Network firewall
Next generation protection
Better together: Windows Defender Antivirus and Microsoft Defender ATP
Endpoint detection and response
Endpoint detection and response overview
Security operations dashboard
Incidents queue
View and organize the Incidents queue
Manage incidents
Investigate incidents
Alerts queue
View and organize the Alerts queue
Manage alerts
Investigate alerts
Investigate files
Investigate machines
Investigate an IP address
Investigate a ___domain
Investigate connection events that occur behind forward proxies
Investigate a user account
Machines list
View and organize the Machines list
Manage machine group and tags
Take response actions
Take response actions on a machine
Response actions on machines
Manage tags
Initiate Automated investigation
Initiate Live Response session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machines from the network
Consult a threat expert
Check activity details in Action center
Take response actions on a file
Response actions on files
Stop and quarantine files in your network
Restore file from quarantine
Add indicators to block or allow a file
Consult a threat expert
Check activity details in Action center
Download or collect file
Deep analysis
Submit files for analysis
View deep analysis reports
Troubleshoot deep analysis
Investigate entities using Live response
Investigate entities on machines
Live response command examples
Automated investigation and remediation
Automated investigation and remediation overview
Learn about the automated investigation and remediation dashboard
Manage actions related to automated investigation and remediation
Secure score
Threat analytics
Advanced hunting
Advanced hunting overview
Learn the query language
Use shared queries
Advanced hunting schema reference
Understand the schema
AlertEvents
DeviceFileEvents
DeviceImageLoadEvents
DeviceLogonEvents
DeviceInfo
DeviceNetworkInfo
DeviceEvents
DeviceNetworkEvents
DeviceProcessEvents
DeviceRegistryEvents
DeviceTvmSoftwareInventoryVulnerabilities
DeviceTvmSoftwareVulnerabilitiesKB
DeviceTvmSecureConfigurationAssessment
DeviceTvmSecureConfigurationAssessmentKB
Apply query best practices
Stream advanced hunting events to Azure Event Hubs
Custom detections
Understand custom detection rules
Create and manage custom detections rules
Management and APIs
Overview of management and APIs
Understand threat intelligence concepts
Managed security service provider support
Integrations
Microsoft Defender ATP integrations
Protect users, data, and devices with conditional access
Microsoft Cloud App Security integration overview
Information protection in Windows overview
Windows integration
Use sensitivity labels to prioritize incident response
Microsoft Threat Experts
Portal overview
Microsoft Defender ATP for US Government Community Cloud High customers
Get started
What's new in Microsoft Defender ATP
Minimum requirements
Validate licensing and complete setup
Evaluation lab
Preview features
Data storage and privacy
Assign user access to the portal
Evaluate Microsoft Defender ATP
Attack surface reduction and next-generation capability evaluation
Attack surface reduction and next-generation evaluation overview
Hardware-based isolation
Application control
Exploit protection
Network Protection
Controlled folder access
Attack surface reduction
Network firewall
Evaluate next generation protection
Access the Windows Defender Security Center Community Center
Configure and manage capabilities
Configure attack surface reduction
Attack surface reduction configuration settings
Hardware-based isolation
System isolation
Application isolation
Install Windows Defender Application Guard
Application control
Device control
Control USB devices
Device Guard
Code integrity
Memory integrity
Exploit protection
Enable exploit protection
Import/export configurations
Network protection
Controlled folder access
Attack surface reduction controls
Enable attack surface reduction rules
Customize attack surface reduction
Network firewall
Configure next generation protection
Configure Windows Defender Antivirus features
Utilize Microsoft cloud-delivered protection
Enable cloud-delivered protection
Specify the cloud-delivered protection level
Configure and validate network connections
Prevent security settings changes with tamper protection
Enable Block at first sight
Configure the cloud block timeout period
Configure behavioral, heuristic, and real-time protection
Configuration overview
Detect and block Potentially Unwanted Applications
Enable and configure always-on protection and monitoring
Antivirus on Windows Server 2016
Antivirus compatibility
Compatibility charts
Use limited periodic antivirus scanning
Deploy, manage updates, and report on antivirus
Preparing to deploy
Deploy and enable antivirus
Deployment guide for VDI environments
Report on antivirus protection
Review protection status and alerts
Troubleshoot antivirus reporting in Update Compliance
Manage updates and apply baselines
Learn about the different kinds of updates
Manage protection and security intelligence updates
Manage when protection updates should be downloaded and applied
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and VMs
Customize, initiate, and review the results of scans and remediation
Configuration overview
Configure and validate exclusions in antivirus scans
Exclusions overview
Configure and validate exclusions based on file name, extension, and folder ___location
Configure and validate exclusions for files opened by processes
Configure antivirus exclusions on Windows Server 2016
Configure scanning antivirus options
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of an offline scan
Restore quarantined files
Manage antivirus in your business
Management overview
Use Group Policy settings to configure and manage antivirus
Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus
Use PowerShell cmdlets to configure and manage antivirus
Use Windows Management Instrumentation (WMI) to configure and manage antivirus
Use the mpcmdrun.exe commandline tool to configure and manage antivirus
Manage scans and remediation
Management overview
Configure and validate exclusions in antivirus scans
Exclusions overview
Configure and validate exclusions based on file name, extension, and folder ___location
Configure and validate exclusions for files opened by processes
Configure antivirus exclusions on Windows Server 2016
Configure scanning options
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of an offline scan
Restore quarantined files
Manage next generation protection in your business
Management overview
Use Microsoft Intune and System Center Configuration Manager to manage next generation protection
Use Group Policy settings to manage next generation protection
Use PowerShell cmdlets to manage next generation protection
Use Windows Management Instrumentation (WMI) to manage next generation protection
Use the mpcmdrun.exe command line tool to manage next generation protection
Microsoft Defender Advanced Threat Protection for Mac
What's New
Deploy
Microsoft Intune-based deployment
JAMF-based deployment
Deployment with a different Mobile Device Management (MDM) system
Manual deployment
Update
Configure
Configure and validate exclusions
Set preferences
Detect and block Potentially Unwanted Applications
Troubleshoot
Troubleshoot performance issues
Troubleshoot kernel extension issues
Privacy
Resources
Configure Secure score dashboard security controls
Configure and manage Microsoft Threat Experts capabilities
Management and API support
Onboard devices to the service
Onboard machines to Microsoft Defender ATP
Onboard previous versions of Windows
Onboard Windows 10 machines
Onboarding tools and methods
Onboard machines using Group Policy
Onboard machines using System Center Configuration Manager
Onboard machines using Mobile Device Management tools
Onboard machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Onboard servers
Onboard non-Windows machines
Onboard machines without Internet access
Run a detection test on a newly onboarded machine
Run simulated attacks on machines
Configure proxy and Internet connectivity settings
Create an onboarding or offboarding notification rule
Troubleshoot onboarding issues
Troubleshoot issues during onboarding
Troubleshoot subscription and portal access issues
Microsoft Defender ATP API
Microsoft Defender ATP API license and terms
Get started with Microsoft Defender ATP APIs
Introduction
Hello World
Get access with application context
Get access with user context
Get partner application access
APIs
Supported Microsoft Defender ATP APIs
Advanced Hunting
Alert
Machine
Machine Action
Indicators
Domain
File
IP
User
How to use APIs - Samples
Microsoft Flow
Power BI
Advanced Hunting using Python
Advanced Hunting using PowerShell
Using OData Queries
Windows updates (KB) info
Get KbInfo collection
Common Vulnerabilities and Exposures (CVE) to KB map
Get CVE-KB map
Pull detections to your SIEM tools
Learn about different ways to pull detections
Enable SIEM integration
Configure Splunk to pull detections
Configure HP ArcSight to pull detections
Microsoft Defender ATP detection fields
Pull detections using SIEM REST API
Troubleshoot SIEM tool integration issues
Reporting
Power BI - How to use API - Samples
Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)
Threat protection reports
Machine health and compliance reports
Partners & APIs
Partner applications
Connected applications
API explorer
Manage machine configuration
Ensure your machines are configured properly
Monitor and increase machine onboarding
Increase compliance to the security baseline
Optimize ASR rule deployment and detections
Role-based access control
Manage portal access using RBAC
Create and manage roles
Create and manage machine groups
Using machine groups
Create and manage machine tags
Configure managed security service provider (MSSP) support
Configure Microsoft threat protection integration
Configure conditional access
Configure Microsoft Cloud App Security integration
Configure information protection in Windows
Configure portal settings
Set up preferences
General
Update data retention settings
Configure alert notifications
Enable and create Power BI reports using Windows Defender Security center data
Enable Secure score security controls
Configure advanced features
Permissions
Use basic permissions to access the portal
Manage portal access using RBAC
Create and manage roles
Create and manage machine groups
APIs
Enable Threat intel (Deprecated)
Enable SIEM integration
Rules
Manage suppression rules
Manage indicators
Manage automation file uploads
Manage automation folder exclusions
Machine management
Onboarding machines
Offboarding machines
Configure Microsoft Defender Security Center time zone settings
Troubleshoot Microsoft Defender ATP
Troubleshoot sensor state
Check sensor state
Fix unhealthy sensors
Inactive machines
Misconfigured machines
Review sensor events and errors on machines with Event Viewer
Troubleshoot Microsoft Defender ATP service issues
Troubleshoot service issues
Check service health
Troubleshoot live response issues
Troubleshoot issues related to live response
Troubleshoot attack surface reduction
Network protection
Attack surface reduction rules
Troubleshoot next generation protection
Security intelligence
Understand malware & other threats
Prevent malware infection
Malware names
Coin miners
Exploits and exploit kits
Fileless threats
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Industry antivirus tests
Industry collaboration programs
Virus information alliance
Microsoft virus initiative
Coordinated malware eradication
Information for developers
Software developer FAQ
Software developer resources
Windows Certifications
FIPS 140 Validations
Common Criteria Certifications
More Windows 10 security
The Windows Security app
Customize the Windows Security app for your organization
Hide Windows Security app notifications
Manage Windows Security app in Windows 10 in S mode
Virus and threat protection
Account protection
Firewall and network protection
App and browser control
Device security
Device performance and health
Family options
Windows Defender SmartScreen
Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
Set up and use Windows Defender SmartScreen on individual devices
Windows Defender Device Guard: virtualization-based security and WDAC
Control the health of Windows 10-based devices
Mitigate threats by using Windows 10 security features
Override Process Mitigation Options to help enforce app-related security policies
Use Windows Event Forwarding to help with intrusion detection
Block untrusted fonts in an enterprise
Security auditing
Basic security audit policies
Create a basic audit policy for an event category
Apply a basic audit policy on a file or folder
View the security event log
Basic security audit policy settings
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Advanced security audit policies
Planning and deploying advanced security audit policies
Advanced security auditing FAQ
Which editions of Windows support advanced audit policy configuration
How to list XML elements in <EventData>
Using advanced security auditing options to monitor dynamic access control objects
Advanced security audit policy settings
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Audit DPAPI Activity
Audit PNP Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Account Lockout
Audit User/Device Claims
Audit Group Membership
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Audit Sensitive Privilege Use
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Other Events
Appendix A: Security monitoring recommendations for many audit events
Registry (Global Object Access Auditing)
File System (Global Object Access Auditing)
Security policy settings
Administer security policy settings
Network List Manager policies
Configure security policy settings
Security policy settings reference
Account Policies
Password Policy
Account Lockout Policy
Kerberos Policy
Audit Policy
Security Options
Accounts: Administrator account status
Accounts: Block Microsoft accounts
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
Interactive logon: Don't display last signed-in
Interactive logon: Don't display username at sign-in
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case ___domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
SMBv1 Microsoft network client: Digitally sign communications (always)
SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Attempt S4U2Self to obtain claim information
Microsoft network server: Digitally sign communications (always)
SMBv1 Microsoft network server: Digitally sign communications (always)
SMBv1 Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Restrict clients allowed to make remote calls to SAM
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Allow PKU2U authentication requests to this computer to use online identities
Network security: Configure encryption types allowed for Kerberos
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this ___domain
Network security: Restrict NTLM: Audit incoming NTLM traffic
Network security: Restrict NTLM: Audit NTLM authentication in this ___domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this ___domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
System settings: Optional subsystems
System settings: Use certificate rules on Windows executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
Advanced security audit policy settings
User Rights Assignment
Access Credential Manager as a trusted caller
Access this computer from the network
Act as part of the operating system
Add workstations to ___domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects
Windows security guidance for enterprises
Windows security baselines
Security Compliance Toolkit
Get support
MBSA removal and alternatives
Windows 10 Mobile security guide
Change history for Threat protection
Threat Protection
12/11/2019 • 2 minutes to read
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is a unified platform for preventative
protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects
endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and
improves security posture.
NOTE
Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be
available for a few weeks. View the Secure score page.
Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your
enterprise network, identify unprotected systems, and take recommended actions to improve the overall security
of your organization.
Asset inventory
Recommended improvement actions
Secure score
Threat analytics
Microsoft Threat Experts
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and
additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond
to threats quickly and accurately.
Targeted attack notification
Experts-on-demand
Configure your Microsoft Threat Protection managed hunting service
Management and APIs
Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
Onboarding
API and SIEM integration
Exposed APIs
Role-based access control (RBAC)
Reporting and trends
Integration with Microsoft solutions
Microsoft Defender ATP directly integrates with various Microsoft solutions, including:
Intune
Office 365 ATP
Azure ATP
Azure Security Center
Skype for Business
Microsoft Cloud App Security
Microsoft Threat Protection
With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified
pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and
applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
Microsoft Defender Advanced Threat Protection
12/24/2019 • 3 minutes to read
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent,
detect, investigate, and respond to advanced threats.
Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's
robust cloud service:
Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral
signals from the operating system and send this sensor data to your private, isolated cloud instance of
Microsoft Defender ATP.
Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the
Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals
are translated into insights, detections, and recommended responses to advanced threats.
Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat
intelligence provided by partners, threat intelligence enables Microsoft Defender ATP to identify attacker
tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.
TIP
Learn about the latest enhancements in Microsoft Defender ATP: What's new in Microsoft Defender ATP.
Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
NOTE
Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be
available for a few weeks. View the Secure score page.
Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your
enterprise network, identify unprotected systems, and take recommended actions to improve the overall security
of your organization.
Microsoft Threat Experts
Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and
additional context and insights that further empower Security operation centers (SOCs) to identify and respond
to threats quickly and accurately.
Management and APIs
Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
Integration with Microsoft solutions
Microsoft Defender ATP directly integrates with various Microsoft solutions, including:
Intune
Office 365 ATP
Azure ATP
Azure Security Center
Skype for Business
Microsoft Cloud App Security
Microsoft Threat Protection
With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified
pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and
applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
In this section
To help you maximize the effectiveness of the security platform, you can configure individual capabilities that
surface in Microsoft Defender Security Center.
Minimum requirements: Learn about the requirements of the platform and the initial steps you need to take to get started with Microsoft Defender ATP.
Configure and manage capabilities: Configure and manage the individual capabilities in Microsoft Defender ATP.
Troubleshoot Microsoft Defender ATP: Learn how to address issues that you might encounter while using the platform.
Related topic
Microsoft Defender ATP helps detect sophisticated threats
Overview of Microsoft Defender ATP capabilities
12/11/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the
complete threat protection platform.
TIP
Learn about the latest enhancements in Microsoft Defender ATP: What's new in Microsoft Defender ATP.
Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
In this section
Threat & Vulnerability Management: Reduce organizational vulnerability exposure and increase threat resilience while seamlessly connecting workflows across security stakeholders (security administrators, security operations, and IT administrators) in remediating threats.
Attack surface reduction: Leverage exploit protection, attack surface reduction rules, and other capabilities to protect the perimeter of your organization. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs.
Next generation protection: Learn about the antivirus capabilities in Microsoft Defender ATP so you can protect desktops, portable computers, and servers.
Endpoint detection and response: Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats.
Automated investigation and remediation: In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
Secure score: Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization, all in one place.
Microsoft Threat Experts: Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand.
Management and APIs: Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows.
Microsoft Threat Protection: Microsoft security products work better together. Learn how Microsoft Defender ATP works with other Microsoft security solutions.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security
program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for
reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
It helps organizations discover vulnerabilities and misconfigurations in real time, based on sensors, without the
need for agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your
organization, sensitive information on vulnerable devices, and business context.
Next-generation capabilities
Threat & Vulnerability Management is built-in, real-time, cloud-powered, and fully integrated with the Microsoft
endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase.
It is the first solution in the industry to bridge the gap between security administration and IT administration
during the remediation process. It does so by creating a security task or ticket through integration with Microsoft
Intune and Microsoft System Center Configuration Manager (SCCM).
It provides the following solutions to frequently cited gaps across security operations, security administration,
and IT administration workflows and communication:
Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
Linked machine vulnerability and security configuration assessment data in the context of exposure
discovery
Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration
Manager
Real-time discovery
To discover endpoint vulnerabilities and misconfigurations, Threat & Vulnerability Management uses the same
agentless built-in Microsoft Defender ATP sensors, which reduces cumbersome network scans and IT overhead, and
provides:
Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push
vulnerability and security configuration data to the dashboard.
Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software
changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with
actionable mitigation recommendations for 1st and 3rd party applications.
Application runtime context. Visibility into application usage patterns for better prioritization and
decision-making.
Configuration posture. Visibility into organizational security configurations or misconfigurations. Issues are
reported in the dashboard with actionable security recommendations.
Intelligence-driven prioritization
Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the
most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores,
Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that
need attention by fusing its security recommendations with dynamic threat and business context:
Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform,
Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to
focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the
highest risk.
Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and
EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an
active breach within the organization.
Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection
allows Threat & Vulnerability Management to identify the exposed machines with business-critical
applications, confidential data, or high-value users.
Seamless remediation
Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT
administrators to collaborate seamlessly to remediate issues.
Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and
System Center Configuration Manager (SCCM), security administrators can create a remediation task in
Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT
security management platforms.
Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such
as configuration changes that can reduce risk associated with software vulnerabilities.
Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and
progress of remediation activities across the organization.
Related topics
Supported operating systems and platforms
Threat & Vulnerability Management dashboard overview
Exposure score
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
Configure data access for Threat & Vulnerability Management roles
Threat & Vulnerability Management supported operating systems and platforms
12/10/2019
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Before you begin, ensure that you meet the following operating system or platform requisites for Threat &
Vulnerability Management so the activities in your devices are properly accounted for.
Some of the above prerequisites might be different from the Minimum requirements for Microsoft Defender ATP
list.
Related topics
Risk-based Threat & Vulnerability Management
Exposure score
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
Configure data access for Threat & Vulnerability Management roles
Threat & Vulnerability Management dashboard overview
1/2/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security
administrators and security operations teams with unique value, including:
Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
Invaluable machine vulnerability context during incident investigations
Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration
Manager (SCCM)
You can use the Threat & Vulnerability Management capability in Microsoft Defender Security Center to:
View exposure and configuration scores side-by-side with top security recommendations, software
vulnerability, remediation activities, and exposed machines
Correlate EDR insights with endpoint vulnerabilities and process them
Select remediation options, triage and track the remediation tasks
Select exception options and track active exceptions
You can navigate through the portal using the menu options available in all sections. Refer to the following table
for a description of each section.
AREA | DESCRIPTION
(1) Menu | Select the menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the Threat & Vulnerability Management Dashboard, Security recommendations, Remediation, Software inventory, and Weaknesses.
Software inventory | See the list of software, versions, weaknesses, whether there's an exploit found for the software, whether the software or software version has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page, which shows the associated vulnerabilities, misconfigurations, affected machines, version distribution details, and missing KBs or security updates. See Software inventory for more information.
(3) Threat & Vulnerability Management dashboard | Access the Exposure score, Configuration score, Exposure distribution, Top security recommendations, Top vulnerable software, Top remediation activities, and Top exposed machines.
Selected machine groups (#/#) | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability Management pages only.
Organization Exposure score | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, the likelihood of your devices being breached, the value of the devices to your organization, and relevant alerts discovered on your devices. The goal is to lower your organization's exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. See Exposure score for more information.
Organization Configuration score | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars to go to the Security recommendation page for details. See Configuration score for more information.
Machine exposure distribution | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart to go to the Machines list page, where you'll see the affected machine names, exposure level side by side with risk level, and other details such as ___domain, operating system platform, health state, when it was last seen, and its tags.
Top security recommendations | See the collated security recommendations, sorted and prioritized based on your organization's risk exposure and the urgency they require. Icons also quickly call your attention to possible active alerts, associated public exploits, and recommendation insights.
Top vulnerable software | Get real-time visibility into the organizational software inventory, with a stack-ranked list of vulnerable software installed on your network's devices and how it affects your organizational exposure score. Click each item for details, or click Show more to see the rest of the vulnerable software list in the Software inventory page.
Top remediation activities | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the Remediation page, or click Show more to see the rest of the remediation activities and active exceptions.
Top exposed machines | See the exposed machine names and their exposure level. You can click each machine name in the list to go to the machine page, where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machine. You can also do other EDR-related tasks there, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run an antivirus scan, restrict app execution, and isolate the machine. You can also click Show more to see the rest of the exposed machines list.
NOTE
Machines with no alerts seen in the last 30 days do not count towards the exposure score of Threat & Vulnerability
Management.
See Microsoft Defender ATP icons for more information on the icons used throughout the portal.
Related topics
Supported operating systems and platforms
Risk-based Threat & Vulnerability Management
Exposure score
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
Configure data access for Threat & Vulnerability Management roles
Exposure score
1/2/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Your exposure score reflects how vulnerable your organization is to cybersecurity threats. A low exposure score
means your machines are less vulnerable to exploitation.
The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart give
you a visual indication of high cybersecurity threat exposure that you can investigate further.
How it works
Several factors affect your organization's exposure score:
Weakness discovered on the device
Likelihood of a device getting breached
Value of the device to the organization
Relevant alert discovered on the device
Reduce the exposure score by addressing what needs to be remediated based on the prioritized security
recommendations. See Security recommendations for details.
Related topics
Supported operating systems and platforms
Risk-based Threat & Vulnerability Management
Threat & Vulnerability Management dashboard overview
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
Configure data access for Threat & Vulnerability Management roles
Configuration score
11/28/2019
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be
available for a few weeks.
The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over
the security posture of your organization based on security best practices. A high configuration score means your
endpoints are more resilient to cybersecurity attacks.
Your configuration score widget shows the collective security configuration state of your machines across the
following categories:
Application
Operating system
Network
Accounts
Security controls
How it works
NOTE
Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support,
configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator
to verify the actual configuration status in case your organization is using Intune for secure configuration management.
The data in the configuration score widget is the product of a meticulous and ongoing vulnerability discovery
process aggregated with configuration discovery assessments that continuously:
Compare collected configurations to the collected benchmarks to discover misconfigured assets
Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by
remediating the misconfiguration
Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research
teams)
Collect and monitor changes of security control configuration state from all assets
From the widget, you can see which security aspect requires attention. You can click the configuration
score categories to go to the Security recommendations page, where you can see more details and
understand the context of the issue. From there, you can act on them based on security benchmarks.
IMPORTANT
To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy
them in your network:
19H1 customers | KB 4512941
RS5 customers | KB 4516077
RS4 customers | KB 4516045
RS3 customers | KB 4516071
To download the security updates:
1. Go to the Microsoft Update Catalog.
2. Enter the KB number of the security update that you need to download, then click Search.
Related topics
Supported operating systems and platforms
Risk-based Threat & Vulnerability Management
Threat & Vulnerability Management dashboard overview
Exposure score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Scenarios
Configure data access for Threat & Vulnerability Management roles
Security recommendation
1/8/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
TIP
Want to experience Microsoft Defender ATP? Sign up for a free trial.
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The cybersecurity weaknesses identified in your organization are mapped to actionable security
recommendations and prioritized by their impact on the security recommendation list. Prioritized
recommendations help shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
Each security recommendation includes an actionable remediation recommendation which can be pushed into
the IT task queue through a built-in integration with Microsoft Intune and Microsoft System Center
Configuration Manager (SCCM). It is also dynamic in the sense that when the threat landscape changes, the
recommendation also changes, as it continuously collects information from your environment.
On a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score
side-by-side with your configuration score. The goal is to lower your organization's exposure from
vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity
attacks. The top security recommendations list can help you achieve that goal.
The top security recommendations list shows the improvement opportunities prioritized based on the three
important factors mentioned in the previous section: threat, likelihood to be breached, and value.
You can click on each one of them and see the details, the description, the potential risk if you don't act on or
remediate it, insights, vulnerabilities, other threats found, how many exposed devices are associated with the
security recommendation, and business impact of each security recommendation on the organizational exposure
and configuration score.
From that page, you can do any of the following depending on what you need to do:
Open software page - Drill down and open the software page to get more context of the software details,
prevalence in the organization, weaknesses discovered, version distribution, software or software version
end-of-life, and charts so you can see the exposure trend over time.
Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for
your IT Administrator to pick up and address.
Choose from exception options - Submit an exception, provide justification, and set exception duration if
you can't remediate the issue just yet due to specific business reasons, compensating controls, or if it is a
false positive.
Report inaccuracy
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security
recommendation information in the machine page.
1. Select the Security recommendation tab.
2. Click ⋮ beside the security recommendation that you want to report about, then select Report inaccuracy.
A flyout pane opens.
3. From the flyout pane, select the inaccuracy category from the drop-down menu.
4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
5. Include your machine name for investigation context.
TIP
You can also provide details regarding the inaccuracy you reported in the Tell us more (optional) field to give the
threat and vulnerability management investigators context.
6. Click Submit. Your feedback is immediately sent to the Threat & Vulnerability Management experts with
its context.
Related topics
Supported operating systems and platforms
Risk-based Threat & Vulnerability Management
Threat & Vulnerability Management dashboard overview
Exposure score
Configuration score
Remediation and exception
Software inventory
Weaknesses
Scenarios
Configure data access for Threat & Vulnerability Management roles
Remediation and exception
12/31/2019
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
To use this capability, enable your Microsoft Intune connections. Navigate to Settings > General > Advanced features.
Scroll down and look for Microsoft Intune connection. By default, the toggle is turned off. Turn your Microsoft Intune
connection toggle on.
After your organization's cybersecurity weaknesses are identified and mapped to actionable security
recommendations, you can start creating security tasks through the integration with Microsoft Intune where
remediation tickets are created.
You can lower your organization's exposure from vulnerabilities and increase your security configuration
by remediating the security recommendations.
NOTE
If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to
Intune.
How it works
When you submit a remediation request from Threat & Vulnerability Management, it kicks off a remediation
activity.
It creates a security task which will be tracked in the Threat & Vulnerability Management Remediation page, and it
also creates a remediation ticket in Microsoft Intune.
The dashboard will show the status of your top remediation activities. Click any of the entries to go
to the Remediation page. You can mark the remediation activity as completed after the IT administration
team remediates the task.
Exception justification
If the security recommendation stemmed from a false positive report, or if there is an existing business
justification that blocks the remediation, such as a compensating control, productivity needs, compliance, or if
there's already a planned remediation grace period, you can file an exception and indicate the reason. The
following list details the justifications behind the exception options:
Compensating/alternate control - A 3rd party control that mitigates this recommendation exists, for
example, if a network firewall prevents access to a machine, or third party antivirus
Productivity/business need - Remediation will impact productivity or interrupt business-critical workflow
Accept risk - Poses low risk and/or implementing a compensating control is too expensive
Planned remediation (grace) - Already planned but is awaiting execution or authorization
Other - False positive
Exception visibility
The exceptions you've filed will show up in the Remediation page, in the Exceptions tab. However, you also
have the option to filter your view based on exception justification, type, and status.
Aside from that, there's also an option to Show exceptions at the bottom of the Top security
recommendations card in the dashboard.
Clicking the link opens the Security recommendations page, where you can select the exempted item to see
its details.
Actions on exceptions
Cancel - You can cancel the exceptions you've filed any time
Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list
when dynamic environmental factors change, which adversely affect the exposure impact associated with a
recommendation that had previously been excluded
Exception status
Canceled - The exception has been canceled and is no longer in effect
Expired - The exception that you've filed is no longer in effect
In effect - The exception that you've filed is in progress
Exception impact on scores
Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Secure Score
(for configurations) of your organization in the following manner:
No impact - Removes the recommendation from the lists (which can be reversed through filters), but will not
affect the scores
Mitigation-like impact - As if the recommendation was mitigated (and scores will be adjusted accordingly)
when you select it as a compensating control.
Hybrid - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score
and Secure Score results of the exception option that you chose
The exception impact shows both in the Security recommendations page column and in the flyout pane.
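The intelligence-driven prioritization described earlier (emerging attacks in the wild, active breaches, high-value assets) and the exception impact rules listed above can be illustrated with a small model. This is an added example, not Microsoft code: the weights, the `Weakness` fields, the placeholder CVE identifiers and the sample entries are constructed assumptions, since the page does not publish the product's actual formulas.

```python
"""Illustrative model of Threat & Vulnerability Management prioritization and
exception impact.

Added example, not Microsoft code: the weights, field names and the sample
weaknesses are constructed to show how ranking by threat and business context
differs from ranking by CVSS alone, and how an exception's justification does
or does not change the exposure score.
"""
from dataclasses import dataclass
from typing import List, Optional

# Justifications the docs describe as "mitigation-like": scores are adjusted as if
# the recommendation had been remediated. Any other justification is "no impact":
# the item leaves the recommendation list but still counts towards the score.
MITIGATION_LIKE = {"compensating/alternate control"}


@dataclass
class Weakness:
    """One entry as it might appear on the Weaknesses page (constructed data)."""
    cve: str                    # placeholder identifier, not a real CVE from the page
    cvss: float                 # static severity, 0 to 10
    exposed_machines: int       # machines still running an affected version
    exploited_in_wild: bool     # threat insight: public exploit or live campaign
    active_breach: bool         # breach insight: EDR alert correlated with the CVE
    high_value_machines: int    # exposed machines holding confidential data or users
    exception: Optional[str] = None  # justification text if an exception was filed


def static_priority(w: Weakness) -> float:
    """Severity-only ordering, the approach the docs contrast against."""
    return w.cvss


def contextual_priority(w: Weakness, total_machines: int) -> float:
    """Fuse CVSS with prevalence, threat activity, breach evidence and asset value."""
    if w.exposed_machines == 0:
        return 0.0  # no exposed machines means the org is not at risk from this CVE
    prevalence = w.exposed_machines / total_machines          # 0..1
    threat = 1.0                                              # baseline
    if w.exploited_in_wild:
        threat += 0.5                                         # emerging attacks in the wild
    if w.active_breach:
        threat += 1.0                                         # pinpointing active breaches
    value = 1.0 + w.high_value_machines / w.exposed_machines  # protecting high-value assets
    return w.cvss * prevalence * threat * value


def exception_impact(justification: str) -> str:
    """Map an exception justification to its effect on the scores."""
    return "mitigation-like" if justification.lower() in MITIGATION_LIKE else "no impact"


def ranked_recommendations(weaknesses: List[Weakness], total_machines: int) -> List[str]:
    """Top security recommendations: items without an exception, most urgent first."""
    open_items = [w for w in weaknesses if w.exception is None]
    open_items.sort(key=lambda w: contextual_priority(w, total_machines), reverse=True)
    return [w.cve for w in open_items]


def exposure_score(weaknesses: List[Weakness], total_machines: int) -> float:
    """Sum of contributions; only a mitigation-like exception removes a contribution."""
    total = 0.0
    for w in weaknesses:
        if w.exception and exception_impact(w.exception) == "mitigation-like":
            continue
        total += contextual_priority(w, total_machines)
    return total


# Constructed sample: five weaknesses across an org of 200 onboarded machines.
TOTAL_MACHINES = 200
SAMPLE = [
    Weakness("CVE-PLACEHOLDER-A", 9.8, 10, False, False, 0),
    Weakness("CVE-PLACEHOLDER-B", 7.5, 120, True, True, 30),
    Weakness("CVE-PLACEHOLDER-C", 8.8, 0, True, False, 0),
    Weakness("CVE-PLACEHOLDER-D", 6.5, 150, True, False, 0, "Compensating/alternate control"),
    Weakness("CVE-PLACEHOLDER-E", 5.3, 40, False, False, 40, "Productivity/business need"),
]

if __name__ == "__main__":
    by_cvss = sorted(SAMPLE, key=static_priority, reverse=True)
    print("by CVSS only:  ", [w.cve for w in by_cvss])
    print("context-ranked:", ranked_recommendations(SAMPLE, TOTAL_MACHINES))
    print("exposure score:", round(exposure_score(SAMPLE, TOTAL_MACHINES), 2))
```

Sorting by CVSS alone puts the 9.8 on ten idle machines first; the contextual ranking puts the 7.5 that is both exploited in the wild and tied to an active breach on 120 machines at the top, and the compensating-control exception on D removes its contribution while the productivity exception on E does not.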
Related topics
Supported operating systems and platforms
Risk-based Threat & Vulnerability Management
Threat & Vulnerability Management dashboard overview
Exposure score
Configuration score
Security recommendation
Software inventory
Weaknesses
Scenarios
Configure data access for Threat & Vulnerability Management roles
Software inventory
1/3/2020
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The results of Microsoft Defender ATP Threat & Vulnerability Management's discovery capability are shown on the Software
inventory page. The software inventory includes the name of the product or vendor, the latest version it is on,
and the number of weaknesses and vulnerabilities detected in it.
2. In the Software inventory page, select the software that you want to investigate and a flyout panel opens
up with the same details mentioned above but in a more compact view. You can either dive deeper into the
investigation and select Open software page or flag any technical inconsistencies by selecting Report
inaccuracy.
3. Select Open software page to dive deeper into your software inventory to see how many weaknesses are
discovered in the software, devices exposed, installed machines, version distribution, and the corresponding
security recommendations for the weaknesses and vulnerabilities identified. From the Version distribution
tab, you can also filter the view by Version EOL if you want to see the software versions that have reached
their end-of-life and need to be uninstalled, replaced, or updated.
How it works
For discovery, vulnerability assessment leverages the same set of signals that Microsoft Defender ATP's endpoint
detection and response uses for detection.
Since it is real-time, you will see vulnerability information within minutes of it being discovered. The
engine automatically grabs information from multiple security feeds. In fact, you'll see if a particular
software is connected to a live threat campaign. It also provides a link to a Threat Analytics report as soon as it's
available.
Report inaccuracy
You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated
software inventory information in the machine page.
1. Select the Software inventory tab.
2. Click ⋮ beside the software that you want to report about, and then select Report inaccuracy.
4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
5. Include your machine name for investigation context.
NOTE
You can also provide details regarding the inaccuracy you reported in the Tell us more (optional) field to give the
threat and vulnerability management investigators context.
6. Click Submit. Your feedback is immediately sent to the Threat & Vulnerability Management experts with
its context.
Related topics
Supported operating systems and platforms
Risk-based Threat & Vulnerability Management
Threat & Vulnerability Management dashboard overview
Exposure score
Configuration score
Security recommendation
Remediation and exception
Weaknesses
Scenarios
Configure data access for Threat & Vulnerability Management roles
Weaknesses
12/30/2019
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint
protection to scan and detect vulnerabilities.
The Weaknesses page lists the vulnerabilities found in the infected software running in your organization,
their severity, Common Vulnerability Scoring System (CVSS) rating, their prevalence in your organization,
corresponding breach insights, and threat insights.
IMPORTANT
To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and
deploy them in your network:
19H1 customers | KB 4512941
RS5 customers | KB 4516077
RS4 customers | KB 4516045
RS3 customers | KB 4516071
2. In the Machines list page, select the machine that you want to investigate.
A flyout pane opens with machine details and response action options.
3. In the flyout pane, select Open machine page. A page opens with details and response options for the
machine you want to investigate.
How it works
When new vulnerabilities are released, you want to know how many of your assets are exposed. You can
see the list of vulnerabilities and the details in the Weaknesses page.
If the Exposed Machines column shows 0, that means you are not at risk.
If exposed machines exist, that means you need to remediate the vulnerabilities in those machines because they
put the rest of your assets and your organization at risk.
You can also see the related alert and threat insights in the Threat column.
The breach insights icon is highlighted if there is a vulnerability found in your organization. Prioritize an
investigation because it means there might be a breach in your organization.
The threat insights icons are highlighted if there are associated exploits for the vulnerability found in your
organization. They also show whether the threat is part of an exploit kit, is connected to specific advanced persistent
campaigns or activity groups (for which Threat Analytics report links are provided that you can read), or has
zero-day exploitation news, disclosures, or related security advisories.
NOTE
Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the
threat insight icon and breach insight icon.
Report inaccuracy
You can report a false positive when you see vague, inaccurate, missing, or already remediated vulnerability
information on the machine page.
1. Select the Discovered vulnerabilities tab.
2. Click : (the more options icon) beside the vulnerability that you want to report, and then select Report inaccuracy.
3. From the flyout pane, select the inaccuracy category from the Discovered vulnerability inaccuracy
reason drop-down menu.
4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
5. Include your machine name for investigation context.
NOTE
You can also provide details regarding the inaccuracy you reported in the Tell us more (optional) field to give the
threat and vulnerability management investigators context.
6. Click Submit. Your feedback is immediately sent to the Threat & Vulnerability Management experts with
its context.
Related topics
Supported operating systems and platforms
Risk-based Threat & Vulnerability Management
Threat & Vulnerability Management dashboard overview
Exposure score
Configuration score
Security recommendation
Remediation and exception
Software inventory
Scenarios
Configure data access for Threat & Vulnerability Management roles
Threat & Vulnerability Management scenarios
1/8/2020 • 8 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
NOTE
Threat & Vulnerability Management can also scan machines that run the Windows 7 and Windows Server 2019 operating
systems and detects vulnerabilities addressed on Patch Tuesday.
Have the following mandatory updates installed and deployed in your network to boost your vulnerability
assessment detection rates:
Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you use SCCM, update
your console to the latest May version, 1905
Have at least one security recommendation that can be viewed in the machine page
Are tagged or marked as co-managed
2. The Security recommendations page shows the list of items to remediate. Select the security
recommendation that you need to investigate. When you select a recommendation from the list, a flyout
panel displays a description of what you need to remediate, the number of vulnerabilities, associated
exploits on machines, the number of exposed machines and their machine names, business impact, and a list
of CVEs. Click the Open software page option in the flyout panel.
3. Click Installed machines and select the affected machine from the list to open the flyout panel with the
relevant machine details, exposure and risk levels, alert and incident activities.
4. Click Open machine page to connect to the machine and apply the selected recommendation. See
Investigate machines in the Microsoft Defender ATP Machines list for details.
5. Allow a few hours for the changes to propagate in the system.
6. Review the machine Security recommendation tab again. The recommendation you've chosen to
remediate is removed from the security recommendation list, and the exposure score decreases.
You can improve your security configuration when you remediate issues from the security recommendations list.
As you do so, your configuration score improves, which means your organization becomes more resilient
against cybersecurity threats and vulnerabilities.
1. From the Configuration score widget, select Security controls. The Security recommendations page
opens and shows the list of issues related to security controls.
2. Select the first item on the list. The flyout panel will open with a description of the security controls issue,
a short description of the potential risk, insights, configuration ID, exposed machines, and business
impact. Click Remediation options.
3. Read the description to understand the context of the issue and what to do next. Select a due date, add
notes, and select Export all remediation activity data to CSV so you can attach it to the email that you
send to your IT Administrator for follow-up.
You will see a confirmation message that the remediation task has been created.
5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the
remediation to propagate in the system.
6. Review the machine Configuration score widget again. The number of the security controls issues will
decrease. When you click Security controls to go back to the Security recommendations page, the
item that you have addressed will not be listed there anymore, and your configuration score should
increase.
Request a remediation
NOTE
To use this capability, enable your Microsoft Intune connections. Navigate to Settings > General > Advanced features.
Scroll down and look for Microsoft Intune connection. By default, the toggle is turned off. Turn your Microsoft Intune
connection toggle on.
The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security
and IT Administrators through the remediation request workflow.
Security Administrators like you can ask the IT Administrator to remediate a vulnerability directly from the
Security recommendation pages; the request is sent to Intune.
1. Click a security recommendation you would like to request remediation for, and then click Remediation
options.
2. Select Open a ticket in Intune (for AAD joined devices), select a due date, and add optional notes for
the IT Administrator. Click Submit request.
3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject
the request and start a package deployment.
4. Go to the Remediation page to view the status of your remediation request.
See Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP for details.
NOTE
If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to
Intune.
5. Click Submit. A confirmation message at the top of the page indicates that the exception has been
created.
6. Navigate to the Remediation page under the Threat & Vulnerability Management menu and click
the Exceptions tab to view all your exceptions (current and past).
Use an advanced hunting query to search for machines with High active alerts or a critical CVE public exploit
1. Go to Advanced hunting from the left-hand navigation pane.
2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
3. Enter the following queries:
// Search for machines with High active alerts or Critical CVE public exploit
DeviceTvmSoftwareInventoryVulnerabilities
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB) on CveId
| where IsExploitAvailable == 1 and CvssScore >= 7
| summarize NumOfVulnerabilities=dcount(CveId),
    DeviceName=any(DeviceName) by DeviceId
| join kind=inner (AlertEvents) on DeviceId
| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
    DeviceName=any(DeviceName) by DeviceId, AlertId
| project DeviceName, NumOfVulnerabilities, AlertId
| order by NumOfVulnerabilities desc
After you have identified which software and software versions are vulnerable because of their end-of-life status,
remediate them to lower your organization's exposure to vulnerabilities and advanced persistent threats. See
Remediation and exception for details.
Related topics
Supported operating systems and platforms
Risk-based Threat & Vulnerability Management
Threat & Vulnerability Management dashboard overview
Exposure score
Configuration score
Security recommendations
Remediation and exception
Software inventory
Weaknesses
Advanced hunting overview
All advanced hunting tables
Configure data access for Threat & Vulnerability Management roles
Overview of attack surface reduction
11/19/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and
attacks. Use the following resources to configure protection for the devices and applications in your organization.
ARTICLE | DESCRIPTION
Hardware-based isolation | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
Application control | Use application control so that your applications must earn trust in order to run.
Exploit protection | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
Controlled folder access | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (requires Windows Defender Antivirus).
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender
ATP.
FEATURE | DESCRIPTION
Windows Defender Application Guard | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard's secure container, keeping the desktop PC protected and the attacker away from your enterprise data.
Windows Defender System Guard | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation.
Windows Defender Application Guard overview
11/20/2019 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging
attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy
the playbook that attackers use by making current attack methods obsolete.
Related articles
ARTICLE | DESCRIPTION
System requirements for Windows Defender Application Guard | Specifies the prerequisites necessary to install and use Application Guard.
Prepare and install Windows Defender Application Guard | Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.
Configure the Group Policy settings for Windows Defender Application Guard | Provides info about the available Group Policy and MDM settings.
Testing scenarios using Windows Defender Application Guard | Provides a list of suggested testing scenarios that you can use in your business or organization to test Application Guard in your organization.
Frequently asked questions - Windows Defender Application Guard | Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.
System requirements for Windows Defender
Application Guard
11/19/2019 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach
enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure
employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old,
and newly emerging attacks, to help keep employees productive.
NOTE
Windows Defender Application Guard is not supported on VMs or in VDI environments. For testing and automation on
non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard.
HARDWARE | DESCRIPTION
CPU virtualization extensions | Extended page tables, also called Second Level Address Translation (SLAT), AND either VT-x (Intel) OR AMD-V
Input/Output Memory Management Unit (IOMMU) support | Not required, but strongly recommended
Software requirements
Your environment needs the following software to run Windows Defender Application Guard.
SOFTWARE DESCRIPTION
-OR-
Group Policy
-OR-
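An added example, not code from the Microsoft documentation: a PowerShell check of a machine against the hardware requirements in the table above, plus the install state of the Application Guard optional feature. It assumes Windows 10 with an elevated PowerShell session; the property names come from Get-ComputerInfo and the Win32_DeviceGuard WMI class.

```powershell
# Added example (not from the Microsoft docs page): check this machine against the
# Application Guard hardware requirements listed above and report feature state.
function Test-AppGuardHardware {
    # Get-ComputerInfo exposes the same "Hyper-V Requirements" flags as systeminfo.
    # Caveat: once a hypervisor is already running, these flags come back empty,
    # which itself shows that the hardware supports virtualization.
    $ci = Get-ComputerInfo -Property HyperVRequirementSecondLevelAddressTranslation,
                                     HyperVRequirementVirtualizationFirmwareEnabled,
                                     HyperVRequirementVMMonitorModeExtensions,
                                     HyperVRequirementDataExecutionPreventionAvailable

    # IOMMU is recommended rather than required; Device Guard reports DMA protection
    # as value 3 in AvailableSecurityProperties.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace root\Microsoft\Windows\DeviceGuard
    $iommu = @($dg.AvailableSecurityProperties) -contains 3

    $slat = [bool]$ci.HyperVRequirementSecondLevelAddressTranslation
    $vmx  = [bool]$ci.HyperVRequirementVMMonitorModeExtensions   # VT-x or AMD-V
    $fw   = [bool]$ci.HyperVRequirementVirtualizationFirmwareEnabled

    [pscustomobject]@{
        SLAT                     = $slat
        VTxOrAmdV                = $vmx
        VirtualizationInFirmware = $fw
        IOMMU                    = $iommu
        MeetsRequiredHardware    = $slat -and $vmx -and $fw
    }
}

function Get-AppGuardFeatureState {
    # Installed/Disabled state of the optional feature. Enabling it requires a reboot:
    # Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    (Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).State
}

Test-AppGuardHardware | Format-List
Get-AppGuardFeatureState
```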
In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the
Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must
be trustworthy.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof
and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
Protect and maintain the integrity of the system as it starts up
Validate that system integrity has truly been maintained through local and remote attestation
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM.
Upon request, a management system like Intune or System Center Configuration Manager can acquire them for
remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management
system can take a series of actions, such as denying the device access to resources.
Application Control
11/19/2019 • 4 minutes to read
Applies to:
Windows 10
Windows Server 2016
Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—
signature-based detection to fight against malware—provides an inadequate defense against new attacks.
In most organizations, information is the most valuable asset, and ensuring that only approved users have access to
that information is imperative. However, when a user runs a process, that process has the same level of access to
data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the
organization if a user knowingly or unknowingly runs malicious software.
Application control can help mitigate these types of security threats by restricting the applications that users are
allowed to run and the code that runs in the System Core (kernel). Application control policies can also block
unsigned scripts and MSIs, and restrict Windows PowerShell to run in Constrained Language Mode.
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has
an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an
application trust model where all applications are assumed trustworthy to one where applications must earn trust
in order to run. Many organizations, like the Australian Signals Directorate, understand this and frequently cite
application control as one of the most effective means for addressing the threat of executable file-based malware
(.exe, .dll, etc.).
NOTE
Although application control can significantly harden your computers against malicious code, we recommend that you
continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
Windows 10 includes two technologies that can be used for application control depending on your organization's
specific scenarios and requirements:
Windows Defender Application Control; and
AppLocker
NOTE
Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies.
WDAC policies apply to the managed computer as a whole and affect all users of the device. WDAC rules can be
defined based on:
Attributes of the codesigning certificate(s) used to sign an app and its binaries;
Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and
version, or the hash of the file;
The reputation of the app as determined by Microsoft's Intelligent Security Graph;
The identity of the process that initiated the installation of the app and its binaries (managed installer);
The path from which the app or file is launched (beginning with Windows 10 version 1903);
The process that launched the app or binary.
WDAC System Requirements
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016
and above. They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and
optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. Group Policy can also be
used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above.
AppLocker
AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are
allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps
end users avoid running unapproved software on their computers.
AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be
defined based on:
Attributes of the codesigning certificate(s) used to sign an app and its binaries;
Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and
version, or the hash of the file;
The path from which the app or file is launched (beginning with Windows 10 version 1903).
AppLocker System Requirements
AppLocker policies can only be configured on and applied to computers that are running on the supported versions
and editions of the Windows operating system. For more info, see Requirements to Use AppLocker. AppLocker
policies can be deployed using Group Policy or MDM.
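An added example that is not part of the Microsoft documentation: the audit-first workflow for both technologies described above, in PowerShell. It builds a WDAC policy from a software scan with publisher rules (hash fallback), runs it in audit mode, folds the audit log back into an enforced policy, and then builds, tests and applies an AppLocker policy. The C:\Policies and C:\Tools paths are placeholders; it assumes an elevated session on Windows 10 Enterprise or Windows Server 2016 or later.

```powershell
# Added example (not from the Microsoft docs page): WDAC policy in audit mode,
# then enforcement, then an equivalent AppLocker policy. Paths are placeholders.
$PolicyDir = 'C:\Policies'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# --- WDAC: scan installed software and emit publisher-level rules, falling back to
# --- file hashes for unsigned binaries. -UserPEs also covers user-mode executables.
$WdacXml = Join-Path $PolicyDir 'WdacAudit.xml'
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\Program Files' `
    -UserPEs -FilePath $WdacXml

# Rule option 3 is "Enabled:Audit Mode": violations are logged to the Code Integrity
# operational log (event 3076) instead of being blocked, so line-of-business apps
# keep running while you review what the policy would have stopped.
Set-RuleOption -FilePath $WdacXml -Option 3

# Compile to the binary form the kernel consumes. Deploying it means placing the
# .p7b at C:\Windows\System32\CodeIntegrity\SIPolicy.p7b (or pushing it via MDM/GP).
$WdacBin = Join-Path $PolicyDir 'SIPolicy.p7b'
ConvertFrom-CIPolicy -XmlFilePath $WdacXml -BinaryFilePath $WdacBin

# After the audit period: turn the audited executions into rules, merge them with
# the base policy, then drop option 3 so the merged policy enforces.
$AuditRules = Join-Path $PolicyDir 'WdacFromAuditLog.xml'
New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath $AuditRules
$Enforced = Join-Path $PolicyDir 'WdacEnforced.xml'
Merge-CIPolicy -PolicyPaths $WdacXml, $AuditRules -OutputFilePath $Enforced
Set-RuleOption -FilePath $Enforced -Option 3 -Delete

# --- AppLocker: same "earn trust" model, but scoped per user/group, not per machine.
$AppLockerXml = Join-Path $PolicyDir 'AppLocker.xml'
Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $AppLockerXml -Encoding unicode

# Dry-run a binary against the policy before applying it (placeholder path).
Test-AppLockerPolicy -XmlPolicy $AppLockerXml -Path 'C:\Tools\example.exe' -User Everyone

# Apply locally, merging with any existing rules. The Application Identity
# service must be running for AppLocker rules to take effect.
Set-AppLockerPolicy -XmlPolicy $AppLockerXml -Merge
```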
See also
WDAC design guide
WDAC deployment guide
AppLocker overview
Protect devices from exploits
1/8/2020 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes
and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016,
version 1803.
TIP
You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and
see how it works.
Exploit protection works best with Microsoft Defender Advanced Threat Protection - which gives you detailed
reporting into exploit protection events and blocks as part of the usual alert investigation scenarios.
You can enable exploit protection on an individual machine, and then use Group Policy to distribute the XML file
to multiple devices at once.
When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can
customize the notification with your company details and contact information. You can also enable the rules
individually to customize what techniques the feature monitors.
You can also use audit mode to evaluate how exploit protection would impact your organization if it were enabled.
Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) have been included in Exploit
protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See
Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection for more information on how
Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on
Windows 10.
IMPORTANT
If you are currently using EMET you should be aware that EMET reached end of support on July 31, 2018. You should
consider replacing EMET with exploit protection in Windows 10. You can convert an existing EMET configuration file into
exploit protection to make the migration easier and keep your existing settings.
WARNING
Some security mitigation technologies may have compatibility issues with some applications. You should test exploit
protection in all target use scenarios by using audit mode before deploying the configuration across a production
environment or the rest of your network.
DeviceEvents
| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
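An added example, not from the Microsoft documentation, covering the workflow the text describes: enable mitigations for one app with the audit variants first, review the audit events, export the configuration XML for Group Policy distribution, and convert and import an EMET profile. The app name lobapp.exe and the C:\Policies paths are placeholders; it assumes Windows 10, version 1709 or later with an elevated session.

```powershell
# Added example (not from the Microsoft docs page): audit-first exploit protection
# for a single app, export for GP distribution, EMET conversion. Names are placeholders.
$App = 'lobapp.exe'

# Inspect what currently applies (system defaults plus any per-app overrides).
Get-ProcessMitigation -Name $App

# Audit before enforce: the Audit* mitigations log instead of terminating the
# process. Here: dynamic code (ACG), remote image loads, and the ROP checks that
# exploit protection inherited from EMET.
Set-ProcessMitigation -Name $App -Enable AuditDynamicCode, AuditRemoteImageLoads, `
    AuditEnableRopStackPivot, AuditEnableRopCallerCheck, AuditEnableRopSimExec

# Mitigations that are usually safe to enforce outright.
Set-ProcessMitigation -Name $App -Enable DEP, SEHOP, ForceRelocateImages, BottomUp, HighEntropy

# Review audit hits from the Security-Mitigations logs before switching the
# Audit* entries to their enforcing counterparts (BlockDynamicCode, ...).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Security-Mitigations/UserMode',
              'Microsoft-Windows-Security-Mitigations/KernelMode'
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Export the machine's full exploit protection configuration. This XML is what
# the Group Policy setting "Use a common set of exploit protection settings" points at.
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Policies\ExploitProtection.xml'

# On another machine: convert a legacy EMET profile if you have one, then import.
ConvertTo-ProcessMitigationPolicy -EMETFilePath 'C:\Policies\EmetProfile.xml' `
    -OutputFilePath 'C:\Policies\ConvertedFromEmet.xml'
Set-ProcessMitigation -PolicyFilePath 'C:\Policies\ExploitProtection.xml'
```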
Mitigation comparison
The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows
Server 2016 (starting with version 1803), under Exploit protection.
The table in this section indicates the availability and support of native mitigations between EMET and exploit
protection.
NOTE
The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, while the other EMET
advanced settings are enabled by default as part of enabling the anti-ROP mitigations for a process.
See Mitigate threats by using Windows 10 security features for more information on how Windows 10 employs
existing EMET technology.
Related articles
Protect devices from exploits
Evaluate exploit protection
Enable exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Troubleshoot exploit protection
Protect your network
1/8/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents
employees from using any application to access dangerous domains that may host phishing scams, exploits, and
other malicious content on the Internet.
Network protection expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic
that attempts to connect to low-reputation sources (based on the ___domain or hostname).
Network protection is supported beginning with Windows 10, version 1709.
TIP
You can visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and
see how it works.
Network protection works best with Microsoft Defender Advanced Threat Protection, which gives you detailed
reporting into Windows Defender EG events and blocks as part of the usual alert investigation scenarios.
When network protection blocks a connection, a notification will be displayed from the Action Center. You can
customize the notification with your company details and contact information. You can also enable the rules
individually to customize what techniques the feature monitors.
You can also use audit mode to evaluate how Network protection would impact your organization if it were
enabled.
Requirements
Network protection requires Windows 10 Pro, Enterprise E3, or E5 and Windows Defender AV real-time protection.
Windows 10 version 1709 or later | Windows Defender AV real-time protection and cloud-delivered protection must be enabled
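An added example (not code from the Microsoft documentation) that checks the requirements just listed, turns network protection on in audit mode as the text recommends, and reads the resulting events. It assumes an elevated PowerShell session on Windows 10; the event IDs 1125 (audited) and 1126 (blocked) are those network protection writes to the Windows Defender operational log.

```powershell
# Added example (not from the Microsoft docs page): prerequisite check, audit mode,
# then review of network protection events.
function Test-NetworkProtectionPrereqs {
    $Status = Get-MpComputerStatus
    $Pref   = Get-MpPreference
    # Real-time protection and cloud-delivered protection (MAPS) are both required.
    $RtpOn   = $Status.RealTimeProtectionEnabled -and -not $Pref.DisableRealtimeMonitoring
    $CloudOn = $Pref.MAPSReporting -ne 0          # 0 = Disabled, 1 = Basic, 2 = Advanced
    $Build   = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $BuildOk = $Build -ge 16299                   # 16299 = Windows 10, version 1709
    [pscustomobject]@{
        RealTimeProtection = $RtpOn
        CloudProtection    = $CloudOn
        Build              = $Build
        Ready              = $RtpOn -and $CloudOn -and $BuildOk
    }
}

$Check = Test-NetworkProtectionPrereqs
if (-not $Check.Ready) {
    Write-Warning ("Prerequisites not met: " + ($Check | Out-String))
    return
}

# Audit first so that connections to low-reputation hosts are logged, not blocked,
# and can be reviewed before enforcement.
Set-MpPreference -EnableNetworkProtection AuditMode

# 1125 = would have been blocked (audit), 1126 = blocked (enforced).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1125, 1126
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Once the audit data looks clean, move to enforcement:
# Set-MpPreference -EnableNetworkProtection Enabled
```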
Related articles
Evaluate network protection | Undertake a quick scenario that demonstrates how the feature works, and
what events would typically be created.
Enable network protection | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network
protection in your network.
Protect your organization against web threats
10/31/2019 • 2 minutes to read
Web protection in Microsoft Defender ATP uses network protection to secure your machines against web threats.
By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web protection
stops web threats without a web proxy and can protect machines while they are away or on premises. Web
protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well
as sites that you have blocked in your custom indicator list.
NOTE
It can take up to an hour for machines to receive new customer indicators.
Prerequisites
Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web
browsers.
To turn on network protection on your machines:
Edit the Microsoft Defender ATP security baseline under Web & Network Protection to enable network
protection before deploying or redeploying it. Learn about reviewing and assigning the Microsoft Defender
ATP security baseline
Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution.
Read more about enabling network protection
NOTE
If you set network protection to Audit only, blocking will be unavailable. Also, you will be able to detect and log attempts to
access malicious and unwanted websites on Microsoft Edge only.
In this section
TOPIC | DESCRIPTION
Monitor web security | Monitor attempts to access malicious and unwanted websites.
Respond to web threats | Investigate and manage alerts related to malicious and unwanted websites. Understand how end users are notified whenever a web threat is blocked.
Monitor web browsing security
10/31/2019 • 2 minutes to read
Web protection lets you monitor your organization’s web browsing security through reports under Reports >
Web protection in the Microsoft Defender Security Center. The report contains cards that provide web threat
detection statistics.
Web threat protection detections over time — this trending card displays the number of web threats
detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
Web threat protection summary — this card displays the total web threat detections in the past 30 days,
showing distribution across the different types of web threats. Selecting a slice opens the list of the domains
that were found with malicious or unwanted websites.
NOTE
It can take up to 12 hours before a block is reflected in the cards or the ___domain list.
Related topics
Web protection overview
Respond to web threats
Respond to web threats
10/31/2019 • 2 minutes to read
Web protection in Microsoft Defender ATP lets you efficiently investigate and respond to alerts related to
malicious websites and websites in your custom indicator list.
NOTE
To reduce the volume of alerts, Microsoft Defender ATP consolidates web threat detections for the same ___domain on the
same machine each day to a single alert. Only one alert is generated and counted into the web protection report.
Inspect website details
You can dive deeper by selecting the URL or ___domain of the website in the alert. This opens a page about that
particular URL or ___domain with various information, including:
Machines that attempted to access the website
Incidents and alerts related to the website
How frequently the website was seen in events in your organization
Related topics
Web protection overview
Monitor web security
Protect important folders with controlled folder
access
1/7/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It
protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on
Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from
the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access
works best with Microsoft Defender Advanced Threat Protection, which gives you detailed reporting into
controlled folder access events and blocks as part of the usual alert investigation scenarios.
Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of
trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files
inside protected folders.
Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent
throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and
automatically added to the list.
Apps can also be manually added to the trusted list via SCCM and Intune. Additional actions, such as adding a file
indicator for the app, can be performed from the Security Center Console.
Controlled folder access is especially useful in helping to protect your documents and information from
ransomware that can attempt to encrypt your files and hold them hostage.
With Controlled folder access in place, a notification will appear on the computer where the app attempted to
make changes to a protected folder. You can customize the notification with your company details and contact
information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can add additional folders. You can also allow or
whitelist apps to give them access to the protected folders.
You can use audit mode to evaluate how controlled folder access would impact your organization if it were
enabled. You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the
feature is working and see how it works.
Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
Requirements
Controlled folder access requires enabling Windows Defender Antivirus real-time protection.
DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
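An added example, not from the Microsoft documentation: enable controlled folder access in audit mode, add a protected folder beyond the default system folders, allow a trusted line-of-business app, and review the audit and block events so the allowed list can be completed before enforcing. The D:\Finance and Contoso paths are placeholders; it assumes Windows Defender AV real-time protection and an elevated session. Event IDs 1123 (blocked) and 1124 (audited) are those controlled folder access writes to the Windows Defender operational log.

```powershell
# Added example (not from the Microsoft docs page): controlled folder access,
# audit first, with an extra protected folder and an allowed app. Paths are placeholders.
$ExtraFolder = 'D:\Finance\Reports'
$LobApp      = 'C:\Program Files\Contoso\ReportWriter.exe'

# Requirement from the page: Windows Defender AV real-time protection must be on.
if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
    throw 'Controlled folder access needs Windows Defender AV real-time protection.'
}

# AuditMode logs what would have been blocked without stopping any app yet.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $LobApp

function Get-CfaConfig {
    # Effective configuration: mode plus the protected-folder and allowed-app lists.
    Get-MpPreference | Select-Object EnableControlledFolderAccess,
        ControlledFolderAccessProtectedFolders,
        ControlledFolderAccessAllowedApplications
}

function Get-CfaEvents {
    param([int]$Max = 50)
    # 1123 = app blocked from writing to a protected folder, 1124 = audited (would block).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Mode   = if ($_.Id -eq 1124) { 'Audit' } else { 'Block' }
                Detail = $_.Message
            }
        }
}

Get-CfaConfig | Format-List
# Each audited app that is legitimate belongs on the allowed list before enforcing.
Get-CfaEvents | Format-Table -AutoSize

# Switch to enforcement once the allowed list covers every legitimate writer:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```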
In this section
TOPIC | DESCRIPTION
Evaluate controlled folder access | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
Enable controlled folder access | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network.
Customize controlled folder access | Add additional protected folders, and allow specified apps to access protected folders.
Reduce attack surfaces with attack surface reduction
rules
1/8/2020 • 12 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious
code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or
later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
To use the entire feature set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a
Windows E5 license you get advanced management capabilities including monitoring, analytics, and workflows
available in Microsoft Defender Advanced Threat Protection, as well as reporting and configuration capabilities in
the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can use
Event Viewer to review attack surface reduction rule events.
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect
computers, including:
Executable files and scripts used in Office apps or web mail that attempt to download or run files
Obfuscated or otherwise suspicious scripts
Behaviors that apps don't usually initiate during normal day-to-day work
You can use audit mode to evaluate how attack surface reduction rules would impact your organization if they
were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-
business applications. Many line-of-business applications are written with limited security concerns, and they
may perform tasks similar to malware. By monitoring audit data and adding exclusions for necessary
applications, you can deploy attack surface reduction rules without impacting productivity.
Triggered rules display a notification on the device. You can customize the notification with your company details
and contact information. The notification also displays in the Microsoft Defender Security Center and in the
Microsoft 365 security center.
For information about configuring attack surface reduction rules, see Enable attack surface reduction rules.
DeviceEvents
| where ActionType startswith 'Asr'
EVENT ID DESCRIPTION
The "engine version" of attack surface reduction events in the event log is generated by Microsoft Defender ATP,
not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all
machines with Windows 10 installed.
Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps
apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack
surface reduction rules don't apply to any other Office apps.
Block executable content from email client and webmail
This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and
other popular webmail providers:
Executable files (such as .exe, .dll, or .scr)
Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client)
(no exceptions)
SCCM name: Block executable content from email client and webmail
GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block all Office applications from creating child processes
This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and
Access.
This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and
exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications
might also use behaviors like this, including spawning a command prompt or using PowerShell to configure
registry settings.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Office apps launching child processes
SCCM name: Block Office application from creating child processes
GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save
malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious
code from being written to disk.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes
Attackers might attempt to use Office apps to migrate malicious code into other processes through code
injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office
apps into other processes. There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Office apps injecting code into other processes (no exceptions)
SCCM name: Block Office applications from injecting code into other processes
GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content
Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload
from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious
use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-
business applications sometimes use scripts to download and launch installers.
IMPORTANT
File and folder exclusions don't apply to this attack surface reduction rule.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
SCCM name: Block JavaScript or VBScript from launching downloaded executable content
GUID: D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide
intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated
script.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Obfuscated js/vbs/ps/macro code
SCCM name: Block execution of potentially obfuscated scripts.
GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macros
Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't
use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using
Win32 APIs in VBA macros, which reduces the attack surface.
This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Win32 imports from Office macro code
SCCM name: Block Win32 API calls from Office macros
GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or
they're in a trusted list or exclusion list:
Executable files (such as .exe, .dll, or .scr)
NOTE
You must enable cloud-delivered protection to use this rule.
IMPORTANT
The rule Block executable files from running unless they meet a prevalence, age, or trusted list criterion with GUID
01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered
protection to update its trusted list regularly.
You can specify individual files or folders (using folder paths or fully qualified resource names) as exclusions, but you
can't specify which rules the exclusions apply to.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware
This rule provides an extra layer of protection against ransomware. It scans executable files entering the system
to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from
running, unless they're in a trusted list or exclusion list.
NOTE
You must enable cloud-delivered protection to use this rule.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
Intune name: Advanced ransomware protection
SCCM name: Use advanced protection against ransomware
GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer.
Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from
LSASS. However, some organizations can't enable Credential Guard on all of their computers because of
compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority
(LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from
LSASS. This rule helps mitigate that risk by locking down LSASS.
NOTE
In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This
rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise.
If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry
doesn't necessarily indicate a malicious threat.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
Intune name: Flag credential stealing from the Windows local security authority subsystem
SCCM name: Block credential stealing from the Windows local security authority subsystem
GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands
This rule blocks processes created through PsExec and WMI commands from running, to prevent remote code
execution that can spread malware attacks.
IMPORTANT
File and folder exclusions do not apply to this attack surface reduction rule.
WARNING
Only use this rule if you're managing your devices with Intune or another MDM solution. This rule is incompatible with
management through System Center Configuration Manager because this rule blocks WMI commands the SCCM client
uses to function correctly.
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
Intune name: Process creation from PSExec and WMI commands
SCCM name: Not applicable
GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable
drives, including SD cards. Blocked file types include:
Executable files (such as .exe, .dll, or .scr)
Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
Intune name: Untrusted and unsigned processes that run from USB
SCCM name: Block untrusted and unsigned processes that run from USB
GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication application from creating child processes
This rule prevents Outlook from creating child processes. It protects against social engineering attacks and
prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of
additional payload while still allowing legitimate Outlook functions. It also protects against Outlook rules and
forms exploits that attackers can use when a user's credentials are compromised.
NOTE
This rule applies to Outlook and Outlook.com only.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
Intune name: Process creation from Office communication products (beta)
SCCM name: Not yet available
GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes
Through social engineering or exploits, malware can download and launch additional payloads and break out of
Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
Intune name: Process creation from Adobe Reader (beta)
SCCM name: Not yet available
GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block persistence through WMI event subscription
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic
execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule,
admins can prevent threats that abuse WMI to persist and stay hidden in the WMI repository.
This rule was introduced in: Windows 10 1903, Windows Server 1903
Intune name: Block persistence through WMI event subscription
SCCM name: Not yet available
GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
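The audit-first rollout described at the top of this topic (audit every rule, review the audit data, add exclusions for line-of-business apps, then move to block mode) can be driven end to end with the Defender PowerShell cmdlets. The script below is an added example, not code from the Microsoft docs page: the rule GUIDs and names are the ones listed in the rule descriptions above, while the event ID 1122 (audit-mode hit; 1121 is the block-mode hit), the "ID:" and "Process Name:" lines parsed out of the event message, the helper name Get-AsrAuditSummary and the C:\Program Files\ContosoLOB path are assumptions or placeholders. Run it in an elevated PowerShell on Windows 10 1803 or later with Windows Defender Antivirus active.

```powershell
# Added example (not from the Microsoft docs page): audit-first rollout of the ASR rules above.
# Rule GUIDs and names as listed on this page. The PsExec/WMI rule (d1e49aac-...) is left out
# on purpose because the page warns that it breaks the SCCM client.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}

# Step 1: put every rule in audit mode. Set-MpPreference replaces the whole rule list, so the
# Ids and Actions arrays are built together and must have the same length.
[string[]]$ids = $AsrRules.Keys
$actions       = @('AuditMode') * $ids.Count
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Step 2: after a representative period, summarise what the rules would have blocked.
# Assumptions: audit hits are logged as event 1122 in the Defender operational log (1121 is the
# block-mode event) and the message text carries "ID: <rule GUID>" and "Process Name: <path>".
function Get-AsrAuditSummary {
    param([int]$Days = 14)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $ruleId  = if ($e.Message -match 'ID:\s*([0-9A-Fa-f-]{36})')      { $Matches[1] }        else { 'unknown' }
        $process = if ($e.Message -match 'Process Name:\s*(\S[^\r\n]*)')  { $Matches[1].Trim() } else { 'unknown' }
        [pscustomobject]@{
            # Hashtable keys are case-insensitive, so mixed-case GUIDs in the log still match.
            Rule    = if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
            Process = $process
        }
    }
    $rows | Group-Object Rule, Process | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Rule / Process'; e = { $_.Name } }
}
Get-AsrAuditSummary -Days 14 | Format-Table -AutoSize

# Step 3: exclude a known-good line-of-business binary (placeholder path) and switch the Office
# child-process rule to block mode. Add-MpPreference updates one rule without replacing the list.
# Per the page, exclusions do not apply to the rules marked "no exceptions" (for example the
# js/vbs downloader rule and the PsExec/WMI rule).
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ContosoLOB\lobinstaller.exe'
Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                 -AttackSurfaceReductionRules_Actions Enabled

# Step 4: verify the effective state. Actions are returned as 0 = Disabled, 1 = Enabled (block),
# 2 = AuditMode; anything else is printed as its raw code.
$pref  = Get-MpPreference
$names = @('Disabled', 'Enabled', 'AuditMode')
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $mode = if ($code -lt $names.Count) { $names[$code] } else { "action $code" }
    $name = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { $id }
    '{0,-10} {1}' -f $mode, $name
}
```

Leave the rules in audit mode long enough to cover month-end and other periodic line-of-business jobs before reading the summary; a rule that looks quiet after two days can light up when a scheduled macro runs. Exclusions should name the specific binary rather than a whole folder, so that the exclusion itself does not become the easiest path past the rule.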
Related topics
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Compatibility of Microsoft Defender with other antivirus/antimalware
Windows Defender Firewall with Advanced Security
11/19/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol
security (IPsec) features.
Feature description
Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing
host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized
network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network
Awareness so that it can apply security settings appropriate to the types of networks to which the device is
connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated
into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender
Firewall is also an important part of your network’s isolation strategy.
Practical applications
To help address your organizational network security challenges, Windows Defender Firewall offers the following
benefits:
Reduces the risk of network security threats. Windows Defender Firewall reduces the attack surface of
a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a
device increases manageability and decreases the likelihood of a successful attack.
Safeguards sensitive data and intellectual property. With its integration with IPsec, Windows
Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It
provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and
optionally helping to protect the confidentiality of the data.
Extends the value of existing investments. Because Windows Defender Firewall is a host-based
firewall that is included with the operating system, there is no additional hardware or software required.
Windows Defender Firewall is also designed to complement existing non-Microsoft network security
solutions through a documented application programming interface (API).
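The two properties this overview singles out, two-way host-based filtering and Network Awareness (profile-specific settings), are easiest to see in a concrete baseline. The script below is an added example and not code from the Microsoft docs page; the agent path, rule names and the 10.10.0.0/24 management subnet are placeholders. Run it in an elevated PowerShell on Windows 10 or Windows Server 2016.

```powershell
# Added example (not from the Microsoft docs page): a profile-aware host firewall baseline.

# Network Awareness: which profile (Domain, Private, Public) each interface is currently in.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Keep the firewall on for every profile, drop unsolicited inbound traffic by default, and log
# the drops so that blocked connections can be reviewed later (plain-text W3C-style log).
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Two-way filtering: an internal management agent (placeholder path) may talk out over HTTPS
# only while the device is on the Domain profile; on Public networks it is blocked outright.
$agent = 'C:\Program Files\ContosoAgent\agent.exe'   # placeholder, not a real product
New-NetFirewallRule -DisplayName 'Contoso agent - allow on ___domain' -Direction Outbound `
    -Program $agent -Protocol TCP -RemotePort 443 -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'Contoso agent - block on public' -Direction Outbound `
    -Program $agent -Action Block -Profile Public

# Inbound: permit Remote Desktop only from the management subnet (placeholder range) and only
# on the Domain profile; the default-deny above covers everything else.
New-NetFirewallRule -DisplayName 'RDP from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress '10.10.0.0/24' -Action Allow -Profile Domain

# Verify the rules and look at the most recent drops.
Get-NetFirewallRule -DisplayName 'Contoso agent*', 'RDP from management subnet' |
    Format-Table DisplayName, Direction, Action, Profile, Enabled -AutoSize
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 200 |
    Where-Object { $_ -match ' DROP ' } | Select-Object -Last 20
```

The outbound block rule is the part that exercises Network Awareness: the same binary is allowed on one profile and denied on another without any change to the program itself, which is the behaviour the overview describes when it says settings are applied "appropriate to the types of networks to which the device is connected".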
In this section
TOPIC DESCRIPTION
Isolating Microsoft Store Apps on Your Network: You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices.
Securing End-to-End IPsec Connections by Using IKEv2: You can use IKEv2 to help secure your end-to-end IPsec connections.
Windows Defender Firewall with Advanced Security Administration with Windows PowerShell: Learn more about using Windows PowerShell to manage the Windows Defender Firewall.
Windows Defender Firewall with Advanced Security Design Guide: Learn how to create a design for deploying Windows Defender Firewall with Advanced Security.
Windows Defender Firewall with Advanced Security Deployment Guide: Learn how to deploy Windows Defender Firewall with Advanced Security.
Next-generation protection in Windows 10 and Windows Server 2016
12/18/2019 • 2 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced
Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning,
big-data analysis, in-depth threat resistance research, and cloud infrastructure to protect devices in your
enterprise organization. Next-generation protection services include:
Behavior-based, heuristic, and real-time antivirus protection. This includes always-on scanning using file
and process behavior monitoring and other heuristics (also known as "real-time protection"). It also
includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware.
Cloud-delivered protection. This includes near-instant detection and blocking of new and emerging
threats.
Dedicated protection and product updates. This includes updates related to keeping Windows Defender
Antivirus up to date.
TIP
Visit the Microsoft Defender ATP demo website to confirm the following protection features are working and explore
them using demo scenarios:
Cloud-delivered protection
Block at first sight (BAFS) protection
Potentially unwanted applications (PUA) protection
NOTE
Configuration and management of Windows Defender Antivirus is largely the same on Windows Server 2016; however,
there are some differences. To learn more, see Windows Defender Antivirus on Windows Server 2016.
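The three service areas listed above (real-time and behavior-based protection, cloud-delivered protection, and protection updates) each map to a handful of Windows Defender Antivirus settings that can be checked and set from PowerShell. The script below is an added example, not code from the Microsoft docs page; the cmdlets and parameters are the Defender module's own, but the particular values chosen (cloud block level, sample consent, update interval) are assumptions about a reasonable baseline rather than anything the page prescribes. Run it in an elevated PowerShell on Windows 10 or Windows Server 2016 where Windows Defender Antivirus is the active antimalware product.

```powershell
# Added example (not from the Microsoft docs page): enable and verify the next-generation
# protection services described above.

# Real-time protection: always-on scanning, behavior monitoring, scanning of downloaded
# files and attachments (IOAV), and script scanning.
Set-MpPreference -DisableRealtimeMonitoring  $false `
                 -DisableBehaviorMonitoring  $false `
                 -DisableIOAVProtection      $false `
                 -DisableScriptScanning      $false

# Cloud-delivered protection: join MAPS, automatically submit safe samples only, raise the
# cloud block level, and allow the cloud up to 50 seconds to return a verdict on a new file.
Set-MpPreference -MAPSReporting        Advanced `
                 -SubmitSamplesConsent SendSafeSamples `
                 -CloudBlockLevel      High `
                 -CloudExtendedTimeout 50

# Potentially unwanted application (PUA) protection, one of the demo scenarios named above.
Set-MpPreference -PUAProtection Enabled

# Protection updates: check for new security intelligence every 4 hours and pull it now.
Set-MpPreference -SignatureUpdateInterval 4
Update-MpSignature

# Verification. Get-MpComputerStatus reports the live engine state; Get-MpPreference reports
# the configured policy. Both should agree with the settings above.
function Get-NgpState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        AntimalwareService  = $status.AMServiceEnabled
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        BehaviorMonitoring  = $status.BehaviorMonitorEnabled
        IoavProtection      = $status.IoavProtectionEnabled
        EngineVersion       = $status.AMEngineVersion
        SignaturesUpdated   = $status.AntivirusSignatureLastUpdated
        MapsReporting       = $pref.MAPSReporting        # 2 = Advanced
        SampleConsent       = $pref.SubmitSamplesConsent # 1 = SendSafeSamples
        CloudBlockLevel     = $pref.CloudBlockLevel      # 4 = High
        PuaProtection       = $pref.PUAProtection        # 1 = Enabled
    }
}
Get-NgpState | Format-List
```

Block at first sight depends on real-time protection, MAPS reporting and sample submission all being on, which is why the three Set-MpPreference calls are kept together; turning any one of them off silently degrades the others. The numeric codes in the verification comments are the enum values Get-MpPreference returns for those settings.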
Related topics
Full version history for Microsoft Defender Advanced Threat Protection
Windows Defender Antivirus management and configuration
Evaluate Windows Defender Antivirus protection
Enable cloud protection
Configure real-time protection
Enable block at first sight
Detect and block potentially unwanted applications
Create and deploy cloud-protected antimalware policies
Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat
Protection (Microsoft Defender ATP).
Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to
using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender
Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP
capabilities, such as endpoint detection and response and automated investigation and remediation, you get better
protection that's coordinated across products and services.
ADVANTAGE WHY IT MATTERS
2. Threat analytics and your secure score: Windows Defender Antivirus collects underlying system data used by threat analytics and secure score. This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture.
4. Details about blocked malware: More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. Understand malware & other threats.
Learn more
Microsoft Defender Advanced Threat Protection
Threat & Vulnerability Management
Overview of endpoint detection and response
10/9/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are
near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of
a breach, and take response actions to remediate threats.
When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack
techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts
in this manner makes it easy for analysts to collectively investigate and respond to threats.
Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously collects behavioral cyber
telemetry. This includes process information, network activities, deep optics into the kernel and memory manager,
user login activities, registry and file system changes, and others. The information is stored for six months,
enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and
approach an investigation through multiple vectors.
The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
In this section
TOPIC DESCRIPTION
Security operations dashboard: Explore a high level overview of detections, highlighting where response actions are needed.
Incidents queue: View and organize the incidents queue, and manage and investigate alerts.
Alerts queue: View and organize the machine alerts queue, and manage and investigate alerts.
Machines list: Investigate machines with generated alerts and search for specific events over time.
Take response actions: Learn about the available response actions and apply them to machines and files.
Microsoft Defender Security Center Security operations dashboard
9/20/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Security operations dashboard is where the endpoint detection and response capabilities are surfaced. It
provides a high level overview of where detections were seen and highlights where response actions are needed.
The dashboard displays a snapshot of:
Active alerts
Machines at risk
Sensor health
Service health
Daily machines reporting
Active automated investigations
Automated investigations statistics
Users at risk
Suspicious activities
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities
occurred in your network to help you understand the context they appeared in.
From the Security operations dashboard you will see aggregated events to facilitate the identification of
significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a
detailed view of the corresponding overview.
Active alerts
You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are
grouped into New and In progress.
Each group is further sub-categorized into its corresponding alert severity levels. Click the number of alerts
inside each alert ring to see a sorted view of that category's queue (New or In progress).
For more information, see Alerts overview.
Each row includes an alert severity category and a short description of the alert. You can click an alert to see its
detailed view. For more information, see Investigate Microsoft Defender Advanced Threat Protection alerts and
Alerts overview.
Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each
machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far
end of the tile (hover over each severity bar to see its label).
Click the name of the machine to see details about that machine. For more information, see Investigate machines
in the Microsoft Defender Advanced Threat Protection Machines list.
You can also click Machines list at the top of the tile to go directly to the Machines list, sorted by the number of
active alerts. For more information, see Investigate machines in the Microsoft Defender Advanced Threat
Protection Machines list.
Sensor health
The Sensor health tile provides information on the individual machine’s ability to provide sensor data to the
Microsoft Defender ATP service. It reports how many machines require attention and helps you identify
problematic machines.
There are two status indicators that provide information on the number of machines that are not reporting
properly to the service:
Misconfigured – These machines might partially be reporting sensor data to the Microsoft Defender ATP
service and might have configuration errors that need to be corrected.
Inactive - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven
days in the past month.
When you click any of the groups, you'll be directed to the Machines list, filtered according to your choice. For more
information, see Check sensor state and Investigate machines.
Service health
The Service health tile informs you if the service is active or if there are issues.
For more information on the service health, see Check the Microsoft Defender ATP service health.
You can click on Automated investigations, Remediated investigations, and Alerts investigated to navigate
to the Investigations page, filtered by the appropriate category. This lets you see a detailed breakdown of
investigations in context.
Users at risk
The tile shows you a list of user accounts with the most active alerts, and the number of those alerts at each of the
high, medium, and low severity levels.
Click the user account to see details about the user account. For more information, see Investigate a user account.
Related topics
Understand the Microsoft Defender Advanced Threat Protection portal
Portal overview
View the Secure Score dashboard and improve your secure score
View the Threat analytics dashboard and take recommended mitigation actions
View and organize the Microsoft Defender Advanced Threat Protection Incidents queue
10/9/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Incidents queue shows a collection of incidents that were flagged from machines in your network. It helps
you sort through incidents to prioritize and make an informed cybersecurity response decision.
By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of
the list, helping you see the most recent incidents first.
There are several options you can choose from to customize the Incidents queue view.
On the top navigation you can:
Customize columns to add or remove columns
Modify the number of items to view per page
Select the items to show per page
Batch-select the incidents to assign
Navigate between pages
Apply filters
Assigned to
You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you.
Category
Incidents are categorized by the stage of the cybersecurity kill chain they have reached. This view helps the threat
analyst determine the priority, urgency, and corresponding response strategy to deploy based on context.
Status
You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
Data sensitivity
Use this filter to show incidents that contain sensitivity labels.
Related topics
Incidents queue
Manage incidents
Investigate incidents
Manage Microsoft Defender ATP incidents
10/22/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting
an incident from the Incidents queue or the Incidents management pane.
Selecting an incident from the Incidents queue brings up the Incident management pane where you can open
the incident page for details.
You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep
track of their progress.
Assign incidents
If an incident has not been assigned yet, you can select Assign to me to assign the incident to yourself. Doing so
assumes ownership of not just the incident, but also all the alerts associated with it.
Related topics
Incidents queue
View and organize the Incidents queue
Investigate incidents
Investigate incidents in Microsoft Defender ATP
10/9/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
When you investigate an incident, you'll see:
Incident details
Incident comments and actions
Tabs (alerts, machines, investigations, evidence, graph)
Alerts
You can investigate the alerts and see how they were linked together in an incident. Alerts are grouped into
incidents based on the following reasons:
Automated investigation - The automated investigation triggered the linked alert while investigating the
original alert
File characteristics - The files associated with the alert have similar characteristics
Manual association - A user manually linked the alerts
Proximate time - The alerts were triggered on the same machine within a certain timeframe
Same file - The files associated with the alert are exactly the same
Same URL - The URL that triggered the alert is exactly the same
You can also manage an alert and see alert metadata along with other information. For more information, see
Investigate alerts.
Machines
You can also investigate the machines that are part of, or related to, a given incident. For more information, see
Investigate machines.
Investigations
Select Investigations to see all the automatic investigations launched by the system in response to the incident
alerts.
You can click the circles on the incident graph to view the details of the malicious files, the associated file
detections, how many instances there have been worldwide, and whether the file has been observed in your
organization and, if so, in how many instances.
Related topics
Incidents queue
Investigate incidents in Microsoft Defender ATP
Manage Microsoft Defender ATP incidents
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
9/20/2019 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Alerts queue shows a list of alerts that were flagged from machines in your network. By default, the queue
displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the
list, helping you see the most recent alerts first.
There are several options you can choose from to customize the alerts queue view.
On the top navigation you can:
Select grouped view or list view
Customize columns to add or remove columns
Select the items to show per page
Navigate between pages
Apply filters
Suspicious activity (General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic): Atypical activity that could be malware activity or part of an attack.
Status
You can choose to limit the list of alerts based on their status.
Investigation state
Corresponds to the automated investigation state.
Category
You can choose to filter the queue to display specific types of malicious activity.
Assigned to
You can choose between showing alerts that are assigned to you or to automation.
Detection source
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter
and see detections from the new threat experts managed hunting service.
NOTE
The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default
real-time protection antimalware product.
OS platform
Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
Machine group
If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to
limit the alerts queue view to display just those machine groups.
Associated threat
Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile
threats in Threat analytics.
Related topics
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a ___domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Manage Microsoft Defender Advanced Threat Protection alerts
9/20/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through
alerts. A summary of new alerts is displayed in the Security operations dashboard, and you can access all
alerts in the Alerts queue.
You can manage alerts by selecting an alert in the Alerts queue, or the Alerts tab of the Machine page for an
individual device.
Selecting an alert in either of those places brings up the Alert management pane.
Assign alerts
If an alert is not yet assigned, you can select Assign to me to assign the alert to yourself.
Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security
Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be
innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not
affect existing alerts already in the queue, prior to the rule creation. The rule will only be applied on alerts that
satisfy the conditions set after the rule is created.
There are two contexts for a suppression rule that you can choose from:
Suppress alert on this machine
Suppress alert in my organization
The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts
are surfaced into the portal.
You can use the following examples to help you choose the context for a suppression rule:
Suppress alert on this machine: Alerts with the same alert title on that specific machine only will be suppressed.
All other alerts on that machine will not be suppressed. Example scenarios: a security researcher is investigating a
malicious script that has been used to attack other machines in your organization; a developer regularly creates
PowerShell scripts for their team.
Suppress alert in my organization: Alerts with the same alert title on any machine will be suppressed. Example
scenario: a benign administrative tool is used by everyone in your organization.
Alert classification
You can leave the classification unset, or specify whether an alert is a true alert or a false alert. It's important
to provide the true positive/false positive classification: it is used to monitor alert quality and to make alerts
more accurate. The "determination" field adds fidelity to a "true positive" classification only.
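Assignment and classification can also be set outside the portal. The following is an added PowerShell example, not code from the Microsoft Defender ATP documentation: it assumes the Microsoft Defender ATP alerts API (PATCH on /api/alerts/{id}) and an Azure AD application with alert write permission; the tenant, app and alert IDs and the analyst address are placeholders. The helper refuses a determination on anything other than a true positive, because the determination only adds fidelity to that classification.

```powershell
# Added example, not code from the Microsoft Defender ATP documentation.
# Assumptions: the Microsoft Defender ATP alerts API (PATCH /api/alerts/{id})
# and an Azure AD app registration with alert write permission; IDs below
# are placeholders.

$ApiBase = 'https://api.securitycenter.windows.com'

# Values the API accepts for the classification and determination fields.
$Classifications = 'Unknown', 'FalsePositive', 'TruePositive'
$Determinations  = 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel',
                   'SecurityTesting', 'UnwantedSoftware', 'Other'

function Get-MdatpToken {
    param([string]$TenantId, [string]$AppId, [string]$AppSecret)
    $body = @{
        resource      = $ApiBase
        client_id     = $AppId
        client_secret = $AppSecret
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token"
    return $resp.access_token
}

function New-AlertUpdateBody {
    param(
        [string]$Status,          # New, InProgress or Resolved
        [string]$AssignedTo,      # analyst UPN, as "Assign to me" does
        [string]$Classification,
        [string]$Determination,
        [string]$Comment
    )
    if ($Status -and $Status -notin 'New', 'InProgress', 'Resolved') {
        throw "Unknown status '$Status'"
    }
    if ($Classification -and $Classification -notin $Classifications) {
        throw "Unknown classification '$Classification'"
    }
    if ($Determination -and $Determination -notin $Determinations) {
        throw "Unknown determination '$Determination'"
    }
    # Determination only adds fidelity to a true positive: do not let a
    # false alert be tagged as Malware or Apt.
    if ($Determination -and $Determination -ne 'NotAvailable' -and
        $Classification -ne 'TruePositive') {
        throw "Determination '$Determination' requires classification TruePositive"
    }
    $fields = @{ status = $Status; assignedTo = $AssignedTo; comment = $Comment
                 classification = $Classification; determination = $Determination }
    $body = @{}
    foreach ($name in $fields.Keys) {
        if ($fields[$name]) { $body[$name] = $fields[$name] }   # send only what was set
    }
    return $body
}

function Update-MdatpAlert {
    param([string]$Token, [string]$AlertId, [hashtable]$Body)
    Invoke-RestMethod -Method Patch -Uri "$ApiBase/api/alerts/$AlertId" `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' -Body ($Body | ConvertTo-Json)
}

# Usage: resolve an alert as a confirmed malware true positive.
$token = Get-MdatpToken -TenantId '<tenant-id>' -AppId '<app-id>' -AppSecret '<secret>'
$body  = New-AlertUpdateBody -Status Resolved -AssignedTo 'analyst@contoso.com' `
           -Classification TruePositive -Determination Malware -Comment 'Confirmed by IR'
Update-MdatpAlert -Token $token -AlertId '<alert-id>' -Body $body
```

Only the fields you pass are sent, so the same helper can be used to assign an alert without touching its classification, or to classify it without changing its status.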
Related topics
Manage suppression rules
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a ___domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Investigate Microsoft Defender Advanced Threat Protection alerts
9/20/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
Click an alert to see the alert details view and the various tiles that provide information about the alert.
From the alert details view, you can manage an alert and see alert data such as severity, category, technique,
along with other information that can help you make better decisions on how to approach them.
The techniques reflected in the card are based on MITRE ATT&CK enterprise techniques.
You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take
you to the Automated investigations view. For more information, see Automated investigations.
The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on
the icon beside the name or user account to bring up the machine or user details pane. The alert details view
also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of
recommended actions which you can expand.
For more information about managing alerts, see Manage alerts.
The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted
automatically, and the timeline will display the appearance of the alert and its evidence in the Machine
timeline. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the
Machine timeline.
Alerts attributed to an adversary or actor display a colored tile with the actor's name.
Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor,
their interests or targets, their tactics, techniques, and procedures (TTPs), the geolocations where they have been
observed active, and a set of recommended actions you may take. In many cases, the profile includes a link to
download a more comprehensive threat intelligence report about the attacker or campaign for offline reading.
NOTE
The alert process tree might not be available in some alerts.
Clicking in the circle immediately to the left of the indicator displays its details.
The alert details pane helps you take a deeper look at the details about the alert. It displays rich information
about the execution details, file details, detections, observed worldwide, observed in organization, and other
details taken from the entity's page – while remaining on the alert page, so you never leave the current context
of your investigation.
Incident graph
The Incident Graph provides a visual representation of the organizational footprint of the alert and its
evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical
mapping from the original machine and evidence expanding to show other machines in the organization where
the triggering evidence was also observed.
The Incident Graph supports expansion by File, Process, command line, or Destination IP Address, as
appropriate.
Expanding the Incident Graph by destination IP address shows the organizational footprint of communications
with that IP address without having to change context by navigating to the IP address page.
You can click the full circles on the incident graph to expand the nodes and view the expansion to other
machines where the matching criteria were observed.
Artifact timeline
The Artifact timeline feature provides an additional view of the evidence that triggered the alert on the
machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it
was observed on the machine. This can help in understanding if the evidence was first observed at the time of
the alert, or whether it was observed on the machine earlier - without triggering an alert.
Selecting an alert detail brings up the Details pane where you'll be able to see more information about the
alert such as file details, detections, instances of it observed worldwide, and in the organization.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a ___domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Investigate a file associated with a Microsoft Defender ATP alert
12/10/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file
exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
There are many ways to access the detailed profile page of a specific file. For example, you can use the search
feature, click on a link from the Alert process tree, Incident graph, Artifact timeline, or select an event listed
in the Machine timeline.
Once on the detailed profile page, you can switch between the new and old page layouts by toggling new File
page. The rest of this article describes the newer page layout.
You can get information from the following sections in the file view:
File details, Malware detection, File prevalence
Alerts
Observed in organization
Deep analysis
File names
You can also take action on a file from this page.
File actions
File actions run along the top of the profile page, above the file information cards. Actions you can perform here include:
Stop and quarantine
Add/edit indicator
Download file
Consult a threat expert
Action center
For more information on these actions, see Take response action on a file.
Alerts
The Alerts tab provides a list of alerts that are associated with the file. This list covers much of the same
information as the Alerts queue, except for the machine group (if any) that the affected machine belongs to. You
can choose what kind of information is shown by selecting Customize columns from the toolbar above the column
headers.
Observed in organization
The Observed in organization tab allows you to specify a date range to see which devices have been observed
with the file.
NOTE
This tab will show a maximum number of 100 machines. To see all devices with the file, export the tab to a CSV file, by
selecting Export from the action menu above the tab's column headers.
Use the slider or the range selector to quickly specify a time period that you want to check for events involving
the file. You can specify a time window as small as a single day. This lets you see only the machines on which the
file was observed in that window, drastically reducing unnecessary scrolling and searching.
Deep analysis
The Deep analysis tab allows you to submit the file for deep analysis, to uncover more details about the file's
behavior, as well as the effect it is having within your organization. After you submit the file, the deep analysis
report will appear in this tab once results are available. If deep analysis did not find anything, the report will be
empty and the results space will remain blank.
File names
The File names tab lists all names the file has been observed to use within your organization.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a ___domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Take response actions on a file
Investigate machines in the Microsoft Defender ATP Machines list
12/6/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might
be related to the alert or the potential scope of the breach.
You can click on affected machines whenever you see them in the portal to open a detailed report about that
machine. Affected machines are identified in the following areas:
Machines list
Alerts queue
Security operations dashboard
Any individual alert
Any individual file details view
Any IP address or ___domain details view
When you investigate a specific machine, you'll see:
Machine details
Response actions
Cards (active alerts, logged on users, security assessment)
Tabs (alerts, timeline, security recommendations, software inventory, discovered vulnerabilities)
Machine details
The machine details section provides information such as the ___domain, OS, and health state of the machine. If
there's an investigation package available on the machine, you'll see a link that allows you to download the
package.
Response actions
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate automated investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can take response actions in the Action center, in a specific machine page, or in a specific file page.
For more information on how to take action on a machine, see Take response action on a machine.
Cards
Active alerts
The Azure Advanced Threat Protection card will display a high-level overview of alerts related to the
machine and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More
information is available in the "Alerts" drill down.
NOTE
You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft
Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced
features, see Turn on advanced features.
Logged on users
The Logged on users card shows how many users have logged on in the past 30 days, along with the most
and least frequent users. Selecting the "See all users" link opens the details pane, which displays information
such as user type, log on type, and when the user was first and last seen. For more information, see Investigate
user entities.
Security assessments
The Security assessments card shows the overall exposure level, security recommendations, installed
software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of
its pending security recommendations.
Tabs
The five tabs under the cards section show relevant security and threat prevention information related to the
machine. In each tab, you can customize the columns that are shown by selecting Customize columns from
the bar above the column headers.
Alerts
The Alerts section provides a list of alerts that are associated with the machine. This list is a filtered version of
the Alerts queue, and shows a short description of the alert, severity (high, medium, low, informational), status
in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state,
category of alert, who is addressing the alert, and last activity. You can also filter the alerts.
When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the
alert and view more details such as incident number and related machines. Multiple alerts can be selected at a
time.
To see a full page view of an alert including incident graph and process tree, select the title of the alert.
Timeline
The Timeline section provides a chronological view of the events and associated alerts that have been
observed on the machine. This can help you correlate any events, files, and IP addresses in relation to the
machine.
The timeline also enables you to selectively drill down into events that occurred within a given time period. You
can view the temporal sequence of events that occurred on a machine over a selected time period. To further
control your view, you can filter by event groups or customize the columns.
NOTE
For firewall events to be displayed, you'll need to enable the audit policy; see Audit Filtering Platform connection.
The firewall event group covers the following event IDs:
5025 - firewall service stopped
5031 - application blocked from accepting incoming connections on the network
5157 - blocked connection
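An added PowerShell example, not part of this documentation, that enables the audit subcategories locally with auditpol and reads the three event IDs back from the Security log, so you can confirm the events are being written before expecting them in the timeline. The mapping of 5025 to the "Other System Events" subcategory and the direction codes in 5157 come from the Windows security auditing reference and are assumptions here, not statements on this page.

```powershell
# Added example, not code from the Microsoft Defender ATP documentation.
# Enables the audit subcategories that produce the firewall events the
# machine timeline shows, then reads them back from the local Security log.
# Run in an elevated PowerShell session on the endpoint.

# Assumption (from the Windows security auditing reference, not this page):
# 5031 and 5157 are logged by "Filtering Platform Connection", while 5025
# (firewall service stopped) is logged by "Other System Events".
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable | Out-Null

# Confirm the effective policy before expecting events in the timeline.
auditpol /get /subcategory:"Filtering Platform Connection"

function Get-FirewallAuditEvents {
    param([int]$Hours = 24)
    # Same IDs the Microsoft Defender ATP timeline lists for the firewall group.
    $filter = @{
        LogName   = 'Security'
        Id        = 5025, 5031, 5157
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Application = $data['Application']
                # 5157 reports direction as %%14592 (inbound) or %%14593 (outbound).
                Direction   = $data['Direction']
                RemoteAddr  = $data['DestAddress']
                RemotePort  = $data['DestPort']
            }
        }
}

# Usage: blocked connections (5157) in the last 24 hours, grouped by process.
Get-FirewallAuditEvents | Where-Object Id -eq 5157 |
    Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Enabling Filtering Platform Connection auditing is noisy on busy hosts (every permitted connection can be logged when success auditing is on); if you only need the blocked-connection evidence the timeline shows, enable failure auditing alone.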
Software inventory
The Software inventory section lets you view software on the device, along with any weaknesses or threats.
Selecting the name of the software will take you to the software details page where you can view security
recommendations, discovered vulnerabilities, installed machines, and version distribution. See Software
inventory for details.
Discovered vulnerabilities
The Discovered vulnerabilities section shows the name, severity, and threat insights of discovered
vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a ___domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Security recommendation
Software inventory
Investigate an IP address associated with a Microsoft Defender ATP alert
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Examine possible communication between your machines and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address,
such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and
infected machines.
You can find information from the following sections in the IP address view:
IP worldwide
Reverse DNS names
Alerts related to this IP
IP in organization
Prevalence
IP in organization
The IP in organization section provides details on the prevalence of the IP address in the organization.
Prevalence
The Prevalence section displays how many machines have connected to this IP address, and when the IP was
first and last seen. You can filter the results of this section by time period; the default period is 30 days.
NOTE
Search results will only be returned for IP addresses observed in communication with machines in the organization.
Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed
results of all machines in the organization observed communicating with the IP address, the file associated with
the communication and the last date observed.
Clicking any of the machine names will take you to that machine's view, where you can continue investigating
reported alerts, behaviors, and events.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate a ___domain associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Investigate a ___domain associated with a Microsoft Defender ATP alert
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Investigate a ___domain to see if machines and servers in your enterprise network have been communicating with a
known malicious ___domain.
You can investigate a ___domain by using the search feature or by clicking on a ___domain link from the Machine
timeline.
You can see information from the following sections in the URL view:
URL details, Contacts, Nameservers
Alerts related to this URL
URL in organization
Most recent observed machines with URL
URL worldwide
The URL Worldwide section lists the URL, a link to further details at Whois, the number of related open
incidents, and the number of active alerts.
Incident
The Incident card displays a bar chart of all active alerts in incidents over the past 180 days.
Prevalence
The Prevalence card provides details on the prevalence of the URL within the organization, over a specified
period of time.
Although the default time period is the past 30 days, you can customize the range by selecting the downward-
pointing arrow in the corner of the card. The shortest range available is for prevalence over the past day, while
the longest range is over the past 6 months.
Alerts
The Alerts tab provides a list of alerts that are associated with the URL. The table shown here is a filtered version
of the alerts visible on the Alert queue screen, showing only alerts associated with the ___domain, their severity,
status, the associated incident, classification, investigation state, and more.
The Alerts tab can be adjusted to show more or less information, by selecting Customize columns from the
action menu above the column headers. The number of items displayed can also be adjusted, by selecting items
per page on the same menu.
Observed in organization
The Observed in organization tab provides a chronological view on the events and associated alerts that were
observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time,
machine, and a brief description of what happened.
You can view events from different periods of time by entering the dates into the text fields above the table
headers. You can also customize the time range by selecting different areas of the timeline.
Investigate a ___domain:
1. Select URL from the Search bar drop-down menu.
2. Enter the URL in the Search field.
3. Click the search icon or press Enter. Details about the URL are displayed. Note: search results will only be
returned for URLs observed in communications from machines in the organization.
4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the
displayed results of all machines in the organization observed communicating with the URL, the file
associated with the communication and the last date observed.
5. Clicking any of the machine names will take you to that machine's view, where you can continue investigating
reported alerts, behaviors, and events.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a user account in Microsoft Defender ATP
Investigate connection events that occur behind forward proxies
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A
challenging case is when the network uses a forward proxy as a gateway to the Internet.
The proxy acts as if it were the target endpoint. In these cases, simple network connection monitors audit the
connections to the proxy, which is correct but has lower investigation value because the real destination is hidden.
Microsoft Defender ATP supports advanced HTTP-level monitoring through network protection. When it is turned
on, a new type of event is surfaced that exposes the real target ___domain names.
Investigation impact
When network protection is turned on, you'll see on a machine's timeline that the IP address still represents the
proxy, while the real target address shows up alongside it.
Additional events triggered by the network protection layer are now available to surface the real ___domain names
even behind a proxy.
Event information: the network protection events carry the real target in the RemoteUrl column, so project it next
to the proxy's RemoteIP:
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName
| take 10
You can also filter out events that are related to connection to the proxy itself.
Use the following query to filter out the connections to the proxy (replace "ProxyIP" with the address of your
forward proxy):
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName
| take 10
Related topics
Applying network protection with GP - policy CSP
Protect your network
Investigate a user account in Microsoft Defender ATP
9/20/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The user account details, Azure ATP alerts, and logged on machines cards display various attributes about the
user account.
User details
The User details card provides information about the user, such as when the user was first and last seen.
Depending on the integration features you've enabled, you'll see other details. For example, if you enable the
Skype for business integration, you'll be able to contact the user from the portal.
Azure Advanced Threat Protection
The Azure Advanced Threat Protection card will contain a link that will take you to the Azure ATP page, if
you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will
provide more information about the alerts. This card also provides details such as the last AD site, total group
memberships, and login failure associated with the user.
NOTE
You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft
Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced
features, see Turn on advanced features.
Logged on machines
The Logged on machines card shows a list of the machines that the user has logged on to. You can expand
these to see details of the log-on events for each machine.
Observed in organization
The Observed in organization section allows you to specify a date range to see a list of machines where this
user was observed logged on to, the most frequent and least frequent logged on user account for each of these
machines, and total observed users on each machine.
Selecting an item on the Observed in organization table will expand the item, revealing more details about the
machine. Directly selecting a link within an item will send you to the corresponding page.
Related topics
View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
Manage Microsoft Defender Advanced Threat Protection alerts
Investigate Microsoft Defender Advanced Threat Protection alerts
Investigate a file associated with a Microsoft Defender ATP alert
Investigate machines in the Microsoft Defender ATP Machines list
Investigate an IP address associated with a Microsoft Defender ATP alert
Investigate a ___domain associated with a Microsoft Defender ATP alert
View and organize the Microsoft Defender ATP Machines list
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Machines list shows a list of the machines in your network where alerts were generated. By default, the
queue displays machines with alerts seen in the last 30 days.
At a glance you'll see information such as ___domain, risk level, OS platform, and other details for easy identification
of machines most at risk.
There are several options you can choose from to customize the machines list view. On the top navigation you can:
Add or remove columns
Export the entire list in CSV format
Select the number of items to show per page
Apply filters
During the onboarding process, the Machines list is gradually populated with machines as they begin to report
sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete
endpoint list as a CSV file for offline analysis.
NOTE
The exported CSV contains every machine in your organization, regardless of any filtering applied in the view itself.
It might take a significant amount of time to download, depending on how large your organization is.
Related topics
Investigate machines in the Microsoft Defender ATP Machines list
Create and manage machine tags
12/30/2019 • 2 minutes to read
Add tags on machines to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
Tags can be used as a filter in Machines list view, or to group machines. For more information on machine
grouping, see Create and manage machine groups.
You can add tags on machines using the following ways:
Using the portal
Setting a registry key value
NOTE
There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine
page.
To add machine tags using API, see Add or remove machine tags API.
NOTE
Filtering might not work on tag names that contain parentheses.
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (REG_SZ): Group
Registry key data: Name of the tag you want to set
NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to
restart the endpoint that would transfer a new machine information report.
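An added PowerShell example, not from this documentation, that writes the registry value described above and reads it back, checking that the value type is the documented REG_SZ. The tag name Finance-Workstations is a placeholder.

```powershell
# Added example, not code from the Microsoft Defender ATP documentation.
# Writes the DeviceTagging registry value described above and reads it back.
# Run in an elevated PowerShell session on the endpoint; the tag reaches the
# portal with the next daily machine information report or after a restart.

$TagKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Set-MdatpDeviceTag {
    param([Parameter(Mandatory)][string]$Tag)
    # The machines list filter might not match tags containing parentheses.
    if ($Tag -match '[()]') {
        Write-Warning "Tag '$Tag' contains parentheses; filtering on it might not work."
    }
    if (-not (Test-Path $TagKey)) {
        New-Item -Path $TagKey -Force | Out-Null
    }
    # Value name "Group", type REG_SZ (String), data is the tag text.
    New-ItemProperty -Path $TagKey -Name 'Group' -PropertyType String `
        -Value $Tag -Force | Out-Null
}

function Get-MdatpDeviceTag {
    $item = Get-ItemProperty -Path $TagKey -Name 'Group' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value not present
    # The documented type is REG_SZ; warn if something else was written by hand.
    $kind = (Get-Item -Path $TagKey).GetValueKind('Group')
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
        Write-Warning "Group value type is $kind; expected String (REG_SZ)."
    }
    return $item.Group
}

# Usage (tag name is a placeholder):
Set-MdatpDeviceTag -Tag 'Finance-Workstations'
Get-MdatpDeviceTag
```

Because the registry path is under Policies, the same value can be delivered at scale through Group Policy Preferences or a configuration management tool rather than run by hand on each endpoint.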
Take response actions on a machine
12/4/2019 • 10 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as machine isolation) depend on third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns: Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP), to help identify an attacker's persistence on the machine.
NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.”
Installed programs: This .CSV file contains the list of installed programs, which can help identify what is currently installed on the machine. For more information, see Win32_Product class.
Network connections: This folder contains a set of data points related to connectivity information, which can help identify connectivity to suspicious URLs, attacker command and control (C&C) infrastructure, lateral movement, or remote connections.
- ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.
Scheduled tasks: Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen machine and to look for suspicious code that was set to run automatically.
Security event log: Contains the security event log, which holds records of logon and logoff activity and other security-related events specified by the system's audit policy.
NOTE: Open the event log file using Event Viewer.
Services: Contains a .CSV file that lists services and their states.
Windows Server Message Block (SMB) sessions: Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession.
Temp Directories: Contains a set of text files that list the files located in %Temp% for every user on the system. This can help track suspicious files that an attacker may have dropped on the system.
Users and Groups: Provides a list of files that each represent a group and its members.
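A triage pass over the Network connections folder described in the table, as an added example that is not part of the Microsoft Defender ATP documentation. It assumes ActiveNetConnections.txt is netstat-style text with Proto, Local Address, Foreign Address, State and PID columns (that layout is an assumption; the page only says the file displays protocol statistics and current TCP/IP connections). The input is a constructed sample embedded in the block so it runs offline, and the function names are hypothetical. It surfaces the two things the table says the folder is for: established connections to addresses outside the private ranges (possible C&C or remote connections, grouped by owning process) and established connections to SMB, RDP and WinRM ports on internal hosts (possible lateral movement).

```powershell
# Added example, not from the Microsoft Defender ATP docs. Assumes ActiveNetConnections.txt
# in the investigation package is netstat-style output with a PID column (assumption).
# $SampleNetConnections is a constructed sample standing in for the real file.
$SampleNetConnections = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.15:49712        10.0.0.5:445           ESTABLISHED     4
  TCP    10.0.0.15:49801        203.0.113.77:443       ESTABLISHED     5120
  TCP    10.0.0.15:49810        198.51.100.9:8080      ESTABLISHED     5120
  TCP    10.0.0.15:135          0.0.0.0:0              LISTENING       912
  TCP    10.0.0.15:49850        10.0.0.23:3389         ESTABLISHED     6644
  UDP    10.0.0.15:5353         *:*                                    1404
'@

function ConvertFrom-NetConnectionText {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # Only TCP rows carry a State column; header lines and UDP rows are skipped.
        if ($line -match '^\s*(TCP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Proto  = $Matches[1]
                Local  = $Matches[2]
                Remote = $Matches[3]
                State  = $Matches[4]
                PID    = [int]$Matches[5]
            }
        }
    }
}

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    # RFC 1918 ranges plus loopback and the unspecified address.
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|0\.0\.0\.0$)'
}

function Get-ExternalEstablishedConnections {
    # Established connections whose peer is not a private address, grouped by process.
    param([Parameter(Mandatory)][string]$Text)
    ConvertFrom-NetConnectionText -Text $Text |
        Where-Object { $_.State -eq 'ESTABLISHED' } |
        Where-Object { -not (Test-PrivateIPv4 -Address ($_.Remote -replace ':\d+$', '')) } |
        Group-Object PID |
        ForEach-Object {
            [pscustomobject]@{
                PID     = [int]$_.Name
                Count   = $_.Count
                Remotes = ($_.Group.Remote -join ', ')
            }
        }
}

function Get-LateralMovementCandidates {
    # Established connections from this host to admin/remoting ports on internal peers.
    param([Parameter(Mandatory)][string]$Text)
    $adminPorts = @('445', '3389', '5985', '5986')   # SMB, RDP, WinRM (HTTP/HTTPS)
    ConvertFrom-NetConnectionText -Text $Text |
        Where-Object {
            $_.State -eq 'ESTABLISHED' -and
            $adminPorts -contains ($_.Remote -split ':')[-1] -and
            (Test-PrivateIPv4 -Address ($_.Remote -replace ':\d+$', ''))
        }
}

# Usage: replace the sample with
#   Get-Content -Raw '<package>\Network connections\ActiveNetConnections.txt'
Get-ExternalEstablishedConnections -Text $SampleNetConnections | Format-Table -AutoSize
Get-LateralMovementCandidates   -Text $SampleNetConnections | Format-Table -AutoSize
```

On the constructed sample the first function reports PID 5120 with two external peers, and the second reports the connections to 10.0.0.5:445 and 10.0.0.23:3389. The PIDs are only meaningful together with the process list captured at the same time, since a PID is reused after the process exits; treat the output as a starting point for the machine timeline, not as a verdict.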
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
Once you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that
a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft-issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change
to say Remove app restrictions, and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm. The
Action center will show the scan information and the machine timeline will include a new event.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (also known as 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say
Release from isolation, and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm. The Action
center will show the scan information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the
machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetConnections.txt – Displays protocol statistics and
current TCP/IP network connections. Provides the ability to
look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains a .CSV file which lists services and their states.
FOLDER DESCRIPTION
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
One you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that
a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change
to say Remove app restrictions, and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm. The
Action center will show the scan information and the machine timeline will include a new event.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say
Release from isolation, and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm. The Action
center will show the scan information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the
machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetConnections.txt – Displays protocol statistics and
current TCP/IP network connections. Provides the ability to
look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains a .CSV file which lists services and their states.
FOLDER DESCRIPTION
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
One you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that
a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change
to say Remove app restrictions, and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm. The
Action center will show the scan information and the machine timeline will include a new event.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say
Release from isolation, and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm. The Action
center will show the scan information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the
machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetConnections.txt – Displays protocol statistics and
current TCP/IP network connections. Provides the ability to
look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains a .CSV file which lists services and their states.
FOLDER DESCRIPTION
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
One you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that
a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change
to say Remove app restrictions, and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm. The
Action center will show the scan information and the machine timeline will include a new event.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted
from running:
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also
choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say
Release from isolation, and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm. The Action
center will show the scan information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the
machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
2. In the Action center fly-out, select Package collection package available to download the zip file.
The package contains the following folders:
FOLDER DESCRIPTION
Autoruns Contains a set of files that each represent the content of the
registry of a known auto start entry point (ASEP) to help
identify attacker’s persistency on the machine.
NOTE: If the registry key is not found, the file will contain the
following message: “ERROR: The system was unable to find the
specified registry key or value.”
Installed programs This .CSV file contains the list of installed programs that can
help identify what is currently installed on the machine. For
more information, see Win32_Product class.
FOLDER DESCRIPTION
Network connections This folder contains a set of data points related to the
connectivity information which can help in identifying
connectivity to suspicious URLs, attacker’s command and
control (C&C) infrastructure, any lateral movement, or remote
connections.
- ActiveNetConnections.txt – Displays protocol statistics and
current TCP/IP network connections. Provides the ability to
look for suspicious connectivity made by a process.
Scheduled tasks Contains a .CSV file listing the scheduled tasks which can be
used to identify routines performed automatically on a chosen
machine to look for suspicious code which was set to run
automatically.
Security event log Contains the security event log which contains records of login
or logout activity, or other security-related events specified by
the system's audit policy.
NOTE: Open the event log file using Event viewer.
Services Contains a .CSV file which lists services and their states.
FOLDER DESCRIPTION
Windows Server Message Block (SMB) sessions Lists shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network.
This can help identify data exfiltration or lateral movement.
Contains files for SMBInboundSessions and
SMBOutboundSession.
Temp Directories Contains a set of text files that lists the files located in
%Temp% for every user in the system.
This can help to track suspicious files that an attacker may
have dropped on the system.
Users and Groups Provides a list of files that each represent a group and its
members.
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows
Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information,
see Windows Defender Antivirus compatibility.
One you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting that
a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced
during the scan.
Restrict app execution
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft-issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
NOTE
You'll be able to reverse the restriction of applications from running at any time. The button on the machine page will change to say Remove app restrictions, and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm. The Action center will show the scan information and the machine timeline will include a new event.
Notification on machine user:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
Isolate machines from the network
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a. 'Selective Isolation').
NOTE
You'll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say Release from isolation, and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm. The Action center will show the scan information and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking
action on machines, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Manage tags
Initiate Automated Investigation
Initiate Live Response Session
Collect investigation package
Run antivirus scan
Restrict app execution
Isolate machine
Consult a threat expert
Action center
You can find machine pages from any of the following views:
Security operations dashboard - Select a machine name from the Machines at risk card.
Alerts queue - Select the machine name beside the machine icon from the alerts queue.
Machines list - Select the heading of the machine name from the machines list.
Search box - Select Machine from the drop-down menu and enter the machine name.
IMPORTANT
These response actions are only available for machines on Windows 10, version 1703 or later.
For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party
capabilities.
Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see Create and manage machine tags.
Collect investigation package
1. Select Collect investigation package from the row of response actions at the top of the machine page.
2. In the Action center fly-out, select Package collection package available to download the .zip file.
The package contains the following folders:
Folder | Description
Autoruns | Contains a set of files, each representing the registry content of a known auto-start entry point (ASEP), to help identify the attacker's persistence on the machine. NOTE: If the registry key is not found, the file contains the message "ERROR: The system was unable to find the specified registry key or value."
Installed programs | A .CSV file listing the installed programs, to help identify what is currently installed on the machine. For more information, see Win32_Product class.
Network connections | A set of data points about connectivity, to help identify connections to suspicious URLs, the attacker's command and control (C&C) infrastructure, lateral movement, or remote connections. ActiveNetConnections.txt displays protocol statistics and current TCP/IP network connections, so you can look for suspicious connections made by a process.
Scheduled tasks | A .CSV file listing the scheduled tasks, to identify routines that run automatically on the machine and to look for suspicious code set to run automatically.
Security event log | The security event log, which records logon and logoff activity and other security-related events specified by the system's audit policy. NOTE: Open the event log file with Event Viewer.
Services | A .CSV file listing services and their states.
Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports, and miscellaneous communications between nodes on the network, which can help identify data exfiltration or lateral movement. Contains files for SMBInboundSessions and SMBOutboundSession.
Temp directories | A set of text files listing the files in %Temp% for every user on the system, to help track suspicious files an attacker may have dropped.
Users and groups | A set of files, each representing a group and its members.
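The following is an added example, not code from the Microsoft Defender ATP documentation or product: a small Python triage script for the ActiveNetConnections.txt file in the Network connections folder. It assumes the file is the usual netstat -ano layout (the page does not state the exact format), uses a constructed sample in place of a real file, and lists, per PID, the established TCP sessions to addresses outside an explicit set of internal ranges, so they can be cross-checked against the process named in the alert.

```python
"""Triage ActiveNetConnections.txt from a collected investigation package.

Added example; it is not part of the Microsoft Defender ATP documentation or product.
It assumes the file holds standard `netstat -ano` output (Proto, Local Address,
Foreign Address, State, PID), and the sample below is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed sample in netstat -ano layout, as ActiveNetConnections.txt would hold it.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49712         10.0.0.20:445          ESTABLISHED     4
  TCP    10.0.0.5:49801         203.0.113.7:443        ESTABLISHED     5120
  TCP    10.0.0.5:49802         203.0.113.7:8443       ESTABLISHED     5120
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     1844
  TCP    [::1]:49680            [::1]:49681            ESTABLISHED     1844
  TCP    [fe80::1%12]:49690     [2001:db8::10]:4444    ESTABLISHED     7004
  UDP    0.0.0.0:5355           *:*                                    1288
"""

# Ranges treated as "inside the network" for this triage (an assumption to adjust per
# environment). The list is explicit rather than relying on ipaddress.is_private, which
# also covers the documentation ranges (203.0.113.0/24, 2001:db8::/32) used above.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]


def split_endpoint(endpoint: str) -> tuple[str, str]:
    """Split 'host:port'; IPv6 is bracketed, e.g. '[fe80::1%12]:49690'."""
    if endpoint.startswith("["):
        host, _, port = endpoint[1:].rpartition("]:")
        return host, port
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_external(host: str) -> bool:
    """True when the address parses and lies outside INTERNAL_NETWORKS."""
    try:
        ip = ipaddress.ip_address(host.split("%", 1)[0])  # drop an IPv6 zone id
    except ValueError:  # '*', empty, or a hostname
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_netstat(text: str) -> list[dict]:
    """Parse netstat -ano rows; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner and column-header lines
        if len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        rhost, rport = split_endpoint(foreign)
        rows.append({"proto": proto, "local": local, "remote_host": rhost,
                     "remote_port": rport, "state": state, "pid": int(pid)})
    return rows


def external_connections(text: str) -> dict[int, list[tuple[str, str]]]:
    """PID -> [(remote host, port)] for established TCP sessions to external hosts."""
    by_pid: dict[int, list[tuple[str, str]]] = defaultdict(list)
    for row in parse_netstat(text):
        if (row["proto"] == "TCP" and row["state"] == "ESTABLISHED"
                and is_external(row["remote_host"])):
            by_pid[row["pid"]].append((row["remote_host"], row["remote_port"]))
    return dict(by_pid)


if __name__ == "__main__":
    for pid, peers in sorted(external_connections(SAMPLE).items()):
        print(pid, peers)
```

To run it against a real package, read the file with open(path).read() in place of SAMPLE. Internal-to-internal sessions such as the SMB connection to 10.0.0.20:445 are deliberately left out of this view even though they can be lateral movement; check those against the SMB sessions folder instead.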
Run antivirus scan
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether
Windows Defender AV is the active antivirus solution or not; Windows Defender AV can be in passive mode. For more
information, see Windows Defender Antivirus compatibility.
Once you have selected Run antivirus scan, select the scan type that you'd like to run (quick or full) and add a
comment before confirming the scan.
The Action center will show the scan information and the machine timeline will include a new event, reflecting
that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that
surfaced during the scan.
Restrict app execution
IMPORTANT
This action is available for machines on Windows 10, version 1709 or later.
This feature is available if your organization uses Windows Defender Antivirus.
This action needs to meet the Windows Defender Application Control code integrity policy formats and signing
requirements. For more information, see Code integrity policy formats and signing.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are
signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling
compromised machines and performing further malicious activities.
NOTE
You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will
change to say Remove app restrictions, and then you take the same steps as restricting app execution.
Once you have selected Restrict app execution on the machine page, type a comment and select Confirm.
The Action center will show the status of the action, and the machine timeline will include a new event.
Notification on machine user:
When an app is restricted, a notification is displayed on the machine to inform the user that an app is being
restricted from running.
Isolate machines from the network
IMPORTANT
Full isolation is available for machines on Windows 10, version 1703 or later.
Selective isolation is available for machines on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining
connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can
also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
NOTE
You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to
say Release from isolation, and then you take the same steps as isolating the machine.
Once you have selected Isolate machine on the machine page, type a comment and select Confirm. The
Action center will show the status of the action, and the machine timeline will include a new event.
NOTE
The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've
chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while
the machine is isolated.
Take response actions on a file
12/10/2019
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page. The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE) and non-PE files (☑ = permitted, X = not permitted):
Permission | PE files | Non-PE files
View data | X | X
Alerts investigation | ☑ | X
For more information on roles, see Create and manage roles for role-based access control.
Stop and quarantine files in your network
The Stop and Quarantine File action stops running processes, quarantines the files, and deletes persistent data,
such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that are widely used throughout an organization, a warning is shown before the action is implemented, to
validate that the operation is intended.
Restore file from quarantine
NOTE
Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
Add indicator to block or allow a file
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and cloud-based protection is enabled.
For more information, see Manage cloud-based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block action cannot take effect on a file if the file's classification already exists in the device's cache
from before the allow or block action was taken.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
Download file
When you select this action, a fly-out appears. In the fly-out, you can record a reason for downloading the file.
You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect
file button in the same ___location. If a file has not been seen in the organization in the past 30 days, Collect file will
be disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search for a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
NOTE
Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
re-submit files for deep analysis to get fresh data on the file.
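Both the Add indicator action described above and deep analysis submission accept PE files only (.exe and .dll), and a file indicator is keyed on the file's hash. The following added example, which is not part of the Microsoft Defender ATP documentation or product, checks a file's bytes for a valid PE signature rather than trusting its extension, tells an EXE from a DLL using the COFF Characteristics flag, and computes the SHA-1 and SHA-256 hashes; the PE images it builds are constructed header-only stand-ins, not real binaries.

```python
"""Pre-flight check for a file before adding a hash indicator or submitting it for deep analysis.

Added example; it is not part of the Microsoft Defender ATP documentation or product.
It verifies the PE signature in the bytes rather than trusting the extension, reports
whether the image is an EXE or a DLL, and computes the hashes an indicator is keyed on.
The byte strings built by build_fake_pe are constructed header-only stand-ins.
"""
from __future__ import annotations

import hashlib
import struct

IMAGE_FILE_DLL = 0x2000  # COFF FileHeader.Characteristics flag


def is_pe(data: bytes) -> bool:
    """MZ at offset 0, e_lfanew at 0x3C, 'PE\\0\\0' followed by a full 20-byte COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_kind(data: bytes) -> str:
    """'dll' or 'exe' from the Characteristics field; call only on data that passed is_pe."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def file_hashes(data: bytes) -> dict[str, str]:
    """SHA-1 and SHA-256 of the whole file, the values a file indicator is created from."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def indicator_candidate(name: str, data: bytes) -> dict:
    """Hashes for a file that qualifies, or the reason it does not."""
    if not is_pe(data):
        return {"file": name, "eligible": False,
                "reason": "not a PE file (no MZ/PE signature)"}
    return {"file": name, "eligible": True, "kind": pe_kind(data), **file_hashes(data)}


def build_fake_pe(dll: bool) -> bytes:
    """Constructed: a header-only PE (not loadable) that satisfies the checks above."""
    e_lfanew = 0x80
    img = bytearray(e_lfanew + 24)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    struct.pack_into("<H", img, e_lfanew + 4, 0x8664)  # Machine: AMD64
    chars = 0x0022 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    struct.pack_into("<H", img, e_lfanew + 22, chars)
    return bytes(img)


if __name__ == "__main__":
    for name, blob in (("tool.exe", build_fake_pe(False)),
                       ("helper.dll", build_fake_pe(True)),
                       ("script.ps1", b"Write-Host 'constructed, not a PE'")):
        print(indicator_candidate(name, blob))
```

Pass the bytes of a real sample as data. Files that fail is_pe (scripts, documents, archives) cannot be blocked with a file indicator or submitted for deep analysis, whatever their extension says, so this check is worth running before the portal action rather than after it is rejected.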
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
12/10/2019 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page. The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE ) and non-PE files:
View data X X
Alerts investigation ☑ X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.
For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect
file button in the same ___location. If a file has not been seen in the organization in the past 30 days, Collect file will
be disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact [email protected].
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
12/10/2019 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page. The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE ) and non-PE files:
View data X X
Alerts investigation ☑ X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.
For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect
file button in the same ___location. If a file has not been seen in the organization in the past 30 days, Collect file will
be disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and then wait for the Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search for a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
NOTE
Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection fails and the operation aborts if no online Windows 10 machine is reporting the file at that time. You can
resubmit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact [email protected].
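Deep analysis and the block/allow indicator both accept only PE files, and a file that is merely named .exe is not one. The following PowerShell function is an added example, not code from this page or from Microsoft: it validates a sample's PE headers locally before you click Submit, and computes its SHA-256. The sample path is constructed for illustration, and searching the portal by hash (rather than by the file name the steps above mention) is an assumption added here.

```powershell
# Added example (not from the page): before submitting a sample, confirm it is a portable
# executable, since deep analysis only accepts PE files (.exe, .dll). The check reads the
# DOS header ("MZ"), follows e_lfanew at offset 0x3C, and looks for the "PE\0\0" signature.
# The SHA-256 is computed as well; searching the portal by hash is an assumption here.
function Test-PortableExecutable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Need the full 64-byte DOS header to read e_lfanew at 0x3C.
    if ($bytes.Length -lt 0x40) { return $false }
    if ($bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }              # 'MZ'
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or ($peOffset + 4) -gt $bytes.Length) { return $false }  # e_lfanew out of range
    return ($bytes[$peOffset]     -eq 0x50 -and   # 'P'
            $bytes[$peOffset + 1] -eq 0x45 -and   # 'E'
            $bytes[$peOffset + 2] -eq 0x00 -and
            $bytes[$peOffset + 3] -eq 0x00)
}

# Usage: a constructed sample path, not from the page. The extension alone is not enough; a
# renamed script or archive called .exe fails this check and will be rejected by the sandbox too.
$sample = 'C:\Samples\suspect.exe'
if (Test-PortableExecutable -Path $sample) {
    $sha256 = (Get-FileHash -LiteralPath $sample -Algorithm SHA256).Hash
    Write-Host "PE file; SHA-256 $sha256 identifies it in the portal"
} else {
    Write-Warning "$sample is not a PE file (or does not exist); deep analysis will not accept it."
}
```

Run the check on the collected copy of the sample, not on a file you have re-saved or unpacked yourself, so the hash you search for matches what the machine timeline recorded.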
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
12/10/2019 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page. The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE ) and non-PE files:
View data X X
Alerts investigation ☑ X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.
For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect
file button in the same ___location. If a file has not been seen in the organization in the past 30 days, Collect file will
be disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact [email protected].
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
12/10/2019 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page. The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE ) and non-PE files:
View data X X
Alerts investigation ☑ X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.
For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect
file button in the same ___location. If a file has not been seen in the organization in the past 30 days, Collect file will
be disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact [email protected].
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
12/10/2019 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page. The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE ) and non-PE files:
View data X X
Alerts investigation ☑ X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.
For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect
file button in the same ___location. If a file has not been seen in the organization in the past 30 days, Collect file will
be disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization
section
Search box - select File from the drop–down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
Note Only PE files are supported, including .exe and .dll files
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–
submit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact [email protected].
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
12/10/2019 • 11 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files,
you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new
and old page layouts by toggling new File page. The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete,
you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep
analysis and read past reports by selecting the Deep analysis tab. It's located below the file information cards.
Some actions require certain permissions. The following table describes what action certain permissions can take
on portable executable (PE ) and non-PE files:
View data X X
Alerts investigation ☑ X
For more information on roles, see Create and manage roles for role-based access control.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last
30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that widely used throughout an organization, a warning is shown before an action is implemented, to
validate that the operation is intended.
NOTE
Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled.
For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the
web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over
time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the
allow or block action.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect
file button in the same ___location. If a file has not been seen in the organization in the past 30 days, Collect file will
be disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that
are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich
the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results
show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications,
and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE ) files
(including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to
display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for
any other reason where you suspect malicious behavior. This feature is available within the Deep analysis tab, on
the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not observed on
a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between
file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication
to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
NOTE
Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the
report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
resubmit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with Group
Policy.
6. If these steps do not resolve the issue, contact [email protected].
Related topics
Take response actions on a machine
Investigate files
Take response actions on a file
12/10/2019 • 11 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on
files, you can check activity details in the Action center.
Response actions are available on a file's detailed profile page. Once on this page, you can switch between the
new and old page layouts by toggling new File page. The rest of this article describes the newer page layout.
Response actions run along the top of the file page, and include:
Stop and Quarantine File
Add Indicator
Download file
Consult a threat expert
Action center
You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is
complete, you'll get a detailed report that provides information about the behavior of the file. You can submit
files for deep analysis and read past reports by selecting the Deep analysis tab. It's located below the file
information cards.
Some actions require certain permissions. The following table describes what action certain permissions can
take on portable executable (PE) and non-PE files:
PERMISSION              PE FILES    NON-PE FILES
View data               X           X
Alerts investigation    ☑           X
For more information on roles, see Create and manage roles for role-based access control.
IMPORTANT
You can only take this action if:
The machine you're taking the action on is running Windows 10, version 1703 or later
The file is not from a trusted third-party publisher or signed by Microsoft
Windows Defender Antivirus must at least be running in Passive mode. For more information, see Windows Defender
Antivirus compatibility.
The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting
persistent data, such as any registry keys.
This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the
last 30 days.
NOTE
You’ll be able to restore the file from quarantine at any time.
NOTE
The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of
machines, see Add indicator to block or allow file.
In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
For files that are widely used throughout an organization, a warning is shown before the action is carried out, to
confirm that the operation is intended.
NOTE
Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days.
IMPORTANT
This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is
enabled. For more information, see Manage cloud-based protection.
The Antimalware client version must be 4.18.1901.x or later.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from
the web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be
extended over time.
This response action is available for machines on Windows 10, version 1703 or later.
The allow or block action cannot be applied to a file if the file's classification was already present in the device's
cache before the allow or block action was taken.
NOTE
The PE file needs to be in the machine timeline for you to be able to take this action.
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are
downloading the file. You can also set a password to open the file.
If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a Collect
file button in the same ___location. If a file has not been seen in the organization in the past 30 days, Collect file
will be disabled.
Deep analysis
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files
that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To
enrich the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis
results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry
modifications, and communication with IPs. Deep analysis currently supports extensive analysis of portable
executable (PE) files (including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will
update to display the date and time of the latest results available, as well as a summary of the report itself.
The Deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity,
and observables, including contacted IPs and files created on the disk. If nothing was found, these sections will
simply display a brief message.
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate
alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or
for any other reason where you suspect malicious behavior. This feature is available within the Deep analysis
tab, on the file's profile page.
Submit for deep analysis is enabled when the file is available in the Microsoft Defender ATP backend sample
collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
NOTE
Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the Microsoft Security Center Portal if the file was not
observed on a Windows 10 machine, and wait for Submit for deep analysis button to become available.
NOTE
Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency
between file submission and availability of the deep analysis feature in Microsoft Defender ATP.
When the sample is collected, Microsoft Defender ATP runs the file in a secure environment and creates a
detailed report of observed behaviors and associated artifacts, such as files dropped on machines,
communication to IPs, and registry modifications.
Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the
following views:
Alerts - click the file links from the Description or Details in the Artifact timeline
Machines list - click the file links from the Description or Details in the Machine in organization section
Search box - select File from the drop-down menu and enter the file name
2. In the Deep analysis tab of the file view, click Submit.
NOTE
Only PE files are supported, including .exe and .dll files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view
the report when the analysis is done.
NOTE
Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The
collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can
resubmit files for deep analysis to get fresh data on the file.
5. Change the organizational unit through the Group Policy. For more information, see Configure with
Group Policy.
6. If these steps do not resolve the issue, contact [email protected].
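Deep analysis accepts only PE files, and when a sample is submitted manually (because it was never observed on a Windows 10 machine) it helps to confirm the file really is a PE image before waiting out the submission latency. The following PowerShell function is an added example and not part of the Microsoft Defender ATP documentation or product: Test-PortableExecutable is a hypothetical helper name, and the sample folder C:\Samples in the usage line is an assumption. It reads the DOS header, follows e_lfanew to the PE signature, reports whether the image is an .exe or a .dll (from the IMAGE_FILE_DLL characteristic rather than the extension), its target architecture, and its SHA256 so the analyst can match it against the file's profile page.

```powershell
# Added example (not Microsoft Defender ATP code): pre-check that a candidate file is a
# portable executable before submitting it for deep analysis.
# Test-PortableExecutable is a hypothetical helper name, not a product cmdlet.
function Test-PortableExecutable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $result = [ordered]@{
        Path    = $Path
        IsPE    = $false
        Kind    = 'not a PE file'
        Machine = $null
        Sha256  = $null
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Kind = 'file not found'
        return [pscustomobject]$result
    }

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # DOS header: 'MZ' magic at offset 0, e_lfanew (offset of the PE header) at 0x3C.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        return [pscustomobject]$result
    }
    $peOffset = [System.BitConverter]::ToInt32($bytes, 0x3C)

    # PE signature 'PE\0\0' followed by the 20-byte COFF file header must fit in the file.
    if ($peOffset -lt 0 -or ($peOffset + 24) -gt $bytes.Length) {
        return [pscustomobject]$result
    }
    if (-not ($bytes[$peOffset] -eq 0x50 -and $bytes[$peOffset + 1] -eq 0x45 -and
              $bytes[$peOffset + 2] -eq 0 -and $bytes[$peOffset + 3] -eq 0)) {
        return [pscustomobject]$result
    }

    # COFF header: Machine at +4, Characteristics at +22 (both 16-bit).
    $machine         = [System.BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $characteristics = [System.BitConverter]::ToUInt16($bytes, $peOffset + 22)

    $result.IsPE    = $true
    $result.Machine = switch ($machine) {
        0x14C  { 'x86' }
        0x8664 { 'x64' }
        0xAA64 { 'ARM64' }
        default { '0x{0:X4}' -f $machine }
    }
    # IMAGE_FILE_DLL (0x2000) tells a .dll from an .exe regardless of the file extension.
    $result.Kind   = if ($characteristics -band 0x2000) { 'DLL' } else { 'EXE' }
    $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]$result
}

# Usage: check a folder of collected samples (C:\Samples is an assumed path).
Get-ChildItem -LiteralPath 'C:\Samples' -File |
    ForEach-Object { Test-PortableExecutable -Path $_.FullName } |
    Format-Table -AutoSize
```

Files that come back with IsPE set to $false are the ones the Submit button would not be able to analyze; the SHA256 is the identity under which the file's page, and any past deep analysis report, can be found once the sample is available in the backend.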
Related topics
Take response actions on a machine
Investigate files
Investigate entities on machines using live response
12/24/2019 • 8 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Live response is a capability that gives you instantaneous access to a machine using a remote shell connection.
This gives you the power to do in-depth investigative work and take immediate response actions to promptly
contain identified threats in real time.
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send
suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
With live response, analysts will have the ability to:
Run basic and advanced commands to do investigative work
Download files such as malware samples and outcomes of PowerShell scripts
Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
Take or undo remediation actions
NOTE
Only users with manage security or global admin roles can edit these settings.
WARNING
Allowing the use of unsigned scripts may increase your exposure to threats.
Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If
you must use them, however, you'll need to enable the setting in the Advanced features settings page.
Ensure that you have the appropriate permissions
Only users who have been provisioned with the appropriate permissions can initiate a session. For more
information on role assignments, see Create and manage roles.
IMPORTANT
The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The
button is greyed out for users with only delegated permissions.
Depending on the role that's been granted to you, you can run basic or advanced live response
commands. User permissions are controlled by RBAC custom roles.
NOTE
Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later.
3. Launch the live response session by selecting Initiate live response session. A command console is
displayed. Wait while the session connects to the machine.
4. Use the built-in commands to do investigative work. For more information, see Live response
commands.
5. After completing your investigation, select Disconnect session, then select Confirm.
Advanced commands
The following commands are available for user roles that have been granted the ability to run advanced live
response commands. For more information on role assignments, see Create and manage roles.
COMMAND     DESCRIPTION
library     Lists files that were uploaded to the live response library.
putfile     Puts a file from the library to the machine. Files are saved in a working folder and are deleted when
            the machine restarts by default.
NOTE
There is a file size limit of 750 MB.
WARNING
Allowing the use of unsigned scripts may increase your exposure to threats.
When applying parameters to commands, note that parameters are handled based on a fixed order:
<command name> param1 param2
When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen
before providing the value:
<command name> -param2_name param2
When using commands that have prerequisite commands, you can use flags:
<command name> -type file -id <file path> - auto
or
remediate file <file path> - auto
Limitations
Live response is limited to 10 concurrent live response sessions
Large scale command execution is not supported
A user can only initiate one session at a time
A machine can only be in one session at a time
There is a file size limit of 750 MB when downloading files from a machine
Related topic
Live response command examples
Live response command examples
7/11/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Learn about common commands used in live response and see examples on how they are typically used.
Depending on the role that's been granted to you, you can run basic or advanced live response commands. For
more information on basic and advanced commands, see Investigate entities on machines using live response.
analyze
# Analyze the file malware.txt
analyze file c:\Users\user\Desktop\malware.txt
connections
# List active connections in json format using parameter name
connections -output json
dir
# List files and sub-folders in the current folder
dir
fileinfo
# Display information about a file
fileinfo C:\Windows\notepad.exe
findfile
# Find file by name
findfile test.txt
getfile
# Download a file from a machine
getfile c:\Users\user\Desktop\work.txt
NOTE
The following file types cannot be downloaded using this command from within Live Response:
Reparse point files
Sparse files
Empty files
Virtual files, or files that are not fully present locally
These file types are supported by PowerShell.
Use PowerShell as an alternative, if you have problems using this command from within Live Response.
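The note above lists the file kinds getfile refuses and points to PowerShell as the alternative, but from a console prompt it is not obvious which of those conditions applies to a given path. The following script is an added example, not part of the Microsoft documentation or the live response tool; Get-FileViaPowerShell.ps1 and its parameters are hypothetical names, and the bit values are the Win32 FILE_ATTRIBUTE_* constants. It is written to be uploaded to the live response library and run on the machine: it reports which of the listed attributes (reparse point, sparse, empty, not fully present locally) a file carries, records the link target and SHA256, and with -AsBase64 returns the content as JSON so it can be retrieved the PowerShell way. The argument syntax of the run command is not shown on this page, so the usage comment shows the local invocation only.

```powershell
# Added example (not Microsoft Defender ATP code). Get-FileViaPowerShell.ps1 is a
# hypothetical library script: explain why live response getfile refuses a path and,
# on request, return the content via PowerShell instead.
# Local usage:  .\Get-FileViaPowerShell.ps1 -Path C:\Temp\sample.bin -AsBase64
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,
    [switch]$AsBase64
)

# Win32 FILE_ATTRIBUTE_* bit values checked below.
$FILE_ATTRIBUTE_SPARSE_FILE           = 0x200
$FILE_ATTRIBUTE_REPARSE_POINT         = 0x400
$FILE_ATTRIBUTE_OFFLINE               = 0x1000
$FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x400000

$item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
if ($item.PSIsContainer) { throw "$Path is a directory, not a file." }
$attr = [int]$item.Attributes

# The conditions under which getfile cannot download a file, as listed in the note.
$reasons = @()
if ($attr -band $FILE_ATTRIBUTE_REPARSE_POINT) { $reasons += 'reparse point' }
if ($attr -band $FILE_ATTRIBUTE_SPARSE_FILE)   { $reasons += 'sparse file' }
if ($item.Length -eq 0)                        { $reasons += 'empty file' }
if (($attr -band $FILE_ATTRIBUTE_OFFLINE) -or ($attr -band $FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS)) {
    # Placeholder content (for example a cloud-backed file) that is not fully present locally.
    $reasons += 'not fully present locally'
}

$info = [ordered]@{
    Path           = $item.FullName
    Length         = $item.Length
    Attributes     = $item.Attributes.ToString()
    GetfileBlocked = ($reasons.Count -gt 0)
    Reasons        = ($reasons -join ', ')
    LinkTarget     = $null
    Sha256         = $null
}
# For symbolic links and junctions, record where the reparse point actually points.
if ($item.LinkType) { $info.LinkTarget = @($item.Target) -join ', ' }

if ($item.Length -gt 0) {
    $info.Sha256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
}

if ($AsBase64 -and $item.Length -gt 0) {
    # ReadAllBytes follows the reparse point and materialises sparse or recalled data,
    # which is why PowerShell succeeds where getfile does not.
    $info.ContentBase64 = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($item.FullName))
}

[pscustomobject]$info | ConvertTo-Json
```

Running the script without -AsBase64 first is the cheaper step: it tells the analyst whether getfile was refused for one of the documented reasons or for something else, and the SHA256 it records lets the retrieved content be matched to the file page in the portal afterwards.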
processes
# Show all processes
processes
putfile
# Upload file from library
putfile get-process-by-name.ps1
# Upload file from library, overwrite file if it exists
putfile get-process-by-name.ps1 -overwrite
registry
# Show information about the values in a registry key
registry HKEY_CURRENT_USER\Console
remediate
# Remediate file in specific path
remediate file c:\Users\user\Desktop\malware.exe
run
# Run PowerShell script from the library without arguments
run script.ps1
scheduledtasks
# Get all scheduled tasks
scheduledtasks
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility
on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts
generated can be challenging for a typical security operations team to individually address. To address this
challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly
reduce the volume of alerts that must be investigated individually.
The automated investigation feature leverages various inspection algorithms, and processes used by analysts
(such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This
significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats
and other high value initiatives. The Automated investigations list shows all the investigations that were
initiated automatically, and includes details, such as status, detection source, and when the investigation was
initiated.
TIP
Want to experience Microsoft Defender ATP? Sign up for a free trial.
NOTE
Currently, automated investigation only supports the following OS versions:
Windows Server 2019
Windows 10, version 1709 (OS Build 16299.1085 with KB4493441) or later
Windows 10, version 1803 (OS Build 17134.704 with KB4493464) or later
Later versions of Windows 10
IMPORTANT
Go to the Action center to get an aggregated view all pending actions and manage remediation actions. The Action
center also acts as an audit trail for all automated investigation actions.
LEVEL DESCRIPTION
Semi - require approval for any remediation: This is the default automation level.
Semi - require approval for non-temp folders remediation: An approval is required on files or executables that are
not in temporary folders.
Semi - require approval for core folders remediation: An approval is required on files or executables that are in
operating system directories such as the Windows folder and the Program Files folder.
Full - remediate threats automatically: All remediation actions are performed automatically.
TIP
For more information on how to configure these automation levels, see Create and manage machine groups.
The default machine group is configured for semi-automatic remediation. This means that any malicious entity
that calls for remediation requires an approval and the investigation is added to the Pending actions section.
This can be changed to fully automatic so that no user approval is needed.
When a pending action is approved, the entity is then remediated and this new state is reflected in the Entities
tab of the investigation.
Next step
Learn about the automated investigations dashboard
Learn about the automated investigations dashboard
12/26/2019 • 5 minutes to read
By default, the automated investigations list displays investigations initiated in the last week. You can also choose
to select other time ranges from the drop-down menu or specify a custom range.
NOTE
If your organization has implemented role-based access to manage portal access, only authorized users or user groups who
have permission to view the machine or machine group will be able to view the entire investigation.
Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the Export button, specify the number
of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your
preferred criteria.
Filters
You can use the following operations to customize the list of automated investigations displayed:
Triggering alert
The alert that initiated the automated investigation.
Status
An automated investigation can be in one of the following statuses:
STATUS DESCRIPTION
Waiting for machine: Investigation paused. The investigation will resume as soon as the machine is available.
Partially investigated: Entities directly related to the alert have been investigated. However, a problem stopped
the investigation of collateral entities.
Detection source
Source of the alert that initiated the automated investigation.
Threat
The category of threat detected during the automated investigation.
Tags
Filter using manually added tags that capture the context of an automated investigation.
Machines
You can filter the automated investigations list to zero in on a specific machine and see the other investigations
related to that machine.
Machine groups
Apply this filter to see specific machine groups that you might have created.
Comments
Filter the list to show only automated investigations that have comments, or only those that don't.
In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore,
the entire investigation was running for 29 minutes and 27 seconds.
The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for
example, the device might have disconnected from the network) or pending for approval.
From this view, you can also view and add comments and tags about the investigation.
Investigation page
The investigation page gives you a quick summary on the status, alert severity, category, and detection source.
You'll also have access to the following sections that help you see details of the investigation with finer granularity:
Investigation graph
Alerts
Machines
Evidence
Entities
Log
Pending actions
NOTE
The Pending actions tab is only displayed if there are actual pending actions.
NOTE
The Pending actions history tab is only displayed when an investigation is complete.
In any of these sections, you can customize columns to expand or limit the details shown in that section.
Investigation graph
The investigation graph provides a graphical representation of an automated investigation. All investigation
related information is simplified and arranged in specific sections. Clicking on any of the icons brings you to the
relevant section where you can view more information.
Alerts
Shows details such as a short description of the alert that initiated the automated investigation, severity, category,
the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is
assigned to.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is
ongoing.
Selecting an alert using the check box brings up the alert details pane, where you can open the alert page,
manage the alert by changing its status, and see alert details, automated investigation details, the related
machine, logged-on users, and comments and history.
Clicking on an alert title brings you to the alert page.
Machines
Shows details such as the machine name, IP address, group, users, operating system, remediation level,
investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If
10 or more machines are found during this expansion process from the same entity, then that expansion action will
require an approval and will be seen in the Pending actions view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information
such as machine details and logged-on users.
Clicking on a machine name brings you to the machine page.
Evidence
Shows details related to threats associated with this investigation.
Entities
Shows details about entities such as files, processes, services, drivers, and IP addresses. The table shows details
such as the number of entities that were analyzed, and how many were remediated, found suspicious, or determined
to be clean.
Log
Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type,
action, status, machine name, description of the action, comments entered by analysts who may have worked on
the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of
the action and input data.
Pending actions history
This tab is only displayed when an investigation is complete and shows all pending actions taken during the
investigation.
Pending actions
If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image.
When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page
from the navigation pane by going to Automated investigations > Action center. For more information, see
Action center.
Related topic
Investigate Microsoft Defender ATP alerts
Manage actions related to automated investigation and remediation
Manage actions related to automated investigation and remediation
12/6/2019 • 2 minutes to read
The Action center aggregates all investigations that require an action for an investigation to proceed or be
completed.
NOTE
The tab will only appear if there are pending actions for that category.
Related topics
Automated investigation and remediation
Learn about the automated investigations dashboard
Overview of Secure score in Microsoft Defender Security Center
8/23/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be
available for a few weeks.
The Secure score dashboard expands your visibility into the overall security posture of your organization. From
this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require
attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in
one place. From there you can take action based on the recommended configuration baselines.
IMPORTANT
This feature is available for machines on Windows 10, version 1703 or later.
Each Microsoft security control contributes up to 100 points to the score. The maximum possible score is the number
of supported Microsoft security controls (security control pillars) multiplied by the 100 points that each pillar can
contribute.
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by
Microsoft. For more information, see Introducing the Office 365 Secure Score.
In the example image, the total points for the security controls and Office 365 add up to 602 points.
You can set the baselines for calculating the security control scores on the Secure score dashboard through the
Settings. For more information, see Enable Secure score security controls.
Top recommendations
Reflects specific actions you can take to significantly increase the security stance of your organization and how
many points will be added to the secure score if you take the recommended action.
Improvement opportunities
Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the
gap between the perfect score and the current score for each control.
Clicking on the affected machines link at the top of the table takes you to the Machines list. The list is filtered to
reflect the list of machines where improvements can be made.
Within the tile, you can click on each control to see the recommended optimizations.
Clicking the link under the Misconfigured machines column opens up the Machines list with filters applied to
show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a
target collection and apply relevant policies using a management solution of your choice.
Related topic
Threat & Vulnerability Management
Threat & Vulnerability Management dashboard overview
Exposure score
Configuration score
Security recommendations
Remediation
Software inventory
Weaknesses
Scenarios
Threat analytics
Track and respond to emerging threats with threat analytics
7/3/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to quickly assess their
security posture, covering the impact of emerging threats and their organizational resilience.
Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and
outbreaks are identified. The reports help you assess the impact of threats to your environment and identify
actions that can contain them.
Select a threat on any of the overviews or on the table to view the report for that threat.
Organizational impact
Each report includes cards designed to provide information about the organizational impact of a threat:
Machines with alerts — shows the current number of distinct machines in your organization that have been
impacted by the threat. A machine is categorized as Active if there is at least one alert associated with that
threat and Resolved if all alerts associated with the threat on the machine have been resolved.
Machines with alerts over time — shows the number of distinct machines with Active and Resolved alerts
over time. The number of resolved alerts indicates how quickly your organization responds to alerts
associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
Organizational resilience
Each report also includes cards that provide an overview of how resilient your organization can be against a
given threat:
Mitigation status — shows the number of machines that have and have not applied mitigations for the
threat. Machines are considered mitigated if they have all the measurable mitigations in place.
Vulnerability patching status — shows the number of machines that have applied security updates or
patches that address vulnerabilities exploited by the threat.
Mitigation recommendations — lists specific actionable recommendations to improve your visibility into
the threat and increase your organizational resilience. This card lists only measurable mitigations along with
the number of machines that don't have these mitigations in place.
IMPORTANT
Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a machine has
applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts.
Even if all mitigations were measurable, they don't guarantee complete resilience. They reflect the best possible actions
needed to improve resiliency.
NOTE
Machines are counted as "unavailable" if they have been unable to transmit data to the service.
Proactively hunt for threats with advanced hunting
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You
can proactively inspect events in your network to locate interesting indicators and entities. The flexible access
to data facilitates unconstrained hunting for both known and potential threats.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to
check for and respond to various events and system states, including suspected breach activity and
misconfigured machines.
Get a feel for the language: Advanced hunting is based on the Kusto query language, supporting the same syntax and
operators. Start learning the query language by running your first query. See Query language overview.
Learn about custom detections: Understand how you can use advanced hunting queries to trigger alerts and apply
response actions automatically. See Custom detections overview.
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
Related topics
Learn the query language
Use shared queries
Understand the schema
Apply query best practices
Custom detections overview
Learn the advanced hunting query language
1/8/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Advanced hunting is based on the Kusto query language. You can use Kusto syntax and operators to construct
queries that locate information in the schema specifically structured for advanced hunting. To understand these
concepts better, run your first query.
The query itself will typically start with a table name followed by a series of elements, each introduced by a pipe
( | ). In this example, we start with the table name DeviceProcessEvents and add piped elements as needed.
Set the time range
The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow
as possible ensures that queries perform well, return manageable results, and don't time out.
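As an added example, not the query from the original page, here is a complete query built the way this section describes: the table name first, a time filter as the first piped element, then filters that narrow the result, a projection of the columns you want, and a cap on the number of rows. The file names and command-line terms are illustrative choices (they pick out PowerShell launches whose command line carries a common download primitive); the table and column names are those of the DeviceProcessEvents table in the advanced hunting schema.

```kql
// Added example query, not from the original page. Assumes the DeviceProcessEvents
// table and its Timestamp, DeviceName, FileName, ProcessCommandLine and
// InitiatingProcessFileName columns.
DeviceProcessEvents
// Time filter first: a narrow window keeps the query fast and the result small.
| where Timestamp > ago(7d)
// Identify the process by file name, case-insensitively (in~), not by command line.
| where FileName in~ ("powershell.exe", "powershell_ise.exe", "pwsh.exe")
// Token matches (has_any) are case-insensitive and tolerate quoting and spacing.
| where ProcessCommandLine has_any ("Net.WebClient", "DownloadFile", "DownloadString", "Invoke-WebRequest")
    or ProcessCommandLine contains "http:"
// Keep only the columns needed to triage a hit.
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
// Newest first, capped so a noisy environment does not flood the result pane.
| top 100 by Timestamp desc
```

Start with a window such as ago(1d) while exploring and widen it only when you need to; the time filter is what keeps the query cheap. The same query, with the top clause removed and Timestamp, DeviceId and ReportId projected, is the shape a custom detection rule expects.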
Click Run query to see the results. You can expand the screen view so you can focus on your hunting query
and the results.
To see a live example of these operators, run them from the Get started section of the advanced hunting page.
Related topics
Advanced hunting overview
Understand the schema
Apply query best practices
Use shared queries in advanced hunting
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Advanced hunting queries can be shared among users in the same organization. You can also find queries shared
publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write
queries from scratch.
2. Select Delete and confirm deletion. Or select Rename and provide a new name for the query.
Related topics
Advanced hunting overview
Learn the query language
Understand the advanced hunting schema
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The advanced hunting schema is made up of multiple tables that provide either event information or
information about machines and other entities. To effectively build queries that span multiple tables, you need
to understand the tables and the columns in the advanced hunting schema.
Schema tables
The following reference lists all the tables in the advanced hunting schema. Each table name links to a page
describing the column names for that table.
Table and column names are also listed within the Microsoft Defender Security Center, in the schema
representation on the advanced hunting screen.
Related topics
Advanced hunting overview
Learn the query language
AlertEvents
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The AlertEvents table in the advanced hunting schema contains information about alerts on Microsoft Defender
Security Center. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceFileEvents
1/7/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceFileEvents table in the advanced hunting schema contains information about file creation, modification,
and other file system events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceImageLoadEvents
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceImageLoadEvents table in the advanced hunting schema contains information about DLL loading events.
Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
DeviceLogonEvents
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceLogonEvents table in the advanced hunting schema contains information about user logons and other
authentication events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceInfo
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceInfo table in the advanced hunting schema contains information about machines in the organization,
including their OS version, active users, and computer name. Use this reference to construct queries that return
information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceNetworkInfo
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceNetworkInfo table in the advanced hunting schema contains information about networking
configuration of machines, including network adapters, IP and MAC addresses, and connected networks or
domains. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceEvents
1/7/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The miscellaneous device events or DeviceEvents table in the advanced hunting schema contains information
about various event types, including events triggered by security controls, such as Windows Defender Antivirus
and exploit protection. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceNetworkEvents
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceNetworkEvents table in the advanced hunting schema contains information about network connections
and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceProcessEvents
1/7/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceProcessEvents table in the advanced hunting schema contains information about process creation and
related events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceRegistryEvents
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The DeviceRegistryEvents table in the advanced hunting schema contains information about the creation and
modification of registry entries. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
DeviceTvmSoftwareInventoryVulnerabilities
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema contains the Threat &
Vulnerability Management inventory of software on your devices as well as any known vulnerabilities in these
software products. This table also includes operating system information, CVE IDs, and vulnerability severity
information. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
Overview of Threat & Vulnerability Management
DeviceTvmSoftwareVulnerabilitiesKB
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema contains the list of vulnerabilities
Threat & Vulnerability Management assesses devices for. Use this reference to construct queries that return
information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
DeviceTvmSecureConfigurationAssessment
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security
configuration from Threat & Vulnerability Management. Use this reference to check the latest assessment results
and determine whether devices are compliant.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
Overview of Threat & Vulnerability Management
DeviceTvmSecureConfigurationAssessmentKB
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema contains information about
the various secure configurations — such as whether a device has automatic updates on — checked by Threat &
Vulnerability Management. It also includes risk information, related industry benchmarks, and applicable MITRE
ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
Overview of Threat & Vulnerability Management
Advanced hunting query best practices
1/8/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
TIP
For more guidance on improving query performance, read Kusto query best practices.
The following example query finds processes that access more than 10 IP addresses over port 445 (SMB),
possibly scanning for file shares.
DeviceNetworkEvents
| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
| where RemoteIPCount > 10
The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime so that it looks at a single
process, without mixing multiple processes with the same process ID.
Queries with command lines
Command lines can vary. When applicable, filter on file names and do fuzzy matching.
There are numerous ways to construct a command line to accomplish a task. For example, an attacker could
reference an image file with or without a path, without a file extension, using environment variables, or with
quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
To create more durable queries using command lines, apply the following practices:
Identify the known processes (such as net.exe or psexec.exe) by matching on the filename fields, instead of
filtering on the command-line field.
When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments
in a certain order. Instead, use regular expressions or use multiple separate contains operators.
Use case-insensitive matches. For example, use =~, in~, and contains instead of ==, in, and contains_cs.
To mitigate DOS command-line obfuscation techniques, consider removing quotes, replacing commas with
spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS
obfuscation techniques that require other approaches, but these can help address the most common ones.
The following examples show various ways to construct a query that looks for the file net.exe to stop the Windows
Defender Firewall service:
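As an added example, not the original page's code, the following query applies those practices to that case. It assumes the DeviceProcessEvents table of the advanced hunting schema with its Timestamp, DeviceName, AccountName, FileName and ProcessCommandLine columns. MpsSvc is the service name behind the Windows Defender Firewall, and net.exe hands most commands to net1.exe, so both file names are matched.

```kql
// Added example: hunt for net.exe / net1.exe being used to stop the Windows
// Defender Firewall service (service name MpsSvc). Not the original page's query.
DeviceProcessEvents
| where Timestamp > ago(7d)
// Match the known binary by its file name, never by what the command line says.
| where FileName in~ ("net.exe", "net1.exe")
// Canonicalize the command line: drop quotes, turn commas into spaces, collapse
// runs of whitespace. 'net stop Mp"s"Svc' and 'net,stop,MpsSvc' both become
// 'net stop MpsSvc', so the simple obfuscations no longer break the match.
| extend CanonicalCommandLine = replace_regex(
      replace_regex(
          replace_regex(ProcessCommandLine, @'"', ''),
          @',', ' '),
      @'\s+', ' ')
// Case-insensitive token match in any order, instead of an exact string with
// the arguments in one fixed sequence.
| where CanonicalCommandLine has_all ("stop", "MpsSvc")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, CanonicalCommandLine
| order by Timestamp desc
```

The canonical form is computed per row, so this costs more than a plain has filter; that is why the file-name filter runs first and does most of the work. For a custom detection rule built from this query, add DeviceId and ReportId to the project list.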
Related topics
Advanced hunting overview
Learn the query language
Understand the schema
Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs
12/4/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Each event hub message in Azure Event Hubs contains a list of records.
Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs to
(you will only get events from your tenant), and the event in JSON format in a property called "properties".
For more information about the schema of Microsoft Defender ATP events, see Advanced Hunting overview.
{EventType}
| getschema
| project ColumnName, ColumnType
Related topics
Overview of Advanced Hunting
Microsoft Defender ATP streaming API
Stream Microsoft Defender ATP events to your Azure storage account
Azure Event Hubs documentation
Custom detections overview
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
With custom detections, you can proactively monitor for and respond to various events and system states,
including suspected breach activity and misconfigured machines. This is made possible by customizable detection
rules that automatically trigger alerts as well as response actions.
Custom detections work with Advanced hunting, which provides a powerful, flexible query language that covers a
broad set of event and system information from your network. You can set them to run at regular intervals,
generating alerts and taking response actions whenever there are matches.
Custom detections provide:
Alerts for rule-based detections built from advanced hunting queries
Automatic response actions that apply to files and machines
NOTE
To create and manage custom detections, your role needs to have the manage security settings permission.
Related topic
Create and manage custom detection rules
Advanced hunting overview
Create and manage custom detection rules
1/8/2020 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Custom detection rules built from Advanced hunting queries let you proactively monitor various events and
system states, including suspected breach activity and misconfigured machines. You can set them to run at regular
intervals, generating alerts and taking response actions whenever there are matches.
NOTE
To create and manage custom detections, your role needs to have the manage security settings permission.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| where count_ > 5
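To show what the query above computes, here is an added Python equivalent (not from the original page or from Microsoft) run over constructed DeviceEvents rows: it filters to AntivirusDetection events in the last seven days, groups by DeviceId, keeps the Timestamp and ReportId of the latest matching event (the arg_max) together with the per-device count, and returns only devices with more than five detections. The sample rows, device names and report IDs are constructed; the column name count_ mirrors the name KQL gives the unnamed count() aggregate.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is deterministic.
NOW = datetime(2020, 1, 8, 12, 0, tzinfo=timezone.utc)


def _row(days_ago, device, action, report_id):
    """Build one constructed DeviceEvents row with just the columns the query uses."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "DeviceId": device,
        "ActionType": action,
        "ReportId": report_id,
    }


# Constructed sample telemetry (not real data), chosen to exercise each edge:
SAMPLE_EVENTS = (
    # device-a: six detections inside the window -> matches (6 > 5)
    [_row(d, "device-a", "AntivirusDetection", 100 + d) for d in (1, 2, 3, 4, 5, 6)]
    # device-b: exactly five detections -> does not match (5 is not > 5)
    + [_row(d, "device-b", "AntivirusDetection", 200 + d) for d in (1, 2, 3, 4, 5)]
    # device-c: many detections, all older than seven days -> outside the window
    + [_row(d, "device-c", "AntivirusDetection", 300 + d) for d in (8, 9, 10, 11, 12, 13)]
    # device-a: a different ActionType is not counted
    + [_row(1, "device-a", "ProcessCreated", 999)]
)


def noisy_av_devices(events, now=NOW, window=timedelta(days=7), threshold=5):
    """Python equivalent of the custom detection query above.

    Returns one dict per DeviceId with more than `threshold` AntivirusDetection
    events in the last `window`.  Timestamp and ReportId come from the latest
    matching event (KQL arg_max), because a custom detection rule must return
    Timestamp, DeviceId and ReportId so the alert can be tied to one concrete
    event.
    """
    cutoff = now - window
    per_device = {}
    for ev in events:
        # Timestamp > ago(7d) and ActionType == "AntivirusDetection"
        if ev["Timestamp"] <= cutoff or ev["ActionType"] != "AntivirusDetection":
            continue
        bucket = per_device.setdefault(ev["DeviceId"], {"count_": 0, "latest": None})
        bucket["count_"] += 1
        # arg_max(Timestamp, ReportId): remember the most recent event per device
        if bucket["latest"] is None or ev["Timestamp"] > bucket["latest"]["Timestamp"]:
            bucket["latest"] = ev

    results = []
    for device_id, bucket in per_device.items():
        if bucket["count_"] > threshold:  # where count_ > 5
            results.append({
                "DeviceId": device_id,
                "Timestamp": bucket["latest"]["Timestamp"],
                "ReportId": bucket["latest"]["ReportId"],
                "count_": bucket["count_"],
            })
    return results


if __name__ == "__main__":
    for hit in noisy_av_devices(SAMPLE_EVENTS):
        print(hit)
```

Lowering the threshold or widening the window changes which devices surface; device-b shows why the strict comparison matters when you tune a rule, and device-c shows why the time filter comes before the aggregation rather than after it.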
TIP
To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
Related topic
Custom detections overview
Advanced hunting overview
Learn the advanced hunting query language
View and organize alerts
Overview of management and APIs
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform.
Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with
flexibility and granular control to fit varying customer requirements.
Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client
machines and Azure Security Center for server machines, providing complete end-to-end experience of
configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other
third-party tools used for machines management.
Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do
through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security team
structure:
Globally distributed organizations and security teams
Tiered model security operations teams
Fully segregated divisions with a single centralized global security operations team
The Microsoft Defender ATP solution is built on top of an integration-ready platform:
It supports integration with a number of security information and event management (SIEM) solutions and
also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution.
It supports a rich set of application programming interfaces (APIs), providing flexibility for those who are already
heavily invested in data enrichment and automation:
Enriching events coming from other security systems with footprint or prevalence information
Triggering file or machine level response actions through APIs
Keeping systems in sync, such as importing machine tags from asset management systems into
Microsoft Defender ATP, or synchronizing alert and incident status across ticketing systems and Microsoft
Defender ATP.
An important aspect of machine management is the ability to analyze the environment from varying and broad
perspectives. This often helps drive new insights and proper priority identification:
The Secure score dashboard provides a metrics-based method of prioritizing the most important proactive
security measures.
Microsoft Defender ATP includes a built-in Power BI-based reporting solution to quickly review trends and
details related to Microsoft Defender ATP alerts and the secure score of machines. The platform also supports full
customization of the reports, including combining Microsoft Defender ATP data with your own data streams to
produce business-specific reports.
In this section
TOPIC DESCRIPTION
Understand threat intelligence concepts - Learn about alert definitions, indicators of compromise, and other threat intelligence concepts.
Managed security service provider - Get a quick overview on managed security service provider support.
Related topics
Onboard machines
Enable the custom threat intelligence application
Microsoft Defender ATP Public API
Pull alerts to your SIEM tools
Create and build Power BI reports using Microsoft Defender ATP data
Role-based access control
Understand threat intelligence concepts
12/11/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Advanced cybersecurity attacks comprise multiple complex malicious events, attributes, and contextual
information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your
knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when
to call an observed behavior suspicious.
With Microsoft Defender ATP, you can create custom threat alerts that help you keep track of possible attack
activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack
chain. These custom threat alerts will only appear in your organization and will flag the events that you set them to track.
Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of
compromise (IOCs) and the relationship between them.
Alert definitions
Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible
cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by
an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical
in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's
objective is reached.
Related topics
Manage indicators
Managed security service provider support
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Security is recognized as a key component in running an enterprise. However, some organizations might not have
the capacity or expertise to maintain a dedicated security operations team to manage the security of their endpoints
and network, and others may want a second set of eyes to review alerts in their network.
To address this demand, managed security service providers (MSSP) offer to deliver managed detection and
response (MDR) services on top of Microsoft Defender ATP.
Microsoft Defender ATP adds support for this scenario, allowing MSSPs to take the following actions:
Get access to the MSSP customer's Microsoft Defender Security Center portal
Get email notifications, and
Fetch alerts through security information and event management (SIEM) tools
Related topic
Configure managed security service provider integration
Microsoft Defender ATP and other Microsoft solutions
12/11/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Office 365 ATP data is displayed for events within the last 30 days. For alerts, Office 365 ATP data is displayed based on first
activity time. After that, the data is no longer available in Office 365 ATP.
Related topics
Configure integration and other advanced features
Microsoft Threat Protection overview
Turn on Microsoft Threat Protection
Protect users, data, and devices with Conditional Access
Enable Conditional Access to better protect users, devices, and data
9/20/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Conditional Access is a capability that helps you better protect your users and enterprise information by making
sure that only secure devices have access to applications.
With Conditional Access, you can control access to enterprise information based on the risk level of a device. This
helps keep trusted users on trusted devices using trusted applications.
You can define security conditions under which devices and applications can run and access information from your
network by enforcing policies to stop applications from running until a device returns to a compliant state.
The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device
compliance policies and Azure Active Directory (Azure AD) conditional access policies.
The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device
compliance policy rules to access applications.
Related topic
Configure Conditional Access in Microsoft Defender ATP
Microsoft Cloud App Security in Microsoft Defender ATP overview
1/2/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud
apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance
requirements on data stored in the cloud. For more information, see Cloud App Security.
NOTE
This feature is available with an E5 license for Enterprise Mobility + Security on machines running Windows 10 version 1809
or later.
For more information about cloud discovery, see Working with discovered apps.
Related topic
Configure Microsoft Cloud App Security integration
Information protection in Windows overview
12/10/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep
sensitive data secure while enabling productivity in the workplace.
Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and
comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed
as part of the unified Microsoft 365 information protection suite.
TIP
Read our blog post about how Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect,
and monitor sensitive data on Windows devices.
Microsoft Defender ATP applies the following methods to discover, classify, and protect data:
Data discovery - Identify sensitive data on Windows devices at risk
Data classification - Automatically classify data based on common Microsoft Information Protection (MIP)
policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect
sensitive data even if the end user hasn't manually classified it.
Data protection - Windows Information Protection (WIP) applied as the outcome of an Azure Information Protection label
The reported signals can be viewed on the Azure Information Protection – Data discovery dashboard.
Notice the Device Risk column on the right. This device risk is derived directly from Microsoft Defender ATP
and indicates the risk level of the device where the file was discovered, based on the active security threats
detected by Microsoft Defender ATP.
Click on a device to view a list of files observed on this device, with their sensitivity labels and information types.
NOTE
Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered
files.
Log Analytics
Data discovery based on Microsoft Defender ATP is also available in Azure Log Analytics, where you can perform
complex queries over the raw data.
For more information on Azure Information Protection analytics, see Central reporting for Azure Information
Protection.
Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
To view Microsoft Defender ATP data, perform a query that contains:
InformationProtectionLogs_CL
| where Workload_s == "Windows Defender"
Prerequisites:
Customers must have a subscription for Azure Information Protection.
Enable Azure Information Protection integration in Microsoft Defender Security Center:
Go to Settings in Microsoft Defender Security Center, click on Advanced Settings under General.
Data protection
Endpoint data loss prevention
For data to be protected, it must first be identified through labels.
Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the
labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
When you create sensitivity labels, you can set the information protection functionalities that will be applied on the
file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention.
For endpoint data loss prevention, you'll need to turn on Endpoint data loss prevention and select Enable
Windows end point protection (DLP for devices).
Once the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a
labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and
enables WIP on that file if its label corresponds with the Office Security and Compliance (SCC) policy.
This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
For more information, see Configure information protection in Windows.
Auto labeling
Auto labeling is another way to protect data and can also be configured in Office 365 Security & Compliance
Center. Windows automatically detects when an Office, PDF, CSV, or TXT file is created on a device
and inspects it based on context to identify sensitive information types.
Those information types are evaluated against the auto-labeling policy. If a match is found, the file is processed in the
same way as if it had been labeled: it is protected with Endpoint data loss prevention.
NOTE
Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed.
When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be
applied or a message can be shown to users recommending they apply it themselves.
Related topics
How Windows Information Protection protects files with a sensitivity label
Use sensitivity labels to prioritize incident response
1/7/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to be
able to prioritize investigations where sensitive files may be in jeopardy so that corporate data and information
are protected.
Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of
sensitivity labels. Sensitivity labels quickly identify incidents that may involve machines with sensitive information
such as confidential information.
NOTE
Labels are detected for Windows 10, version 1809 or later.
4. Select the Machines tab to identify machines storing files with sensitivity labels.
5. Select the machines that store sensitive data and search through the timeline to identify which files may be
impacted, then take appropriate action to ensure that data is protected.
You can narrow down the events shown on the machine timeline by searching for data sensitivity labels.
Doing this shows only events associated with files that carry that label.
TIP
These data points are also exposed through the DeviceFileEvents table in advanced hunting, allowing advanced queries and
scheduled detections to take into account sensitivity labels and file protection status.
Microsoft Threat Experts
12/18/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Threat Experts is a managed detection and response (MDR) service that provides Security Operation
Centers (SOCs) with expert-level monitoring and analysis to help them ensure that critical threats in their unique
environments don't get missed.
This new capability provides expert-driven insights and data through targeted attack notification and access to
experts on demand.
NOTE
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get
proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is
a prerequisite for experts on demand collaboration. See Configure Microsoft Threat Experts capabilities for details.
Related topic
Configure Microsoft Threat Experts capabilities
Microsoft Defender Security Center portal overview
1/3/2020 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to
alerts of potential advanced persistent threat (APT) activity or data breaches.
You can use Microsoft Defender Security Center to:
View, sort, and triage alerts from your endpoints
Search for more information on observed indicators such as files and IP Addresses
Change Microsoft Defender ATP settings, including time zone, and review licensing information.
NOTE
Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time
protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table
for a description of each section.
AREA DESCRIPTION
(1) Navigation pane - Use the navigation pane to move between Dashboards, Incidents, Machines list, Alerts queue, Automated investigations, Advanced hunting, Reports, Interoperability, Threat & vulnerability management, Evaluation and tutorials, Service health, Configuration management, and Settings.
Machines list - Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts.
Reports - View graphs detailing alert trends over time, and alert summary charts categorizing threats by severity, status, and attack approach.
Threat & Vulnerability management - View your configuration score, exposure score, exposed machines, and vulnerable software, and take action on top security recommendations.
Evaluation and tutorials - Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walkthrough in a trial environment.
Settings - Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
(2) Main portal - Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
(3) Community center, Localization, Help and support, Feedback
Community center - Access the Community center to learn, collaborate, and share experiences about the product.
Time settings - Gives you access to the configuration settings where you can set time zones and view license information.
NOTE
For devices with high resolution DPI scaling issues, please see Windows scaling issues for high-DPI devices for possible
solutions.
ICON DESCRIPTION
Machine icon
Response action
Process events
Network events
File events
Registry events
Other events
File creation
Signer
File path
Command line
Unsigned file
Process tree
Memory allocation
Process injection
Community center
Notifications
Related topics
Understand the Microsoft Defender Advanced Threat Protection portal
View the Security operations dashboard
View the Secure Score dashboard and improve your secure score
View the Threat analytics dashboard and take recommended mitigation actions
Microsoft Defender ATP for US Government GCC High customers
11/19/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for US Government Community Cloud
High (GCC High) customers, built in the US Azure Government environment, uses the same underlying
technologies as Microsoft Defender ATP in Azure Commercial.
This offering is currently available to US Office 365 GCC High customers and is based on the same prevention,
detection, investigation, and remediation as the commercial version. However, there are some key differences in
the availability of capabilities for this offering.
Endpoint versions
The following OS versions are supported:
Windows 10, version 1903
Windows 10, version 1809 (OS Build 17763.404 with KB4490481)
Windows 10, version 1803 (OS Build 17134.799 with KB4499183)
Windows 10, version 1709 (OS Build 16299.1182 with KB4499147)
Windows Server, 2019 (with KB4490481)
NOTE
A patch must be deployed before machine onboarding in order to configure Microsoft Defender ATP to the correct
environment.
Email notifications
Not currently available.
Integrations
Integrations with the following Microsoft products are not currently available:
Azure Security Center
Azure Advanced Threat Protection
Azure Information Protection
Office 365 Advanced Threat Protection
Microsoft Cloud App Security
Skype for Business
Microsoft Intune (sharing of device information and enhanced policy enforcement)
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The following features are generally available (GA) in the latest release of Microsoft Defender ATP as well as
security features in Windows 10 and Windows Server.
For more information on preview features, see Preview features.
November-December 2019
Microsoft Defender ATP for Mac
Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of
the unified endpoint security platform will now be available for Mac devices, including endpoint detection
and response.
Threat & Vulnerability Management application and application version end-of-life information
Applications and application versions which have reached their end-of-life are tagged or labeled as such so
you are aware that they will no longer be supported, and can take action to either uninstall or replace.
Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
Threat & Vulnerability Management Advanced Hunting Schemas
Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about
software inventory, vulnerability knowledgebase, security configuration assessment, and security
configuration knowledgebase.
Threat & Vulnerability Management role-based access controls
Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat &
Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific
data to do their task. You can also achieve even further granularity by specifying whether a Threat &
Vulnerability Management role can only view vulnerability-related data, or can create and manage
remediation and exceptions.
October 2019
Indicators for IP addresses, URLs/Domains
You can now allow or block URLs/domains using your own threat intelligence.
Microsoft Threat Experts - Experts on Demand
You now have the option to consult with Microsoft Threat Experts from several places in the portal to help
you in the context of your investigation.
Connected Azure AD applications
The Connected applications page provides information about the Azure AD applications connected to
Microsoft Defender ATP in your organization.
API Explorer
The API explorer makes it easy to construct and perform API queries, test and send requests for any
available Microsoft Defender ATP API endpoint.
September 2019
Tamper Protection settings using Intune
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device
Management portal (Intune).
Live response
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and
take immediate response actions to promptly contain identified threats - real-time.
Evaluation lab
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and
environment configuration so that you can focus on evaluating the capabilities of the platform, running
simulations, and seeing the prevention, detection, and remediation features in action.
Windows Server 2008 R2 SP1
You can now onboard Windows Server 2008 R2 SP1.
June 2019
Threat & Vulnerability Management
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of
endpoint vulnerabilities and misconfigurations.
Machine health and compliance report
The machine health and compliance report provides high-level information about the devices in your organization.
May 2019
Threat protection reports
The threat protection report provides high-level information about alerts generated in your organization.
Microsoft Threat Experts
Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that
provides proactive hunting, prioritization, and additional context and insights that further empower security
operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional
layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities
as part of Microsoft 365.
Indicators
APIs for indicators are now generally available.
Interoperability
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and
threat intelligence capabilities of the platform.
April 2019
Microsoft Threat Experts Targeted Attack Notification capability
Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as
much information as can be quickly delivered thus bringing attention to critical threats in their network,
including the timeline, scope of breach, and the methods of intrusion.
Microsoft Defender ATP API
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those
APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
February 2019
Incidents
Incident is a new entity in Microsoft Defender ATP that brings together all relevant alerts and related
entities to narrate the broader attack story, giving analysts better perspective on the purview of complex
threats.
Onboard previous versions of Windows
Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft
Defender ATP sensor.
October 2018
Attack surface reduction rules
All Attack surface reduction rules are now supported on Windows Server 2019.
Controlled folder access
Controlled folder access is now supported on Windows Server 2019.
Custom detection
With custom detections, you can create custom queries to monitor events for any kind of behavior such as
suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the
creation of custom detection rules.
Integration with Azure Security Center
Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server
protection solution. With this integration Azure Security Center can leverage the power of Microsoft
Defender ATP to provide improved threat detection for Windows Servers.
Managed security service provider (MSSP) support
Microsoft Defender ATP adds support for this scenario by providing MSSP integration. The integration will
allow MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security
Center portal, fetch email notifications, and fetch alerts through security information and event
management (SIEM) tools.
Removable device control
Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats from
removable devices, including new settings to allow or block specific hardware IDs.
Support for iOS and Android devices
iOS and Android devices are now supported and can be onboarded to the service.
Threat analytics
Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as
soon as emerging threats and outbreaks are identified. The reports help security operations teams assess
impact on their environment and provides recommended actions to contain, increase organizational
resilience, and prevent specific threats.
New in Windows 10 version 1809, there are two new attack surface reduction rules:
Block Adobe Reader from creating child processes
Block Office communication application from creating child processes.
Windows Defender Antivirus
Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. Office VBA +
AMSI: Parting the veil on malicious macros.
Windows Defender Antivirus, new in Windows 10 version 1809, can now run within a sandbox
(preview), increasing its security.
Configure CPU priority settings for Windows Defender Antivirus scans.
March 2018
Advanced Hunting
Query data using advanced hunting in Microsoft Defender ATP.
Attack surface reduction rules
New attack surface reduction rules:
Use advanced protection against ransomware
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block process creations originating from PSExec and WMI commands
Block untrusted and unsigned processes that run from USB
Block executable content from email client and webmail
Automated investigation and remediation
Use Automated investigations to investigate and remediate threats.
NOTE
Available from Windows 10, version 1803 or later.
Conditional Access
Enable conditional access to better protect users, devices, and data.
Microsoft Defender ATP Community center
The Microsoft Defender ATP Community Center is a place where community members can learn,
collaborate, and share experiences about the product.
Controlled folder access
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
Onboard non-Windows machines
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as
non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in
Microsoft Defender Security Center and better protect your organization's network.
Role-based access control (RBAC)
Using role-based access control (RBAC), you can create roles and groups within your security operations
team to grant appropriate access to the portal.
Windows Defender Antivirus
Windows Defender Antivirus now shares detection status between M365 services and interoperates with
Microsoft Defender ATP. For more information, see Use next-gen technologies in Windows Defender
Antivirus through cloud-delivered protection.
Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as
executable files. For more information, see Enable block at first sight.
Minimum requirements for Microsoft Defender ATP
12/17/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
There are some minimum requirements for onboarding machines to the service. Learn about the licensing,
hardware and software requirements, and other configuration settings to onboard devices to the service.
TIP
Learn about the latest enhancements in Microsoft Defender ATP: What's new in Microsoft Defender ATP.
Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education A5
Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
Microsoft 365 A5 (M365 A5)
For more information on the array of features in Windows 10 editions, see Compare Windows 10 editions.
For a detailed comparison table of the Windows 10 commercial editions, see the comparison PDF.
For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see
Protecting Windows Servers with Microsoft Defender ATP.
Browser requirements
Access to Microsoft Defender ATP is through a browser; the following browsers are supported:
Microsoft Edge
Internet Explorer version 11
Google Chrome
NOTE
While other browsers might work, only the browsers listed above are supported.
NOTE
Machines that are running mobile versions of Windows are not supported.
NOTE
You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP
for the integration to work.
NOTE
You cannot change your data storage ___location after the first-time setup.
Review the Microsoft Defender ATP data storage and privacy for more information on where and how Microsoft stores
your data.
NOTE
Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled.
You must ensure that the diagnostic data service is enabled on all the machines in your organization. By default,
this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
Use the command line to check the Windows 10 diagnostic data service startup type:
1. Open an elevated command-line prompt on the machine:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
sc qc diagtrack
If the service is enabled, then the result should look like the following screenshot:
If the START_TYPE is not set to AUTO_START, then you'll need to set the service to automatically start.
Use the command line to set the Windows 10 diagnostic data service to automatically start:
1. Open an elevated command-line prompt on the endpoint:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
3. A success message is displayed. Verify the change by entering the following command, and press Enter:
sc qc diagtrack
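The check-and-fix procedure above as an added PowerShell example (not from the original page): it parses the START_TYPE line of "sc qc diagtrack" exactly as the procedure has you read it, sets the service to start automatically when needed, and re-checks. It assumes an elevated session; DiagTrack is the service name behind "sc qc diagtrack".

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# session on the machine being onboarded.

function Get-DiagTrackStartType {
    # Returns the START_TYPE name reported by sc.exe, e.g. AUTO_START or DEMAND_START.
    $output = & sc.exe qc diagtrack 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "sc qc diagtrack failed (exit code $LASTEXITCODE): $output"
    }
    # The relevant output line looks like: "        START_TYPE         : 2   AUTO_START"
    $line = $output | Where-Object { "$_" -match 'START_TYPE' } | Select-Object -First 1
    if ("$line" -match 'START_TYPE\s*:\s*\d+\s+(\S+)') {
        return $Matches[1]
    }
    throw 'START_TYPE not found in sc qc output.'
}

$startType = Get-DiagTrackStartType
Write-Host "DiagTrack START_TYPE is $startType"

if ($startType -ne 'AUTO_START') {
    # sc.exe syntax requires the space after "start=".
    & sc.exe config diagtrack start= auto | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc config diagtrack failed (exit code $LASTEXITCODE)"
    }
    # Verify the change, as the procedure's final "sc qc diagtrack" step does.
    $startType = Get-DiagTrackStartType
    if ($startType -ne 'AUTO_START') {
        throw "DiagTrack is still $startType after the change."
    }
    Write-Host 'DiagTrack is now set to AUTO_START.'
}

# Auto-start only takes effect at the next boot; make sure the service is
# running now so the sensor can report data immediately.
if ((Get-Service -Name DiagTrack).Status -ne 'Running') {
    Start-Service -Name DiagTrack
    Write-Host 'DiagTrack service started.'
}
```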
Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Microsoft Defender ATP sensor can use a daily average bandwidth of 5 MB to communicate with the
Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and
investigation package collection are not included in this daily average bandwidth.
For more information on additional proxy configuration settings, see Configure machine proxy and Internet
connectivity settings.
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in
Windows 10.
Related topic
Validate licensing and complete setup
Onboard machines
Validate licensing provisioning and complete set up for Microsoft Defender ATP
9/20/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Once the authorization step is completed, the Welcome screen will be displayed.
2. The Welcome screen provides some details about what is about to occur during the setup wizard.
You will need to set up your preferences for Microsoft Defender Security Center.
3. Set up preferences
WARNING
This option cannot be changed without completely offboarding from Microsoft Defender ATP and completing
a new enrollment process.
NOTE
The organization size question is not related to how many licenses were purchased for your organization. It
is used by the service to optimize the creation of the data cluster for your organization.
NOTE
This option can be changed at a later time.
4. You will receive a warning notifying you that you won't be able to change some of your preferences once
you click Continue.
NOTE
Some of these options can be changed at a later time in Microsoft Defender Security Center.
5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will
take an average of 5 minutes to complete.
6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to:
Onboard Windows 10 machines
Run detection test (optional)
IMPORTANT
If you click Start using Microsoft Defender ATP before onboarding machines you will receive the following
notification:
7. After onboarding machines you can click Start using Microsoft Defender ATP. You will now launch
Microsoft Defender ATP for the first time.
Related topics
Onboard machines to the Microsoft Defender Advanced Threat Protection service
Troubleshoot onboarding process and portal access issues
Microsoft Defender ATP evaluation lab
1/7/2020 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Windows Defender ATP)
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome
environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to
the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during
the evaluation.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment
configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing
the prevention, detection, and remediation features in action.
When you get started with the lab, you'll be guided through a simple set-up process where you can specify the
type of configuration that best suits your needs.
After the lab setup process is complete, you can add Windows 10 or Windows Server 2019 machines. These test
machines come pre-configured to have the latest and greatest OS versions with the right security components in
place and Office 2019 Standard installed.
With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made
simulations to see how Microsoft Defender ATP performs.
You'll have full access to all the powerful capabilities of the platform such as automated investigations, advanced
hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP
offers.
When you access the evaluation lab for the first time, you'll find an introduction page with a link to the evaluation
guide. The guide contains tips and recommendations to keep in mind when evaluating an advanced threat
protection product.
It's a good idea to read the guide before starting the evaluation process so that you can conduct a thorough
assessment of the platform.
NOTE
Each environment is provisioned with a limited set of test machines.
Depending on the type of environment structure you select, machines will be available for the specified number of hours
from the day of activation.
When you've used up the provisioned machines, no new machines are provided. A deleted machine does not refresh the
available test machine count.
Given the limited resources, it’s advisable to use the machines carefully.
2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a
longer period or more machines for a shorter period. Select your preferred lab configuration then select
Create lab.
When the environment completes the setup process, you're ready to add machines.
Add machines
When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with
connection details. You can add Windows 10 or Windows Server 2019 machines.
The machine will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as
other apps such as Java, Python, and Sysinternals.
The machine will automatically be onboarded to your tenant with the recommended Windows security
components turned on and in audit mode - with no effort on your side.
The following security components are pre-configured in the test machines:
Attack Surface Reduction
Block at first sight
Controlled Folder Access
Exploit Protection
Network Protection
Potentially unwanted application detection
Cloud-delivered protection
Windows Defender SmartScreen
NOTE
Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your
simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see
Configure always-on protection.
Automated investigation settings depend on your tenant settings; by default, the lab is configured to be
semi-automated. For more information, see Overview of Automated investigations.
NOTE
The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
2. Choose the type of machine to add. You can choose to add Windows 10 or Windows Server 2019.
NOTE
If something goes wrong with the machine creation process, you'll be notified and you'll need to submit a new
request. If the machine creation fails, it will not be counted against the overall allowed quota.
3. The connection details are displayed. Select Copy to save the password for the machine.
NOTE
The password is only displayed once. Be sure to save it for later use.
4. Machine setup begins. This can take up to about 30 minutes.
The environment will reflect your test machine status through the evaluation - including risk score, exposure score,
and alerts created through the simulation.
Simulate attack scenarios
Use the test machines to run attack simulations by connecting to them.
If you are looking for a pre-made simulation, you can use our "Do It Yourself" attack scenarios. These scripts are
safe, documented, and easy to use. These scenarios reflect Microsoft Defender ATP capabilities and walk you
through the investigation experience.
You can also use Advanced hunting to query data and Threat analytics to view reports about emerging threats.
NOTE
The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
NOTE
If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting
Reset password from the menu:
The machine will change its state to "Executing password reset", then you'll be presented with your new password in
a few minutes.
3. Enter the password that was displayed during the machine creation step.
4. Run simulations on the machine.
After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft
Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the
evidence collected and analyzed by the feature.
Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check
out some world-wide threats documented in Threat analytics.
Simulation results
Get a full overview of the simulation results, all in one place, allowing you to drill down to the relevant pages with
every detail you need.
View the machine details page by selecting the machine from the table. You'll be able to drill down on relevant
alerts and investigations by exploring the rich context provided on the attack simulation.
Evaluation report
The lab reports summarize the results of the simulations conducted on the machines.
Provide feedback
Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience
and impressions from product capabilities and evaluation results.
Let us know what you think, by selecting Provide feedback.
Microsoft Defender ATP preview features
1/6/2020 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and
capabilities.
TIP
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming
features by turning on the preview experience.
For more information on new capabilities that are generally available, see What's new in Microsoft Defender ATP.
Preview features
The following features are included in the preview release:
Threat & Vulnerability supported operating systems and platforms
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management
so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports
Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server
2012R2, Windows Server 2016, Windows Server 2019.
Threat & Vulnerability Management role-based access controls
You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat
& Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific
data to do their task. You can also achieve even further granularity by specifying whether a Threat &
Vulnerability Management role can only view vulnerability-related data, or can create and manage
remediation and exceptions.
Threat & Vulnerability Management granular exploit details
You can now see a comprehensive set of details on the vulnerabilities found on your machine so that you can make
an informed decision on your next steps. The threat insights icon now shows more granular details, such as whether
the exploit is part of an exploit kit, whether it is connected to specific advanced persistent campaigns or activity
groups (for which links to the Threat Analytics reports are provided), and whether it has associated zero-day
exploitation news, disclosures, or related security advisories.
Threat & Vulnerability Management Report inaccuracy
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated
security recommendation, software inventory entry, or discovered vulnerability.
Machine health and compliance report
The machine health and compliance report provides high-level information about the devices in your organization.
Information protection
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection
to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is
seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss
prevention (DLP) solution for Windows devices.
NOTE
Partially available from Windows 10, version 1809.
NOTE
Available from Windows 10, version 1809 or later.
TIP
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Microsoft Defender ATP data storage and privacy
9/20/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This section covers some of the most frequently asked questions regarding privacy and data handling for
Microsoft Defender ATP.
NOTE
This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related
to Microsoft Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see Microsoft
Privacy Statement. See also Windows 10 privacy FAQ for more information.
Applies to:
Azure Active Directory
Office 365
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the
switch:
Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure
AD), are automatically assigned the default Microsoft Defender ATP administrator role, which also has full access.
Additional Azure AD user groups can be assigned to the Microsoft Defender ATP administrator role after switching to
RBAC. Only users assigned to the Microsoft Defender ATP administrator role can manage permissions using RBAC.
Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that
only Azure AD user groups can be assigned a role under RBAC.
After switching to RBAC, you will not be able to switch back to using basic permissions management.
Related topics
Use basic permissions to access the portal
Manage portal access using RBAC
Evaluate Microsoft Defender ATP
10/2/2019 • 2 minutes to read
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is a unified platform for preventative
protection, post-breach detection, automated investigation, and response.
You can evaluate Microsoft Defender Advanced Threat Protection in your organization by starting your free trial.
You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following
instructions.
See Also
Microsoft Defender Advanced Threat Protection overview
Application Guard testing scenarios
12/3/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
NOTE
Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load.
However, subsequent starts should occur without any perceivable delays.
4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge
window, making sure you see the Application Guard visual cues.
Application Guard in Enterprise-managed mode
How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
Install, set up, and turn on Application Guard
Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version
1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. Install Application Guard.
2. Restart the device and then start Microsoft Edge.
3. Set up the Network Isolation settings in Group Policy:
a. Click on the Windows icon, type Group Policy, and then click Edit Group Policy.
b. Go to the Administrative Templates\Network\Network Isolation\Enterprise resource domains
hosted in the cloud setting.
c. For the purposes of this scenario, type .microsoft.com into the Enterprise cloud resources box.
d. Go to the Administrative Templates\Network\Network Isolation\Domains categorized as both
work and personal setting.
e. For the purposes of this scenario, type bing.com into the Neutral resources box.
4. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode
setting.
5. Click Enabled, choose Option 1, and click OK.
NOTE
Enabling this setting verifies that all the necessary settings are properly configured on your employee devices,
including the network isolation settings set earlier in this scenario.
3. Based on the list provided in the setting, choose the number that best represents what type of printing
should be available to your employees. You can allow any combination of local, network, PDF, and XPS
printing.
4. Click OK.
Data persistence options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow data persistence for Windows Defender Application Guard
setting.
2. Click Enabled and click OK.
3. Open Microsoft Edge and browse to an untrusted, but safe URL.
The website opens in the isolated session.
4. Add the site to your Favorites list and then close the isolated session.
5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your Favorites list.
NOTE
If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container
triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the
data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across
container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host
PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-
provided utility to reset the container and to discard any personal data.
Applies to:
Windows 10 Enterprise edition, version 1803
Windows 10 Professional edition, version 1803
Download options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow files to download and save to the host operating system from
Windows Defender Application Guard setting.
2. Click Enabled and click OK.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Windows Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
Hardware acceleration options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender
Application Guard setting.
2. Click Enabled and click OK.
3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with
video, 3D, or other graphics-intensive content. The website opens in an isolated session.
4. Assess the visual experience and battery performance.
Applies to:
Windows 10 Enterprise edition, version 1809
Windows 10 Professional edition, version 1809
File trust options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow users to trust files that open in Windows Defender
Application Guard setting.
2. Click Enabled, set Options to 2, and click OK.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open a file in Edge, such as an Office 365 file.
5. Check to see that an antivirus scan completed before the file was opened.
Camera and microphone options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow camera and microphone access in Windows Defender
Application Guard setting.
2. Click Enabled and click OK.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
5. Check that the camera and microphone work as expected.
Root certificate sharing options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate
Authorities from the user's device setting.
2. Click Enabled, copy the thumbprint of each certificate to share, separated by a comma, and click OK.
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
Audit Windows Defender Application Control policies
12/18/2019 • 5 minutes to read
Applies to:
Windows 10
Windows Server 2016
Running Application Control in audit mode allows administrators to discover any applications that were missed
during an initial policy scan and to identify any new applications that have been installed and run since the original
policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been
denied had the policy been enforced is logged in the Applications and Services
Logs\Microsoft\Windows\CodeIntegrity\Operational event log. When these logged binaries have been
validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can
merge it with your existing WDAC policies.
Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see
Create an initial Windows Defender Application Control policy from a reference computer.
To audit a Windows Defender Application Control policy with local policy:
1. Before you begin, find the *.bin policy file, for example, DeviceGuardPolicy.bin. Copy the file to
C:\Windows\System32\CodeIntegrity.
2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running
GPEdit.msc.
NOTE
The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process
that you follow after auditing the system, you might unintentionally merge in a policy that allows viruses or
malware to run.
An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into
C:\Windows\System32\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor.
NOTE
You can copy the WDAC policies to a file share to which all computer accounts have access rather than copy
them to every system.
You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of
the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the
computers running Windows 10. We recommend that you give your WDAC policies friendly names and allow
the system to convert the policy names for you. This ensures that the policies are easily
distinguishable when viewed in a share or any other central repository.
Figure 1. Deploy your Windows Defender Application Control policy
4. Restart the reference system for the WDAC policy to take effect.
5. Use the system as you normally would, and monitor code integrity events in the event log. While in audit
mode, any exception to the deployed WDAC policy will be logged in the Applications and Services
Logs\Microsoft\Windows\CodeIntegrity\Operational event log, as shown in Figure 2.
Figure 2. Exceptions to the deployed WDAC policy
You will be reviewing the exceptions that appear in the event log, and making a list of any applications that
should be allowed to run in your environment.
6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your
WDAC policy, this is a good time to create it. For information, see Deploy catalog files to support Windows
Defender Application Control.
Now that you have a WDAC policy deployed in audit mode, you can capture any audit information that appears in
the event log. This is described in the next section.
$CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"
3. Use New-CIPolicy to generate a new WDAC policy from logged audit events. This example uses a file rule
level of Hash and includes 3> CIPolicylog.txt, which redirects warning messages to a text file,
CIPolicylog.txt.
New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy -UserPEs 3> CIPolicylog.txt
NOTE
When you create policies from audit events, you should carefully consider the file rule level that you select to trust.
The preceding example uses the Hash rule level, which is the most specific. Any change to the file (such as replacing
the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
4. Find and review the WDAC audit policy .xml file that you created. If you used the example variables as
shown, the filename will be DeviceGuardAuditPolicy.xml, and it will be on your desktop. Look for the
following:
Any applications that were caught as exceptions, but should be allowed to run in your environment.
These are applications that should be in the .xml file. Leave these as-is in the file.
Any applications that actually should not be allowed to run in your environment. Edit these out of the
.xml file. If they remain in the .xml file, and the information in the file is merged into your existing
WDAC policy, the policy will treat the applications as trusted, and allow them to run.
You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two
policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section,
Merge Windows Defender Application Control policies.
NOTE
You may have noticed that you did not generate a binary version of this policy as you did in Create a Windows Defender
Application Control policy from a reference computer. This is because WDAC policies created from an audit log are not
intended to run as stand-alone policies but rather to update existing WDAC policies.
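The audit-to-policy steps above (generate the policy from audit events, then review the captured file rules and edit out anything that should not be trusted) as one added PowerShell example; this is not the page's own code. It assumes an elevated session on the audited machine, the page's $CIPolicyPath/$CIAuditPolicy variables pointing at the desktop, and event ID 3076 as the audit-mode "would have been blocked" event in the CodeIntegrity log (the page names only the log, not the ID); the FriendlyName pattern used to drop rules is a placeholder.

```powershell
# Added example, not from the original page. Requires the ConfigCI cmdlets
# (Windows 10 Enterprise / Windows Server 2016) and an elevated session.

$CIPolicyPath  = "$env:USERPROFILE\Desktop\"
$CIAuditPolicy = $CIPolicyPath + "DeviceGuardAuditPolicy.xml"
$CIPolicyLog   = $CIPolicyPath + "CIPolicylog.txt"

# Pre-check: how much audit evidence is there to work from? ID 3076 is assumed
# to be the audit-mode event; the page itself only names the Operational log.
$auditEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue)
Write-Host ("Audit-mode code integrity events found: {0}" -f $auditEvents.Count)

# Step 3 of the procedure: Hash-level rules from the audit log, warnings to a file.
New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy -UserPEs 3> $CIPolicyLog

# Step 4: review what was captured. The policy XML root is SiPolicy; every
# captured binary appears as an Allow element under FileRules.
[xml]$policy = Get-Content -Path $CIAuditPolicy
$rules = @($policy.SiPolicy.FileRules.Allow | Where-Object { $_ })
Write-Host ("File rules generated: {0}" -f $rules.Count)
$rules | Select-Object ID, FriendlyName, FileName, Hash | Format-Table -AutoSize

# Anything listed that should NOT run in your environment must be removed
# before the merge, or the merged policy will trust it. Placeholder pattern:
$dropPattern = 'UNWANTED_APP_PLACEHOLDER'
$toDrop = $rules | Where-Object { $_.FriendlyName -like "*$dropPattern*" }
foreach ($rule in $toDrop) {
    $ruleId = $rule.ID
    # Remove the Allow rule itself ...
    $rule.ParentNode.RemoveChild($rule) | Out-Null
    # ... and every FileRuleRef that points at it, so the XML stays consistent.
    $policy.SelectNodes("//*[@RuleID='$ruleId']") | ForEach-Object {
        $_.ParentNode.RemoveChild($_) | Out-Null
    }
    Write-Host "Dropped rule $ruleId ($($rule.FriendlyName))"
}
$policy.Save($CIAuditPolicy)
Write-Host "Reviewed audit policy saved to $CIAuditPolicy; it is ready to be merged."
```

The Hash level is the most specific, so as the note above says, any updated binary needs a new rule; re-run the same review after each audit cycle rather than trusting the whole log blindly.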
Evaluate exploit protection
10/22/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Exploit protection helps protect devices from malware that uses exploits to spread and infect other devices.
Mitigation can be applied to either the operating system or to an individual app. Many of the features that were
part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can
enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit
protection, you can see what would have happened if you had enabled exploit protection in your production
environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps,
and you can see which suspicious or malicious events occur.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to see how exploit protection
works.
Where:
<Scope>:
-Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after
this flag.
<Action>:
-Enable to enable the mitigation
-Disable to disable the mitigation
<Mitigation>:
The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named testing.exe, run the
following command:
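The Set-ProcessMitigation syntax just described, applied end to end as an added PowerShell example (not the page's own code): ACG goes into audit mode for testing.exe, the setting is read back, and the Security-Mitigations event channels are searched for audit events mentioning the app. It assumes testing.exe is the page's example app name, that Get-ProcessMitigation exposes the DynamicCode setting, and that the two Security-Mitigations log names below are the channels exploit protection writes to.

```powershell
# Added example, not from the original page. Run from an elevated session.

$appName = 'testing.exe'

# <Scope> = -Name testing.exe, <Action> = -Enable,
# <Mitigation> = AuditDynamicCode (the audit counterpart of ACG / DisallowDynamicCode).
Set-ProcessMitigation -Name $appName -Enable AuditDynamicCode

# Read the per-app configuration back to confirm the audit flag is set.
$mitigation = Get-ProcessMitigation -Name $appName
$mitigation.DynamicCode | Format-List

# In audit mode nothing is blocked; the evidence is the audit events, which is
# what you review before turning enforcement on in production.
$logs = 'Microsoft-Windows-Security-Mitigations/KernelMode',
        'Microsoft-Windows-Security-Mitigations/UserMode'
$findings = foreach ($log in $logs) {
    $events = Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Keep only events that reference the test application.
        if ($e.Message -match [regex]::Escape($appName)) {
            [pscustomobject]@{
                Log     = $log.Split('/')[-1]
                Id      = $e.Id
                Time    = $e.TimeCreated
                Summary = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}
if ($findings) {
    $findings | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No Security-Mitigations events mention $appName yet; exercise the app and re-run."
}

# To revert once testing is finished (the other <Action> from the syntax above):
# Set-ProcessMitigation -Name $appName -Disable AuditDynamicCode
```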
Related topics
Comparison with Enhanced Mitigation Experience Toolkit
Enable exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Troubleshoot exploit protection
Enable network protection
Enable controlled folder access
Enable attack surface reduction
Evaluate network protection
8/27/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Network protection helps prevent employees from using any application to access dangerous domains that may
host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The sites
used in this evaluation topic are not malicious; they are specially created websites that pretend to be malicious and
replicate the behavior that would occur if a user visited a malicious site or ___domain.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to see how other protection
features work.
Related topics
Network protection
Enable network protection
Troubleshoot network protection
Evaluate controlled folder access
8/27/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Controlled folder access is a feature that helps protect your documents and files from modification by suspicious
or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
It is especially useful in helping to protect your documents and information from ransomware that can attempt to
encrypt your files and hold them hostage.
This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the
feature directly in your organization.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.
TIP
If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool
to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or System Center
Configuration Manager to configure and deploy the setting, as described in the main controlled folder access topic.
EVENT ID DESCRIPTION
Related topics
Protect important folders with controlled folder access
Evaluate Microsoft Defender ATP
Use audit mode
Evaluate attack surface reduction rules
8/27/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to
infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10
clients.
This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test
the feature directly in your organization.
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.
TIP
If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management
tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to
configure and deploy the setting, as described in the main Attack surface reduction rules topic.
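The three evaluation topics above (network protection, controlled folder access, attack surface reduction rules) each rely on audit mode. As an added example that is not part of the original topics, the following script enables audit mode for all three on a single evaluation machine and then summarizes the audit events. It assumes the Windows Defender Antivirus PowerShell cmdlets, the audit event IDs 1122, 1124 and 1125 in the Windows Defender operational log, and the published GUID of the "untrusted and unsigned processes that run from USB" rule.

```powershell
# Added example: single-machine evaluation of network protection, controlled folder access and one
# ASR rule in audit mode, followed by a summary of what would have been blocked.
# Assumes Set-MpPreference/Add-MpPreference and the Microsoft-Windows-Windows Defender/Operational
# log (1122 = ASR audit, 1124 = controlled folder access audit, 1125 = network protection audit).
#Requires -RunAsAdministrator

# Published rule ID: Block untrusted and unsigned processes that run from USB
$UsbRuleId = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'

# 1. Audit mode: events are written, nothing is blocked.
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -AttackSurfaceReductionRules_Ids $UsbRuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Confirm the effective state (0 = disabled, 1 = enabled/block, 2 = audit).
Get-MpPreference |
    Select-Object EnableNetworkProtection, EnableControlledFolderAccess,
                  AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

# 3. After the line-of-business apps have run for a representative period, pull the audit events.
$AuditIds = @{ 1122 = 'ASR rule'; 1124 = 'Controlled folder access'; 1125 = 'Network protection' }
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = @($AuditIds.Keys)
} -ErrorAction SilentlyContinue

# One row per event: the feature that would have acted, when, and the first line of the message
# (which names the process, path or ___domain involved).
$events |
    Select-Object TimeCreated,
        @{ n = 'Feature'; e = { $AuditIds[[int]$_.Id] } },
        @{ n = 'Detail';  e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize

# 4. Hit count per feature. A feature with no unexpected hits is a candidate for block mode, e.g.
#    Set-MpPreference -EnableControlledFolderAccess Enabled
$events | Group-Object { $AuditIds[[int]$_.Id] } | Select-Object Name, Count
```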
EVENT ID DESCRIPTION
Related topics
Reduce attack surfaces with attack surface reduction rules
Use audit mode to evaluate Windows Defender
Evaluating Windows Defender Firewall with Advanced Security Design Examples
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use
Windows Defender Firewall to improve the security of the devices connected to the network. You can use these
topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall
designs and to determine which design or combination of designs best suits the goals of your organization.
Firewall Policy with Advanced Security Design Example
Domain Isolation Policy Design Example
Server Isolation Policy Design Example
Certificate-based Isolation Policy Design Example
Evaluate Windows Defender Antivirus
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and
potentially unwanted applications.
TIP
You can also visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm the following features are
working and see how they work:
Cloud-delivered protection
Fast learning (including Block at first sight)
Potentially unwanted application blocking
It explains the important next generation protection features of Windows Defender Antivirus available for both
small and large enterprises, and how they increase malware detection and protection across your network.
You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar
settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the
settings.
The guide is available in PDF format for offline viewing:
Download the guide in PDF format
You can also download a PowerShell script that enables all the settings described in the guide automatically. You can
obtain the script alongside the PDF download above, or individually from the PowerShell Gallery:
Download the PowerShell script to automatically configure the settings
IMPORTANT
The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in
this guide may not be suitable for real-world deployment.
For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a
network, see Deploy Windows Defender Antivirus.
Related topics
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Access the Microsoft Defender ATP Community Center
5/15/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and
share experiences about the product.
There are several spaces you can explore to learn about specific information:
Announcements
What's new
Threat Intelligence
There are several ways you can access the Community Center:
In the Microsoft Defender Security Center navigation pane, select Community center. A new browser tab
opens and takes you to the Microsoft Defender ATP Tech Community page.
Access the community through the Microsoft Defender Advanced Threat Protection Tech Community page
You can instantly view and read conversations that have been posted in the community.
To get the full experience within the community such as being able to comment on posts, you'll need to join the
community. For more information on how to get started in the Microsoft Tech Community, see Microsoft Tech
Community: Getting Started.
Configure attack surface reduction
11/1/2019 • 2 minutes to read
You can configure attack surface reduction with a number of tools, including:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the
applicable configuration tool (or tools).
In this section
TOPIC DESCRIPTION
Enable hardware-based isolation for Microsoft Edge: How to prepare for and install Application Guard, including hardware and software requirements.
Enable application control: How to control applications run by users and protect kernel mode processes.
Network protection: How to prevent users from using any apps to access dangerous domains.
Controlled folder access: How to protect valuable data from malicious apps.
Attack surface reduction: How to prevent actions and apps that are typically used by exploit-seeking malware.
This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM)
protection to improve the startup security of Windows 10 devices. The information below is presented from a
client perspective.
Registry
1. Open Registry editor.
2. Click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard > Scenarios.
3. Right-click Scenarios > New > Key and name the new key SystemGuard.
4. Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled.
5. Double-click Enabled, change the value to 1, and click OK.
IMPORTANT
If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
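The registry steps above can be scripted, and the registry value only expresses intent: whether Secure Launch actually starts depends on the platform requirements that follow. This added example (not the topic's own code) applies the setting with PowerShell and, after a reboot, reports which virtualization-based security services are running, which also covers the memory integrity (HVCI) check. It assumes the Win32_DeviceGuard WMI class; the meaning of its SecurityServicesRunning values is an assumption taken from the Device Guard WMI reference and should be checked against the documentation for your Windows version.

```powershell
# Added example: apply the System Guard registry setting and verify the running VBS services.
# Assumes root\Microsoft\Windows\DeviceGuard\Win32_DeviceGuard. The SecurityServicesRunning value
# meanings below (1 Credential Guard, 2 HVCI, 3 System Guard Secure Launch, 4 SMM Firmware
# Measurement) are an assumption of this example; confirm them for your Windows version.
#Requires -RunAsAdministrator

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

# Steps 2-5 of the topic: create the SystemGuard key and set Enabled = 1 (DWORD).
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back to confirm the write (expected: 1).
(Get-ItemProperty -Path $KeyPath -Name 'Enabled').Enabled

# Run after the next reboot: the registry value asks for Secure Launch, the firmware and TPM
# requirements decide whether it really starts.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $names = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)';
                3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    [pscustomobject]@{
        VbsStatus           = $dg.VirtualizationBasedSecurityStatus   # 0 disabled, 1 enabled, 2 running
        ConfiguredServices  = @($dg.SecurityServicesConfigured | ForEach-Object { $names[[int]$_] })
        RunningServices     = @($dg.SecurityServicesRunning    | ForEach-Object { $names[[int]$_] })
        SecureLaunchRunning = [bool](@($dg.SecurityServicesRunning) -contains 3)
        HvciRunning         = [bool](@($dg.SecurityServicesRunning) -contains 2)
    }
}

Get-VbsStatus
```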
Trusted Platform Module (TPM) 2.0: Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported.
Windows DMA Protection: Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).
TPM AUX Index: Platform must set up an AUX index with index, attributes, and policy that exactly correspond to the AUX index specified in the TXT DG, with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
TPM PS Index: Platforms must set up a PS (Platform Supplier) index with:
- Exactly the "TXT PS2" style Attributes on creation, as follows: AuthWrite, PolicyDelete, WriteLocked, WriteDefine, AuthRead, WriteDefine, NoDa, Written, PlatformCreate
- A policy of exactly PolicyCommandCode(CC = TPM2_CC_UndefineSpaceSpecial) (SHA256 NameAlg and Policy)
- Size of exactly 70 bytes
- NameAlg = SHA256
- In addition, it must have been initialized and locked (TPMA_NV_WRITTEN = 1, TPMA_NV_WRITELOCKED = 1) at time of OS launch.
PS index data: DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00.
TPM NV Index: Platform firmware must set up a TPM NV index for use by the OS with:
- Handle: 0x01C101C0
- Attributes: TPMA_NV_POLICYWRITE, TPMA_NV_PPREAD, TPMA_NV_OWNERREAD, TPMA_NV_AUTHREAD, TPMA_NV_POLICYREAD, TPMA_NV_NO_DA, TPMA_NV_PLATFORMCREATE, TPMA_NV_POLICY_DELETE
- A policy of:
  A = TPM2_PolicyAuthorize(MSFT_DRTM_AUTH_BLOB_SigningKey)
  B = TPM2_PolicyCommandCode(TPM_CC_NV_UndefineSpaceSpecial)
  authPolicy = {A} OR {{A} AND {B}}
- Digest value of 0xcb, 0x45, 0xc8, 0x1f, 0xf3, 0x4b, 0xcf, 0x0a, 0xfb, 0x9e, 0x1a, 0x80, 0x29, 0xfa, 0x23, 0x1c, 0x87, 0x27, 0x30, 0x3c, 0x09, 0x22, 0xdc, 0xce, 0x68, 0x4b, 0xe3, 0xdb, 0x81, 0x7c, 0x20, 0xe1
Platform firmware: Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
- Intel® SINIT ACM must be carried in the OEM BIOS
- Platforms must ship with a production ACM signed by the correct production Intel® ACM signer for the platform
Monitor Mode Page Tables: All Monitor Mode page tables must:
- NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory)
- NOT have execute and write permissions for the same page
- Platforms must only allow Monitor Mode pages marked as executable
- The memory map must report Monitor Mode as EfiReservedMemoryType
- Platforms must provide a mechanism to protect the Monitor Mode page tables from modification
Platform firmware: Platform firmware must carry all code required to perform a launch.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Windows Defender Application Guard is not supported on VMs and VDI environments. For testing and automation on
non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
NOTE
Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking
system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is
recommended for enterprise managed scenarios only.
1. Click the Search or Cortana icon in the Windows 10 taskbar and type PowerShell.
2. Right-click Windows PowerShell, and then click Run as administrator.
Windows PowerShell opens with administrator credentials.
3. Type the following command:
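Because PowerShell installs the feature without checking the system requirements (see the note above), a script can do that check first. The following is an added example, not the topic's own command: it verifies the hardware-virtualization prerequisites reported by Get-ComputerInfo and only then enables the Application Guard optional feature. It assumes the Windows-Defender-ApplicationGuard feature name and PowerShell 5.1 or later; the checks are a simplified subset of the full system requirements topic, which is an assumption of this example.

```powershell
# Added example: check the Hyper-V prerequisites before enabling Application Guard.
# Assumes Get-ComputerInfo (PowerShell 5.1+) and the optional feature name
# Windows-Defender-ApplicationGuard. The checked subset of requirements is an assumption.
#Requires -RunAsAdministrator

function Test-WdagPrerequisites {
    $ci = Get-ComputerInfo
    $checks = [ordered]@{
        # VT-x/AMD-V enabled in firmware, SLAT, DEP and VM monitor mode extensions
        'Virtualization enabled in firmware' = $ci.HyperVRequirementVirtualizationFirmwareEnabled
        'Second Level Address Translation'   = $ci.HyperVRequirementSecondLevelAddressTranslation
        'Data Execution Prevention'          = $ci.HyperVRequirementDataExecutionPreventionAvailable
        'VM Monitor Mode extensions'         = $ci.HyperVRequirementVMMonitorModeExtensions
        '64-bit OS'                          = ($ci.OsArchitecture -like '64*')
    }
    # When a hypervisor is already running, the HyperVRequirement* properties are reported as
    # null (assumption of this example); treat a present hypervisor as satisfying them.
    if ($ci.HyperVisorPresent) {
        foreach ($k in @($checks.Keys)) { if ($null -eq $checks[$k]) { $checks[$k] = $true } }
    }
    foreach ($k in $checks.Keys) {
        Write-Host ('{0,-40} {1}' -f $k, $(if ($checks[$k]) { 'OK' } else { 'MISSING' }))
    }
    $values = @($checks.Values)
    return (-not ($values -contains $false)) -and (-not ($values -contains $null))
}

if (Test-WdagPrerequisites) {
    # Same result as ticking the feature in the Windows Features dialog; a restart is needed afterwards.
    Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart
} else {
    Write-Warning 'System requirements not met: Application Guard would install but may not work.'
}
```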
Applies to:
Windows 10
Windows Server 2016
Windows Server 2019
With thousands of new malicious files created every day, traditional methods such as signature-based antivirus
detection provide an inadequate defense against new attacks.
In most organizations, information is the most valuable asset, and ensuring that only approved users have access
to that information is imperative. However, when a user runs a process, that process has the same level of access
to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the
organization if a user knowingly or unknowingly runs malicious software.
Application control can help mitigate these types of security threats by restricting the applications that users are
allowed to run and the code that runs in the System Core (kernel). Application control policies can also block
unsigned scripts and MSIs, and restrict Windows PowerShell to run in Constrained Language Mode.
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has
an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an
application trust model where all applications are assumed trustworthy to one where applications must earn trust
in order to run. Many organizations, like the Australian Signals Directorate, understand this and frequently cite
application control as one of the most effective means for addressing the threat of executable file-based malware
(.exe, .dll, etc.).
NOTE
Although application control can significantly harden your computers against malicious code, we recommend that you
continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
Windows 10 includes two technologies that can be used for application control depending on your organization's
specific scenarios and requirements:
Windows Defender Application Control; and
AppLocker
NOTE
Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity
policies.
WDAC policies apply to the managed computer as a whole and affect all users of the device. WDAC rules can be
defined based on:
Attributes of the codesigning certificate(s) used to sign an app and its binaries;
Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and
version, or the hash of the file;
The reputation of the app as determined by Microsoft's Intelligent Security Graph;
The identity of the process that initiated the installation of the app and its binaries (managed installer);
The path from which the app or file is launched (beginning with Windows 10 version 1903);
The process that launched the app or binary.
WDAC System Requirements
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server
2016 and above. They can be applied to computers running any edition of Windows 10 or Windows Server 2016
and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. Group Policy can also
be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above.
AppLocker
AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are
allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and
helps end users avoid running unapproved software on their computers.
AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be
defined based on:
Attributes of the codesigning certificate(s) used to sign an app and its binaries;
Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and
version, or the hash of the file;
The path from which the app or file is launched (beginning with Windows 10 version 1903).
AppLocker System Requirements
AppLocker policies can only be configured on and applied to computers that are running on the supported
versions and editions of the Windows operating system. For more info, see Requirements to Use AppLocker.
AppLocker policies can be deployed using Group Policy or MDM.
See also
WDAC design guide
WDAC deployment guide
AppLocker overview
How to control USB devices and other removable media using Microsoft Defender ATP
10/29/2019 • 15 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft recommends a layered approach to securing removable media, and Microsoft Defender ATP provides
multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising
your devices:
1. Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting.
Identify or investigate suspicious usage activity.
2. Configure to allow or block only certain removable devices and prevent threats.
a. Allow or block removable devices based on granular configuration to deny write access to removable
disks and approve or deny devices by USB vendor IDs, product IDs, device IDs, or a combination.
Flexible policy assignment of device installation settings based on an individual or group of Azure
Active Directory (Azure AD) users and devices.
b. Prevent threats introduced by removable storage devices by enabling:
- Windows Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
- The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run
from USB.
- Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA
Protection for Thunderbolt and blocking DMA until a user signs in.
3. Create customized alerts and response actions to monitor usage of removable devices based on these plug
and play events or any other Microsoft Defender ATP events with custom detection rules.
4. Respond to threats from peripherals in real-time based on properties reported by each peripheral.
NOTE
These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from
leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you
can configure BitLocker and Windows Information Protection, which will encrypt company data even if it is stored on a
personal device, or use the Storage/RemovableDiskDenyWriteAccess CSP to deny write access to removable disks.
Additionally, you can classify and protect files on Windows devices (including their mounted USB devices) by using Microsoft
Defender ATP and Azure Information Protection.
CONTROL DESCRIPTION
Restrict USB drives and other peripherals: You can allow/prevent users to install only the USB drives and other peripherals included on a list of authorized/unauthorized devices or device types.
Block installation and usage of removable storage: You can't install or use removable storage.
Allow installation and usage of specifically approved peripherals: You can only install and use approved peripherals that report specific properties in their firmware.
Prevent installation of specifically prohibited peripherals: You can't install or use prohibited peripherals that report specific properties in their firmware.
Allow installation and usage of specifically approved peripherals with matching device instance IDs: You can only install and use approved peripherals that match any of these device instance IDs.
Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs: You can't install or use prohibited peripherals that match any of these device instance IDs.
Limit services that use Bluetooth: You can limit the services that can use Bluetooth.
Use Microsoft Defender ATP baseline settings: You can set the recommended configuration for ATP by using the Microsoft Defender ATP security baseline.
CONTROL DESCRIPTION
Allow installation and usage of USB drives and other peripherals: Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types.
Prevent installation and usage of USB drives and other peripherals: Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types.
All of the above controls can be set through the Intune Administrative Templates. The relevant policies are located
here in the Intune Administrator Templates:
NOTE
Using Intune, you can apply device configuration policies to Azure AD user and/or device groups. The above policies can also
be set through the Device Installation CSP settings and the Device Installation GPOs.
NOTE
Always test and refine these settings with a pilot group of users and devices first before applying them in production. For
more information about controlling USB devices, see the Microsoft Defender ATP blog.
NOTE
Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing
specifically approved USB peripherals and limiting the users who can access them.
1. Enable Prevent installation of devices not described by other policy settings to all users.
2. Enable Allow installation of devices using drivers that match these device setup classes for all device
setup classes.
To enforce the policy for already installed devices, apply the prevent policies that have this setting.
When configuring the allow device installation policy, you must allow all parent attributes as well. You can view the
parents of a device by opening Device Manager and view by connection.
In this example, the following classes needed to be added: HID, Keyboard, and {36fc9e60-c465-11cf-8056-444553540000}.
See Microsoft-provided USB drivers for more information.
If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit.
Then add the device ID that you want to add. To find the vendor or product IDs, see Look up device vendor ID or
product ID.
For example:
1. Remove the class USBDevice from the Allow installation of devices using drivers that match these device
setup classes policy.
2. Add the vendor ID or product ID to allow in the Allow installation of devices that match any of these
device IDs policy.
Prevent installation and usage of USB drives and other peripherals
If you want to prevent the installation of a device class or certain devices, you can use the prevent device
installation policies:
1. Enable Prevent installation of devices that match any of these device IDs.
2. Enable Prevent installation of devices that match these device setup classes.
NOTE
The prevent device installation policies take precedence over the allow device installation policies.
The Prevent installation of devices that match any of these device IDs policy allows you to specify a list of
vendor or product IDs for devices that Windows is prevented from installing.
To prevent installation of devices that match any of these device IDs:
1. Look up device vendor ID or product ID for devices that you want Windows to prevent from installing.
2. Enable Prevent installation of devices that match any of these device IDs and add the vendor or product
IDs to the list.
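Both the allow and the prevent policies above take device identifiers, and the text points to looking up vendor and product IDs. As an added example (not the topic's own code), the following read-only script lists the USB peripherals present on a machine in the identifier forms those policies accept (vendor ID, vendor and product ID, device instance ID, setup class) and reads back the values the Device Installation policies write, so you can see what is in effect on a pilot machine. It assumes Get-PnpDevice and the HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions key; the registry value names are an assumption of this example.

```powershell
# Added example: enumerate present USB devices as policy identifiers and show the current
# device installation restrictions. Read-only; it changes no policy.
# Assumes Get-PnpDevice (PowerShell 5.1+) and the DeviceInstall\Restrictions policy key; the
# value names (DenyUnspecified, DenyRemovableDevices, Allow/DenyDeviceIDs, Allow/DenyDeviceClasses)
# are an assumption of this example.

function Get-UsbDeviceIdentifiers {
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\VID_*' } |
        ForEach-Object {
            # InstanceId looks like USB\VID_046D&PID_C52B\6&1A2B3C4D&0&2 (constructed sample value)
            if ($_.InstanceId -match '^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
                [pscustomobject]@{
                    Name       = $_.FriendlyName
                    Class      = $_.Class
                    ClassGuid  = $_.ClassGuid                                    # device setup class
                    VendorId   = "USB\VID_$($Matches[1])"                        # allow/deny a vendor
                    HardwareId = "USB\VID_$($Matches[1])&PID_$($Matches[2])"     # allow/deny a product
                    InstanceId = $_.InstanceId                                   # allow/deny one unit
                }
            }
        }
}

# Lists under the policy key are stored as numbered string values ("1", "2", ...) in a subkey.
function Get-ListValues([string]$Key) {
    if (Test-Path $Key) {
        (Get-ItemProperty -Path $Key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
}

function Get-DeviceInstallPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $base)) { return 'No device installation restrictions configured.' }
    $p = Get-ItemProperty -Path $base
    [pscustomobject]@{
        # "Prevent installation of devices not described by other policy settings"
        DenyUnspecified      = [bool]$p.DenyUnspecified
        # "Prevent installation of removable devices"
        DenyRemovableDevices = [bool]$p.DenyRemovableDevices
        AllowDeviceIDs       = @(Get-ListValues "$base\AllowDeviceIDs")
        DenyDeviceIDs        = @(Get-ListValues "$base\DenyDeviceIDs")
        AllowDeviceClasses   = @(Get-ListValues "$base\AllowDeviceClasses")
        DenyDeviceClasses    = @(Get-ListValues "$base\DenyDeviceClasses")
    }
}

Get-UsbDeviceIdentifiers | Format-Table -AutoSize
Get-DeviceInstallPolicy
```

Remember that prevent entries take precedence over allow entries, so a device that appears in both lists stays blocked.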
NOTE
Always test and refine these settings with a pilot group of users and devices first before widely distributing to your
organization.
The following table describes the ways Microsoft Defender ATP can help prevent threats from removable storage.
For more information about controlling USB devices, see the Microsoft Defender ATP blog.
CONTROL DESCRIPTION
Enable Windows Defender Antivirus Scanning: Enable Windows Defender Antivirus scanning for real-time protection or scheduled scans.
Block untrusted and unsigned processes on USB peripherals: Block USB files that are unsigned or untrusted.
Protect against Direct Memory Access (DMA) attacks: Configure settings to protect against DMA attacks.
NOTE
Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing
specifically approved USB peripherals and limiting the users who can access them.
NOTE
We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10
in Device Restrictions > Configure > Windows Defender Antivirus > Real-time monitoring.
4. Click Configure > Windows Defender Exploit Guard > Attack Surface Reduction.
5. For Unsigned and untrusted processes that run from USB, choose Block.
6. Click OK to close Attack Surface Reduction, Windows Defender Exploit Guard, and Endpoint
protection.
7. Click Create to save the profile.
Protect against Direct Memory Access (DMA) attacks
DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that
allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA
attacks:
1. Beginning with Windows 10 version 1803, Microsoft introduced Kernel DMA Protection for Thunderbolt to
provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for
Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users.
Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring
the DMA Guard CSP. This is an additional control for peripherals that don't support device memory
isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory
Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral
(memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the
peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked,
allowed, or allowed only after the user signs in (default).
2. On Windows 10 systems that do not support Kernel DMA Protection, you can:
Block DMA until a user signs in
Block all connections via the Thunderbolt ports (including USB devices)
Respond to threats
You can create custom alerts and automatic response actions with the Microsoft Defender ATP Custom Detection
Rules. Response actions within the custom detection cover both machine and file level actions. You can also create
alerts and automatic response actions using PowerApps and Flow with the Microsoft Defender ATP connector. The
connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over
200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See
Connectors to learn more about connectors.
For example, using either approach, you can have Microsoft Defender Antivirus run automatically when a USB
device is mounted on a machine.
Related topics
Configure real-time protection for Windows Defender Antivirus
Defender/AllowFullScanRemovableDriveScanning
Policy/DeviceInstallation CSP
Perform a custom scan of a removable device
Device Control PowerBI Template for custom reporting
BitLocker
Windows Information Protection
Windows Defender Application Control and virtualization-based protection of code integrity
12/3/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to
"lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this
configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature
called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through
the use of virtualization-based protection of code integrity (more specifically, HVCI).
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However,
when these two technologies are configured to work together, they present a very strong protection capability for
Windows 10 devices.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other
solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early
in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in user
mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by
digitally signing the policy. This would mean that changing the policy would require both administrative
privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker
with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the
application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a
vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is
significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would
otherwise have enough privilege to disable most system defenses and override the application control policies
enforced by configurable code integrity or any other application control solution.
Related articles
Windows Defender Application Control
Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender
Driver compatibility with Windows Defender in Windows 10
Code integrity
Memory integrity
12/11/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed
and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the
injection and execution of malicious or unverified code. The integrity of code that runs on Windows is validated by
memory integrity, making Windows resistant to attacks from malicious software. Memory integrity is a powerful
security boundary that helps to block many types of malware from running in Windows 10 and Windows Server
2016 environments.
For more information about Windows Security, see Device protection in Windows Security.
Baseline protections and additional qualifications for virtualization-based protection of code integrity
12/20/2019 • 7 minutes to read
Applies to
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of
the virtualization-based security (VBS) features in Windows Defender Device Guard. Computers lacking these
requirements can still be protected by Windows Defender Application Control (WDAC) policies; the difference is
that those computers will not be as hardened against certain threats.
For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that
attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard
drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on
bootable media.
WARNING
Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly
recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on
production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error
(also called a stop error).
The following tables provide more information about the hardware, firmware, and software required for
deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus
protections for improved security that are associated with hardware and firmware options available in 2015, 2016,
and 2017.
NOTE
Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new
computers.
Baseline protections
Hardware: CPU virtualization extensions, plus extended page tables
Description: These hardware features are required for VBS. One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
Security benefits: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation.

Firmware: UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot
Description: See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
Security benefits: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots.

Firmware: Secure firmware update process
Description: UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
Security benefits: UEFI firmware, just like software, can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.

Software: HVCI compatible drivers
Description: See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
Security benefits: HVCI compatible drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode.

Software: Qualified Windows operating system
Description: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise.
Important: Windows Server 2016 running as a ___domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
Security benefits: Support for VBS and for management features that simplify configuration of Windows Defender Device Guard.
IMPORTANT
The following tables list additional qualifications for improved security. You can use Windows Defender Device
Guard with hardware, firmware, and software that support baseline protections, even if they do not support
protections for improved security. However, we strongly recommend meeting these additional qualifications to
significantly strengthen the level of security that Windows Defender Device Guard can provide.
Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
Firmware: Hardware Rooted Trust Platform Secure Boot
Description:
• Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download. You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies here.
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See Hardware Security Testability Specification.
Security benefits:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform.

Firmware: Firmware Update through Windows Update
Description: Firmware must support field updates through Windows Update and UEFI encapsulation update.
Security benefits: Helps ensure that firmware updates are fast, secure, and reliable.

Firmware: Securing Boot Configuration and Management
Description:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
Security benefits:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots.

Firmware: VBS enablement of NX protection for UEFI runtime services
Description:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
  • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
  • PE sections need to be page-aligned in memory (not required in non-volatile storage).
  • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
    • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
    • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Security benefits:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable).
• Reduces the attack surface to VBS from system firmware.

Firmware: Firmware support for SMM protection
Description: The Windows SMM Security Mitigations Table (WSMT) specification contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
Security benefits:
• Potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable).
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM.
Enable virtualization-based protection of code integrity
9/10/2019 • 9 minutes to read
Applies to
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some
applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to
malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or
during the enablement process itself. If this happens, see Troubleshooting for remediation steps.
NOTE
HVCI works with modern 7th-generation Intel CPUs or higher and their AMD equivalents. The CPU feature Mode based
execution control (MBE) virtualization is required. AMD CPUs do not have MBE.
TIP
"The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the
SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode
(RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book
HVCI Features
HVCI protects the Control Flow Guard (CFG) bitmap from modification.
HVCI also ensures that other trustlets, such as Credential Guard, have a valid certificate.
Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
If you want to customize the preceding recommended settings, use the following settings.
To enable VBS
To enable VBS with Secure Boot and DMA (value 3), in the preceding command, change /d 1 to /d 3.
To enable VBS with UEFI lock (value 1), in the preceding command, change /d 0 to /d 1.
To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)
To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1), in the
preceding command, change /d 0 to /d 1.
If you want to customize the preceding recommended settings, use the following settings.
To enable VBS (it is always locked to UEFI)
To enable VBS with Secure Boot and DMA (value 3), in the preceding command, change /d 1 to /d 3.
To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)
Validate enabled Windows Defender Device Guard hardware-based security features
Windows 10 and Windows Server 2016 have a WMI class for related properties and features:
Win32_DeviceGuard. This class can be queried from an elevated Windows PowerShell session by using the
following command:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
NOTE
The Win32_DeviceGuard WMI class is only available on the Enterprise edition of Windows 10.
NOTE
Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.
The output of this command provides details of the available hardware-based security features as well as those
features that are currently enabled.
AvailableSecurityProperties
This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
InstanceIdentifier
A string that is unique to a particular device. Valid values are determined by WMI.
RequiredSecurityProperties
This field describes the required security properties to enable virtualization-based security.
Value 0: Nothing is required.
SecurityServicesConfigured
This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
Value 0: No services configured.
SecurityServicesRunning
This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
Value 0: No services running.
Version
This field lists the version of this WMI class. The only valid value now is 1.0.
VirtualizationBasedSecurityStatus
This field indicates whether VBS is enabled and running.
PSComputerName
This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled Windows Defender Device Guard features is to run
msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device
Guard properties are displayed at the bottom of the System Summary section.
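An added PowerShell example (not from the Microsoft docs page) that queries Win32_DeviceGuard, decodes its numeric arrays into names, and flags the two common gaps: a required security property the platform does not offer, and a service that is configured but not running. The value-to-name mappings follow the class's documented property values; the page itself lists only the zero values.

```powershell
# Added example: decode Win32_DeviceGuard output and report configuration gaps.
# Run from an elevated PowerShell session on Windows 10 / Windows Server 2016.
# The numeric-to-name mappings follow the documented Win32_DeviceGuard values.

$SecurityPropertyNames = @{
    0 = 'None'
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'   # listed only from Windows 10 version 1803
}
$SecurityServiceNames = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI' }
$VbsStatusNames = @{
    0 = 'VBS not enabled'
    1 = 'VBS enabled but not running'
    2 = 'VBS enabled and running'
}

# Translate an array of numeric codes into names, keeping unknown codes visible.
function ConvertTo-PropertyNames {
    param([object[]]$Codes, [hashtable]$Map)
    foreach ($c in @($Codes)) {
        if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "Unknown($c)" }
    }
}

# Build a readable report from one Win32_DeviceGuard instance.
function ConvertTo-DeviceGuardReport {
    param([Parameter(Mandatory)] $DeviceGuard)
    [pscustomobject]@{
        Computer            = $DeviceGuard.PSComputerName
        VbsStatus           = $VbsStatusNames[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        AvailableProperties = @(ConvertTo-PropertyNames $DeviceGuard.AvailableSecurityProperties $SecurityPropertyNames)
        RequiredProperties  = @(ConvertTo-PropertyNames $DeviceGuard.RequiredSecurityProperties  $SecurityPropertyNames)
        ServicesConfigured  = @(ConvertTo-PropertyNames $DeviceGuard.SecurityServicesConfigured  $SecurityServiceNames)
        ServicesRunning     = @(ConvertTo-PropertyNames $DeviceGuard.SecurityServicesRunning     $SecurityServiceNames)
    }
}

# Return the reasons VBS/HVCI may not be fully effective: a required security
# property the hardware or firmware does not provide, a service (Credential
# Guard, HVCI) that is configured but not running, or VBS itself not running.
function Get-DeviceGuardGaps {
    param([Parameter(Mandatory)] $DeviceGuard)
    $gaps = @()
    $available = @($DeviceGuard.AvailableSecurityProperties | ForEach-Object { [int]$_ })
    foreach ($p in @($DeviceGuard.RequiredSecurityProperties | ForEach-Object { [int]$_ })) {
        if ($p -ne 0 -and $available -notcontains $p) {
            $gaps += "Required property not available: $($SecurityPropertyNames[$p])"
        }
    }
    $running = @($DeviceGuard.SecurityServicesRunning | ForEach-Object { [int]$_ })
    foreach ($s in @($DeviceGuard.SecurityServicesConfigured | ForEach-Object { [int]$_ })) {
        if ($s -ne 0 -and $running -notcontains $s) {
            $gaps += "Configured but not running: $($SecurityServiceNames[$s])"
        }
    }
    $status = [int]$DeviceGuard.VirtualizationBasedSecurityStatus
    if ($status -ne 2) { $gaps += $VbsStatusNames[$status] }
    return $gaps
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
ConvertTo-DeviceGuardReport $dg | Format-List
Get-DeviceGuardGaps $dg
```

An empty result from Get-DeviceGuardGaps means every required property is available and every configured service is running.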
Troubleshooting
A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using Device
Manager.
B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are
able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file ___location
in step 3 above and then restart your device.
C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn
on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see
Windows RE Technical Reference. After logging in to Windows RE, you can turn off HVCI by renaming or deleting
the SIPolicy.p7b file from the file ___location in step 3 above and then restart your device.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Exploit protection helps protect against malware that uses exploits to infect devices and spread. It consists of a
number of mitigations that can be applied to either the operating system or individual apps.
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and
review events) without impacting the normal use of the machine.
You can enable each mitigation separately by using any of these methods:
Windows Security app
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
They are configured by default in Windows 10.
You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
You can export these settings as an XML file and deploy them to other machines.
Example 1
Mikael configures Data Execution Prevention (DEP) in the System settings section to be Off by default.
Mikael then adds the app test.exe to the Program settings section. In the options for that app, under Data
Execution Prevention (DEP), he enables the Override system settings option and sets the switch to On.
There are no other apps listed in the Program settings section.
The result is that DEP is enabled only for test.exe. No other app has DEP applied.
Example 2
Josie configures Data Execution Prevention (DEP) in the System settings section to be Off by default.
Josie then adds the app test.exe to the Program settings section. In the options for that app, under Data
Execution Prevention (DEP), she enables the Override system settings option and sets the switch to On.
Josie also adds the app miles.exe to the Program settings section and configures Control flow guard (CFG) to
On. She doesn't enable the Override system settings option for DEP or any other mitigations for that app.
The result is that DEP is enabled for test.exe. DEP is not enabled for any other app, including miles.exe.
CFG is enabled for miles.exe.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the App & browser control tile (or the app icon on the left menu bar) and then click Exploit
protection.
3. Go to Program settings and choose the app you want to apply mitigations to:
a. If the app you want to configure is already listed, click it and then click Edit
b. If the app is not listed, at the top of the list click Add program to customize and then choose how you
want to add the app:
Use Add by program name to have the mitigation applied to any running process with that
name. You must specify a file with an extension. You can enter a full path to limit the mitigation to
only the app with that name in that ___location.
Use Choose exact file path to use a standard Windows Explorer file picker window to find and
select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing Audit will apply
the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you
need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click Apply when you're done setting
up your configuration.
Intune
1. Sign in to the Azure portal and open Intune.
2. Click Device configuration > Profiles > Create profile.
3. Name the profile, choose Windows 10 and later and Endpoint protection.
4. Click Configure > Windows Defender Exploit Guard > Exploit protection.
5. Upload an XML file with the exploit protection settings:
6. Click OK to save each open blade and click Create.
7. Click the profile Assignments, assign to All Users & All Devices, and click Save.
MDM
Use the ./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings configuration service provider
(CSP) to enable or disable exploit protection mitigations or to use audit mode.
SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Exploit protection, and click Next.
4. Browse to the ___location of the exploit protection XML file and click Next.
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.
Group Policy
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Exploit Guard > Exploit Protection
> Use a common set of exploit protection settings.
4. Click Enabled and type the ___location of the XML file and click OK.
PowerShell
You can use the PowerShell verb Get or Set with the cmdlet ProcessMitigation. Using Get will list the current
configuration status of any mitigations that have been enabled on the device - add the -Name parameter and the
app's executable to see mitigations for just that app:
IMPORTANT
System-level mitigations that have not been configured will show a status of NOTSET.
For system-level settings, NOTSET indicates the default setting for that mitigation has been applied.
For app-level settings, NOTSET indicates the system-level setting for the mitigation will be applied.
The default setting for each system-level mitigation can be seen in the Windows Security app.
Where:
<Scope>:
-Name to indicate the mitigations should be applied to a specific app. Specify the app's executable after
this flag.
-System to indicate the mitigation should be applied at the system level
<Action>:
-Enable to enable the mitigation
-Disable to disable the mitigation
<Mitigation>:
The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is
separated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an
executable called testing.exe in the folder C:\Apps\LOB\tests, and to prevent that executable from creating child
processes, you'd use the following command:
IMPORTANT
Separate each mitigation option with commas.
If you wanted to apply DEP at the system level, you'd use the following command:
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each
mitigation.
MITIGATION | APPLIES TO | POWERSHELL CMDLETS | AUDIT MODE CMDLET
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter [1] | Audit not available
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
[1]: Use the following format to enable EAF modules for dlls for a process:
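An added PowerShell example, not from the original page, that carries out the two commands described in the PowerShell section above (DEP with ATL thunk emulation and no child processes for C:\Apps\LOB\tests\testing.exe, then DEP at the system level), applies the EAF-modules form from footnote [1], and reads the result back with Get-ProcessMitigation. DisallowChildProcessCreation and -EAFModules are the cmdlet's documented names; the section and setting names used when reading the output (DEP.Enable, ChildProcess.DisallowChildProcessCreation) are assumed from Get-ProcessMitigation's output layout, and the module names are sample values.

```powershell
# Added example: set, then verify, exploit protection mitigations.
# Requires an elevated PowerShell session on a Windows 10 device.

$app = 'C:\Apps\LOB\tests\testing.exe'

# App-level: DEP with ATL thunk emulation, plus block child process creation.
# Mitigations after -Enable are separated by commas.
Set-ProcessMitigation -Name $app -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation

# System-level: DEP for every process that has no app-level override.
Set-ProcessMitigation -System -Enable DEP

# EAF for specific modules loaded by the process (footnote [1] form);
# the module names are sample values chosen for this example.
Set-ProcessMitigation -Name $app -Enable EnableExportAddressFilterPlus -EAFModules kernel32.dll, ntdll.dll

# Read back one mitigation setting as reported by Get-ProcessMitigation.
# Returns ON, OFF or NOTSET; NOTSET on an app means the system-level value applies.
function Get-MitigationState {
    param(
        [string]$Name,                               # executable name or full path; omit for system level
        [Parameter(Mandatory)] [string]$Section,     # e.g. DEP, ChildProcess (assumed output section names)
        [Parameter(Mandatory)] [string]$Setting      # e.g. Enable, EmulateAtlThunks, DisallowChildProcessCreation
    )
    $m = if ($Name) { Get-ProcessMitigation -Name $Name } else { Get-ProcessMitigation -System }
    return "$($m.$Section.$Setting)".ToUpper()
}

# Effective DEP for the app: the app-level value unless it is NOTSET, in which
# case the system-level value applies (the precedence described in the IMPORTANT note).
function Get-EffectiveDep {
    param([Parameter(Mandatory)] [string]$Name)
    $appState = Get-MitigationState -Name $Name -Section DEP -Setting Enable
    if ($appState -ne 'NOTSET') { return $appState }
    return Get-MitigationState -Section DEP -Setting Enable
}

Get-EffectiveDep -Name $app
Get-MitigationState -Name $app -Section ChildProcess -Setting DisallowChildProcessCreation
```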
Related topics
Comparison with Enhanced Mitigation Experience Toolkit
Evaluate exploit protection
Configure and audit exploit protection mitigations
Import, export, and deploy exploit protection configurations
Import, export, and deploy exploit protection configurations
12/4/2019 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Exploit protection helps protect devices from malware that uses exploits to spread and infect. It consists of
a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the Enhanced Mitigation Experience Toolkit (EMET) are now included in
exploit protection.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You
can then export this configuration as an XML file and share it with multiple machines on your network so they all
have the same set of mitigation settings.
You can also convert and import an existing EMET configuration XML file into an exploit protection configuration
XML.
This topic describes how to create a configuration file and deploy it across your network, and how to convert an
EMET configuration.
The Evaluation Package contains a sample configuration file (named ProcessMitigation-Selfhost-v4.xml) that you
can use to see how the XML structure looks. The sample file also contains settings that have been converted from
an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit
protection and then review the settings in the Windows Security app, as described further in this topic.
IMPORTANT
If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings
exported correctly on the XML file.
NOTE
When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't
need to export a file from both the System settings and Program settings sections - either section will export all settings.
IMPORTANT
When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access
the configuration file. Ensure you place the file in a shared ___location.
Change filename to the ___location and name of the exploit protection XML file.
Example command:
Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml
IMPORTANT
Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET
configuration file, you must convert it first.
WARNING
You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to
help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file
will not work.
However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default
configuration file into EMET, then export the settings to a new file.
You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit
protection.
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
Change emetFile to the name and ___location of the EMET configuration file, and change filename to whichever
___location and file name you want to use.
IMPORTANT
If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the
XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the
Mandatory ASLR mitigation setting is correctly configured:
1. Open the PowerShell-converted XML file in a text editor.
2. Search for ASLR ForceRelocateImages="false" and change it to ASLR ForceRelocateImages="true" for each app
that you want Mandatory ASLR to be enabled.
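An added PowerShell example (not from the original page) of the manual Mandatory ASLR fix-up above, done with the XML DOM rather than a text editor: it flips ASLR ForceRelocateImages from "false" to "true" only for the apps you name, leaving other apps untouched. The sample XML is constructed here to stand in for the output of ConvertTo-ProcessMitigationPolicy; the AppConfig element and its Executable attribute are assumed from the exploit protection XML format.

```powershell
# Added example: enable Mandatory ASLR for selected apps in a converted policy file.
# Assumes the converted XML holds one <AppConfig Executable="..."> per app with
# an <ASLR ForceRelocateImages="..."/> child (assumed element/attribute names).

function Enable-MandatoryAslrInPolicy {
    param(
        [Parameter(Mandatory)] [string]$Path,          # converted exploit protection XML
        [Parameter(Mandatory)] [string[]]$Executable   # apps that had Mandatory ASLR in EMET
    )
    [xml]$policy = Get-Content -Path $Path -Raw
    $changed = 0
    # Only entries the converter left at "false" are candidates.
    foreach ($aslr in $policy.SelectNodes('//ASLR[@ForceRelocateImages="false"]')) {
        $app = $aslr.ParentNode.GetAttribute('Executable')
        if ($Executable -contains $app) {          # case-insensitive match
            $aslr.SetAttribute('ForceRelocateImages', 'true')
            $changed++
        }
    }
    $policy.Save($Path)
    return $changed                                 # number of apps updated
}

# Constructed sample standing in for:
#   ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath converted.xml
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <AppConfig Executable="lob.exe">
    <ASLR ForceRelocateImages="false" />
    <DEP Enable="true" />
  </AppConfig>
  <AppConfig Executable="viewer.exe">
    <ASLR ForceRelocateImages="false" />
  </AppConfig>
</MitigationPolicy>
'@
$converted = Join-Path $env:TEMP 'converted.xml'
Set-Content -Path $converted -Value $sample -Encoding UTF8

# Only lob.exe had Mandatory ASLR in EMET, so only its entry is changed (returns 1).
$updated = Enable-MandatoryAslrInPolicy -Path $converted -Executable 'lob.exe'
"Updated $updated app entries in $converted"
Select-String -Path $converted -Pattern 'ForceRelocateImages'

# Import the corrected configuration, then deploy the same file via Group Policy, Intune or SCCM:
# Set-ProcessMitigation -PolicyFilePath $converted
```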
IMPORTANT
When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access
the configuration XML file. Ensure you place the file in a shared ___location.
Related topics
Protect devices from exploits
Comparison with Enhanced Mitigation Experience Toolkit
Evaluate exploit protection
Enable exploit protection
Configure and audit exploit protection mitigations
Enable network protection
10/28/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Network protection helps to prevent employees from using any application to access dangerous domains that
may host phishing scams, exploits, and other malicious content on the Internet. You can audit network protection
in a test environment to see which apps would be blocked before you enable it.
You can enable network protection by using any of these methods:
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
Intune
1. Sign in to the Azure portal and open Intune.
2. Click Device configuration > Profiles > Create profile.
3. Name the profile, choose Windows 10 and later and Endpoint protection.
4. Click Configure > Windows Defender Exploit Guard > Network filtering > Enable.
MDM
Use the ./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection configuration service provider (CSP)
to enable or disable network protection or enable audit mode.
SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Network protection, and click Next.
4. Choose whether to block or audit access to suspicious domains and click Next.
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.
Group Policy
You can use the following procedure to enable network protection on ___domain-joined computers or on a
standalone computer.
1. On a standalone computer, click Start, type and then click Edit group policy.
-Or-
On a ___domain-joined Group Policy management computer, open the Group Policy Management Console,
right-click the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Network protection.
4. Double-click the Prevent users and apps from accessing dangerous websites setting and set the
option to Enabled. In the options section, you must specify one of the following:
Block - Users will not be able to access malicious IP addresses and domains
Disable (Default) - The Network protection feature will not work. Users will not be blocked from
accessing malicious domains
Audit Mode - If a user visits a malicious IP address or ___domain, an event will be recorded in the
Windows event log but the user will not be blocked from visiting the address.
IMPORTANT
To fully enable network protection, you must set the Group Policy option to Enabled and also select Block in the options
drop-down menu.
You can confirm network protection is enabled on a local computer by using Registry editor:
1. Click Start and type regedit to open Registry Editor.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows
Defender Exploit Guard\Network Protection
3. Click EnableNetworkProtection and confirm the value:
0=Off
1=On
2=Audit
PowerShell
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator
2. Enter the following cmdlet:
You can enable the feature in audit mode using the following cmdlet:
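An added PowerShell example (not from the original page) that turns network protection on in audit mode with Set-MpPreference and then reads the effective state from two places: Defender's own preferences and the Group Policy registry value that the Registry Editor procedure above checks (0=Off, 1=On, 2=Audit). Disabled, Enabled and AuditMode are the documented values of the EnableNetworkProtection preference.

```powershell
# Added example: enable network protection in audit mode and verify the state.
# Run from an elevated PowerShell session.

# Registry values listed in the Group Policy procedure above.
$NetworkProtectionStates = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Audit' }

# Audit first, so the apps that would be blocked are only logged; move to
# Enabled once the audit results have been reviewed.
Set-MpPreference -EnableNetworkProtection AuditMode
# Set-MpPreference -EnableNetworkProtection Enabled   # enforce after the review

function Get-NetworkProtectionState {
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
    # Value written by the Group Policy setting; absent when not set by policy.
    $policy = Get-ItemProperty -Path $regPath -Name EnableNetworkProtection -ErrorAction SilentlyContinue
    # Value reported by Defender's preferences (set by PowerShell, MDM or Intune).
    $preference = (Get-MpPreference).EnableNetworkProtection

    $policyValue = if ($policy) { [int]$policy.EnableNetworkProtection } else { $null }
    [pscustomobject]@{
        PolicyState     = if ($null -ne $policyValue) { $NetworkProtectionStates[$policyValue] } else { 'Not set by policy' }
        PreferenceState = $NetworkProtectionStates[[int]$preference]
        # When both are present and differ, the device's management sources disagree;
        # check which one is authoritative before trusting the local setting.
        Consistent      = ($null -eq $policyValue) -or ($policyValue -eq [int]$preference)
    }
}

Get-NetworkProtectionState
```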
Related topics
Network protection
Evaluate network protection
Troubleshoot network protection
Enable controlled folder access
9/10/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.
Controlled folder access is included with Windows 10 and Windows Server 2019.
You can enable controlled folder access by using any of these methods:
Windows Security app
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
Audit mode allows you to test how the feature would work (and review events) without impacting the normal use
of the machine.
Group Policy settings that disable local administrator list merging will override controlled folder access settings.
They also override protected folders and allowed apps set by the local administrator through controlled folder
access. These policies include:
Windows Defender Antivirus Configure local administrator merge behavior for lists
System Center Endpoint Protection Allow users to add exclusions and overrides
For more information about disabling local list merging, see Prevent or allow users to locally modify Windows
Defender AV policy settings.
NOTE
If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows
Security app after a restart of the device. If the feature is set to Audit mode with any of those tools, the Windows Security
app will show the state as Off.
If you are protecting user profile data, we recommend that the user profile should be on the default Windows
installation drive.
Intune
1. Sign in to the Azure portal and open Intune.
2. Click Device configuration > Profiles > Create profile.
3. Name the profile, choose Windows 10 and later and Endpoint protection.
4. Click Configure > Windows Defender Exploit Guard > Controlled folder access > Enable.
5. Type the path to each application that has access to protected folders and the path to any additional folder
that needs protection and click Add.
NOTE
Wildcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to
trigger events until they are restarted.
SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Controlled folder access, and click Next.
4. Choose whether to block or audit changes, allow other apps, or add other folders, and click Next.
NOTE
Wildcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to
trigger events until they are restarted.
Group Policy
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Controlled folder access.
4. Double-click the Configure Controlled folder access setting and set the option to Enabled. In the
options section you must specify one of the following:
Enable - Malicious and suspicious apps will not be allowed to make changes to files in protected
folders. A notification will be provided in the Windows event log
Disable (Default) - The Controlled folder access feature will not work. All apps can make changes
to files in protected folders.
Audit Mode - If a malicious or suspicious app attempts to make a change to a file in a protected
folder, the change will be allowed but will be recorded in the Windows event log. This allows you to
assess the impact of this feature on your organization.
IMPORTANT
To fully enable controlled folder access, you must set the Group Policy option to Enabled and also select Enable in the
options drop-down menu.
PowerShell
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator.
2. Enter the following cmdlet:
You can enable the feature in audit mode by specifying AuditMode instead of Enabled.
Use Disabled to turn the feature off.
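Added example, not part of the original topic: the cmdlet sequence a defender would use to stage controlled folder access, enabling it in audit mode, reading the state back, and reviewing the audit events before switching to block. The extra folder, the allowed application path and the event IDs are assumptions not stated in this topic.

```powershell
# Added example, not from the original topic: turn on controlled folder access in
# audit mode, review what it would have blocked, then switch to block mode.
# Run from an elevated PowerShell prompt. The extra folder and allowed app are
# placeholder paths; substitute your own.

# Stage 1: audit. Changes to protected folders are logged, not blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect an additional folder and allow a known-good application (placeholders).
# Wildcards work for applications but not for folders, and an allowed app keeps
# generating events until it is restarted (see the NOTE above).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\Backup.exe'

function Get-CfaState {
    # Get-MpPreference reports the setting as a number:
    # 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
    $names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $pref = Get-MpPreference
    [pscustomobject]@{
        Mode             = $names[[int]$pref.EnableControlledFolderAccess]
        ProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

function Get-CfaAuditEvents {
    # Audit-mode hits land in the Windows Defender operational log. Event IDs
    # 1124 (audited) and 1123 (blocked) are the controlled folder access events;
    # these IDs are assumed from the Defender event reference, not from this topic.
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-CfaState
Get-CfaAuditEvents

# Stage 2: once the audit events show only expected apps, enforce blocking.
# Set-MpPreference -EnableControlledFolderAccess Enabled
```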
Related topics
Protect important folders with controlled folder access
Customize controlled folder access
Evaluate Microsoft Defender ATP
Enable attack surface reduction rules
8/27/2019 • 5 minutes to read
Attack surface reduction rules help prevent actions and apps that malware often uses to infect computers. You can
set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
Each ASR rule contains three settings:
Not configured: Disable the ASR rule
Block: Enable the ASR rule
Audit: Evaluate how the ASR rule would impact your organization if enabled
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so
you can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender
Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3
license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
You can enable attack surface reduction rules by using any of these methods:
Microsoft Intune
Mobile Device Management (MDM)
System Center Configuration Manager (SCCM)
Group Policy
PowerShell
Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will
overwrite any conflicting Group Policy or PowerShell settings on startup.
WARNING
Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and
no report or event will be recorded.
If ASR rules are detecting files that you believe shouldn't be detected, you should use audit mode first to test the rule.
IMPORTANT
File and folder exclusions do not apply to the following ASR rules:
Block process creations originating from PSExec and WMI commands
Block JavaScript or VBScript from launching downloaded executable content
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't
specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service
starts. For example, if you add an exclusion for an update service that is already running, the update service will
continue to trigger events until the service is stopped and restarted.
ASR rules support environment variables and wildcards. For information about using wildcards, see Use
wildcards in the file name and folder path or extension exclusion lists.
The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
Intune
1. In Intune, select Device configuration > Profiles. Choose an existing endpoint protection profile or
create a new one. To create a new one, select Create profile and enter information for this profile. For
Profile type, select Endpoint protection. If you've chosen an existing profile, select Properties and then
select Settings.
2. In the Endpoint protection pane, select Windows Defender Exploit Guard, then select Attack
Surface Reduction. Select the desired setting for each ASR rule.
3. Under Attack Surface Reduction exceptions, you can enter individual files and folders, or you can select
Import to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV
file should be in the following format:
C:\folder, %ProgramFiles%\folder\file, C:\path
4. Select OK on the three configuration panes and then select Create if you're creating a new endpoint
protection file or Save if you're editing an existing one.
MDM
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules configuration service provider
(CSP) to individually enable and set the mode for each rule.
The following is a sample for reference, using GUID values for ASR rules.
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
The values to enable, disable, or enable in audit mode are:
Disable = 0
Block (enable ASR rule) = 1
Audit = 2
Use the ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions configuration service
provider (CSP) to add exclusions.
Example:
OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
Value: c:\path|e:\path|c:\Whitelisted.exe
NOTE
Be sure to enter OMA-URI values without spaces.
SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
Windows Defender Exploit Guard.
2. Click Home > Create Exploit Guard Policy.
3. Enter a name and a description, click Attack Surface Reduction, and click Next.
4. Choose which rules will block or audit actions and click Next.
5. Review the settings and click Next to create the policy.
6. After the policy is created, click Close.
Group Policy
WARNING
If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the
management software will overwrite any conflicting Group Policy settings on startup.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Attack surface reduction.
4. Select Configure Attack surface reduction rules and select Enabled. You can then set the individual
state for each rule in the options section:
Click Show... and enter the rule ID in the Value name column and your desired state in the Value
column as follows:
Disable = 0
Block (enable ASR rule) = 1
Audit = 2
5. To exclude files and folders from ASR rules, select the Exclude files and paths from Attack surface
reduction rules setting and set the option to Enabled. Click Show and enter each file or folder in the
Value name column. Enter 0 in the Value column for each item.
PowerShell
WARNING
If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the
management software will overwrite any conflicting PowerShell settings on startup.
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator.
2. Enter the following cmdlet:
You can also use the Add-MpPreference PowerShell cmdlet to add new rules to the existing list.
WARNING
Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, you should
use Add-MpPreference instead. You can obtain a list of rules and their current state by using Get-MpPreference.
3. To exclude files and folders from ASR rules, use the following cmdlet:
IMPORTANT
Use Add-MpPreference to append or add apps to the list. Using the Set-MpPreference cmdlet will overwrite the
existing list.
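Added example, not part of the original topic, serving both the MDM section and this PowerShell section: it applies a rule set with Add-MpPreference, adds an exclusion, reads the effective state back, and builds the equivalent OMA-URI value string. The rule GUIDs are the ones in the MDM sample above; the exclusion path is a placeholder.

```powershell
# Added example, not from the original topic. Applies ASR rules with the same
# states as the MDM sample in this topic, adds an exclusion, reads the resulting
# state back, and builds the equivalent OMA-URI value string.
# Run from an elevated PowerShell prompt.

# Desired state keyed by rule GUID (GUIDs from the topic's MDM sample). Values
# are the names the -AttackSurfaceReductionRules_Actions parameter accepts.
$desired = [ordered]@{
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'AuditMode'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Enabled'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'AuditMode'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Enabled'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Disabled'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Enabled'
}

# Add-MpPreference merges with the existing rule list; Set-MpPreference would
# replace it (see the WARNING above). Ids and Actions are paired by position.
Add-MpPreference -AttackSurfaceReductionRules_Ids @($desired.Keys) `
                 -AttackSurfaceReductionRules_Actions @($desired.Values)

# An exclusion applies to every rule that honours exclusions and only takes
# effect after the excluded program restarts. Placeholder path.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Contoso\Updater.exe'

function Compare-AsrState {
    # Reads the effective rule states back. Actions come back as numbers with
    # the same meaning as the MDM values: 0 = Disable, 1 = Block, 2 = Audit.
    $actionName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $state = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { "Unknown($code)" }
        $expected = $desired[$id]
        $flag = if ($expected -and $expected -ne $state) { ' <-- differs from desired' } else { '' }
        '{0}  {1}{2}' -f $id, $state, $flag
    }
    'Exclusions: ' + (@($pref.AttackSurfaceReductionOnlyExclusions) -join ', ')
}

function New-AsrOmaUriValue {
    # Builds the value for ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
    # from the same table: {GUID}=n entries joined by '|', with no spaces.
    # With the $desired table above this reproduces the topic's sample value.
    $mdmCode = @{ 'Disabled' = 0; 'Enabled' = 1; 'AuditMode' = 2 }
    ($desired.GetEnumerator() | ForEach-Object {
        '{{{0}}}={1}' -f $_.Key, $mdmCode[$_.Value]
    }) -join '|'
}

Compare-AsrState
New-AsrOmaUriValue
```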
Related topics
Reduce attack surfaces with attack surface reduction rules
Evaluate attack surface reduction
Enable cloud-delivered protection
Customize attack surface reduction rules
8/27/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prerelease product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to
infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10
clients.
This topic describes how to customize attack surface reduction rules by excluding files and folders or adding
custom text to the notification alert that appears on a user's computer.
You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
WARNING
This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the
protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run,
and there will be no report or event recorded.
An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully
qualified ___domain name for a resource, but you cannot limit an exclusion to certain rules.
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion
for an update service that is already running, the update service will continue to trigger events until the service is
stopped and restarted.
Attack surface reduction supports environment variables and wildcards. For information about using wildcards,
see Use wildcards in the file name and folder path or extension exclusion lists. If you are encountering problems
with rules detecting files that you believe should not be detected, you should use audit mode first to test the rule.
Rule: Block untrusted and unsigned processes that run from USB. GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
See the attack surface reduction topic for details on each rule.
Use Group Policy to exclude files and folders
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Windows Defender
Exploit Guard > Attack surface reduction.
4. Double-click the Exclude files and paths from Attack surface reduction Rules setting and set the
option to Enabled. Click Show and enter each file or folder in the Value name column. Enter 0 in the
Value column for each item.
Use PowerShell to exclude files and folders
1. Type powershell in the Start menu, right-click Windows PowerShell and click Run as administrator.
2. Enter the following cmdlet:
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
IMPORTANT
Use Add-MpPreference to append or add apps to the list. Using the Set-MpPreference cmdlet will overwrite the existing
list.
Related topics
Reduce attack surfaces with attack surface reduction rules
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Windows Defender Firewall with Advanced Security
Deployment Guide
12/3/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least
Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network.
You can use Windows Defender Firewall to control access to the device from the network. You can create rules that
allow or block network traffic in either direction based on your business requirements. You can also create IPsec
connection security rules to help protect your data as it travels across the network from device to device.
Caution: We recommend that you use the techniques documented in this guide only for GPOs that must be
deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active
Directory ___domain does not match the deployment needs of these GPOs. These characteristics are typical of
GPOs for server and ___domain isolation scenarios, but are not typical of most other GPOs. When the OU
hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to
which the GPO applies.
In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs
can result in user or device accounts that are members of an excessive number of groups; this can result in
network connectivity problems if network protocol limits are exceeded.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can configure Windows Defender Antivirus with a number of tools, including:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The following broad categories of features can be configured:
Cloud-delivered protection
Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
How end-users interact with the client on individual endpoints
The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each
topic includes instructions for the applicable configuration tool (or tools).
You can also review the Reference topics for management and configuration tools topic for an overview of each
tool and links to further help.
In this section
Utilize Microsoft cloud-provided Windows Defender Antivirus protection: Cloud-delivered protection provides an advanced level of fast, robust antivirus detection.
Configure behavioral, heuristic, and real-time protection: Enable behavior-based, heuristic, and real-time antivirus protection.
Configure end-user interaction with Windows Defender Antivirus: Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings.
Use next-gen technologies in Windows Defender
Antivirus through cloud-delivered protection
11/20/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft next-generation technologies in Windows Defender Antivirus provide near-instant, automated
protection against new and emerging threats. To dynamically identify new threats, these technologies work with
large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence
(AI) systems driven by advanced machine learning models.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time,
and intelligent protection. Get to know the advanced technologies at the core of Microsoft Defender ATP next
generation protection.
To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works
seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced
Protection Service (MAPS), enhance standard real-time protection, providing arguably the best antivirus
defense.
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than
traditional Security intelligence updates.
With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes
even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender
Antivirus in action:
https://www.microsoft.com/videoplayer/embed/re1yu4b
To understand how next-gen technologies shorten protection delivery time through the cloud, watch the
following video:
https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59
Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
Why Windows Defender Antivirus is the most deployed in the enterprise
Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign
How artificial intelligence stopped an Emotet outbreak
Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses
Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen
malware
TIP
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working
and see how it works.
The following table describes the differences in cloud-delivered protection between recent versions of Windows
and System Center Configuration Manager.
[Table of cloud-delivered protection differences. Columns: Feature; Windows 8.1 (Group Policy); Windows 10, version 1607 (Group Policy); Windows 10, version 1703 (Group Policy); System Center Configuration Manager 2012; System Center Configuration Manager (Current Branch); Microsoft Intune. The row contents did not survive extraction.]
You can also configure Windows Defender AV to automatically receive new protection updates based on reports
from our cloud service.
In this section
Enable cloud-delivered protection: You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
Specify the cloud-delivered protection level: You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
Configure and validate network connections for Windows Defender Antivirus: There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
Configure the block at first sight feature: The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with System Center Configuration Manager and Group Policy.
Configure the cloud block timeout period: Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
Enable cloud-delivered protection
12/4/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than
traditional Security intelligence updates.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time,
and intelligent protection. Get to know the advanced technologies at the core of Microsoft Defender ATP next
generation protection.
You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune,
System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the
Windows Security app.
See Use Microsoft cloud-delivered protection for an overview of Windows Defender Antivirus cloud-delivered
protection.
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-
delivered protection service. See Configure and validate network connections for more details.
NOTE
In Windows 10, there is no difference between the Basic and Advanced options described in this topic. This is a legacy
distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in
the type or amount of information that is shared. See the Microsoft Privacy Statement for more information on what we
collect.
NOTE
Send safe samples automatically option means that most samples will be sent automatically. Files that
are likely to contain personal information will still prompt and require additional confirmation.
WARNING
Setting to Always Prompt will lower the protection state of the device. Setting to Never send means the
Block at First Sight feature will not function.
8. Click OK to exit the Windows Defender Antivirus settings pane, click OK to exit the Device
restrictions pane, and then click Save to save the changes to your Device restrictions profile.
For more information about Intune device profiles, including how to create and configure their settings, see
What are Microsoft Intune device profiles?
Use Configuration Manager to enable cloud-delivered protection:
See How to create and deploy antimalware policies: Cloud-protection service for details on configuring System
Center Configuration Manager (current branch).
Use Group Policy to enable cloud-delivered protection:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > MAPS
5. Double-click Join Microsoft MAPS and ensure the option is enabled and set to Basic MAPS or
Advanced MAPS. Click OK.
6. Double-click Send file samples when further analysis is required and ensure the option is set to
Enabled and the additional options are either of the following:
a. Send safe samples (1)
b. Send all samples (3)
NOTE
Send safe samples automatically option means that most samples will be sent automatically. Files that
are likely to contain personal information will still prompt and require additional confirmation.
WARNING
Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means
the Block at First Sight feature will not function.
7. Click OK.
Use PowerShell cmdlets to enable cloud-delivered protection:
Use the following cmdlets to enable cloud-delivered protection:
NOTE
You can also set -SubmitSamplesConsent to None. Setting it to Never will lower the protection state of the device, and
setting it to 2 means the Block at First Sight feature will not function.
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to enable cloud-delivered protection:
Use the Set method of the MSFT_MpPreference class for the following properties:
MAPSReporting
SubmitSamplesConsent
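Added example, not part of the original topic, covering both the cmdlet and WMI methods above: it joins MAPS and sets sample submission with Set-MpPreference, then reads and sets the same MSFT_MpPreference properties through CIM. The numeric values are the ones listed in the Group Policy steps above; if Tamper Protection is on, changes that weaken protection may be rejected.

```powershell
# Added example, not from the original topic: enable cloud-delivered protection
# with the Defender cmdlets, then verify and set the same two properties through
# the MSFT_MpPreference WMI/CIM class named in the WMI section.
# Run from an elevated PowerShell prompt.

# MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced (Basic and Advanced give
# the same protection on Windows 10, as the NOTE above says).
# SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend,
# 3 = SendAllSamples (same numbers as the Group Policy options above).
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

function Test-CloudProtectionConfig {
    # Prints the raw values and returns $true only when MAPS is joined and
    # samples are not set to NeverSend (NeverSend disables Block at First Sight).
    $p = Get-MpPreference
    $maps    = [int]$p.MAPSReporting
    $samples = [int]$p.SubmitSamplesConsent
    Write-Host ('MAPSReporting={0} SubmitSamplesConsent={1}' -f $maps, $samples)
    ($maps -ne 0) -and ($samples -ne 2)
}

# The same settings seen through WMI: the class lives in the Defender namespace.
$ns = 'root/Microsoft/Windows/Defender'
Get-CimInstance -Namespace $ns -ClassName MSFT_MpPreference |
    Select-Object MAPSReporting, SubmitSamplesConsent

# Equivalent of the two Set-MpPreference calls above, done through the class's
# static Set method with the property names the WMI section lists.
Invoke-CimMethod -Namespace $ns -ClassName MSFT_MpPreference -MethodName Set `
    -Arguments @{ MAPSReporting = [byte]2; SubmitSamplesConsent = [byte]1 } | Out-Null

Test-CloudProtectionConfig
```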
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus &
threat protection settings label:
3. Confirm that Cloud-based Protection and Automatic sample submission are switched to On.
NOTE
If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and
unavailable.
Related topics
Configure the cloud block timeout period
Configure block at first sight
Use PowerShell cmdlets to manage Windows Defender Antivirus
Help secure Windows PCs with Endpoint Protection for Microsoft Intune
Defender cmdlets
Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus
How to create and deploy antimalware policies: Cloud-protection service
Windows Defender Antivirus in Windows 10
Specify the cloud-delivered protection level
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and
System Center Configuration Manager.
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses
distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional
Security intelligence updates.
WARNING
While unlikely, setting this switch to High or High+ may cause some legitimate files to be detected (although you
will have the option to unblock or dispute that detection).
7. Click OK.
Related articles
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
How to create and deploy antimalware policies: Cloud-protection service
Configure and validate Windows Defender Antivirus
network connections
12/4/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your
network to allow connections between your endpoints and certain Microsoft servers.
This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for
validating your connection. Configuring your protection properly helps ensure that you receive the best value from
your cloud-delivered protection services.
See the blog post Important changes to Microsoft Active Protection Services endpoint for some details about
network connectivity.
TIP
You can also visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm the following features are
working:
Cloud-delivered protection
Fast learning (including block at first sight)
Potentially unwanted application blocking
NOTE
The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and
endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed
resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security
intelligence updates.
See Enable cloud-delivered protection for details on enabling the service with Intune, System Center Configuration
Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you may need to configure your network or firewall to allow connections between it
and your endpoints.
Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine
learning services. Do not exclude the URL *.blob.core.windows.net from any kind of network inspection. The table
below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules
denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL
*.blob.core.windows.net). The URLs listed below use port 443 for communication.
Service / Description / URL:
Security intelligence updates Alternate Download Location (ADL): Alternate ___location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind). URL: *.download.microsoft.com
Certificate Revocation List (CRL): Used by Windows when creating the SSL connection to MAPS for updating the CRL. URLs: https://www.microsoft.com/pkiops/crl/, https://www.microsoft.com/pkiops/certs, https://crl.microsoft.com/pki/crl/products, https://www.microsoft.com/pki/certs
Universal Telemetry Client: Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes. This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft using the following DNS endpoints: vortex-win.data.microsoft.com, settings-win.data.microsoft.com
For more information, see Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool.
Attempt to download a fake malware file from Microsoft:
You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected
to the cloud.
Download the file by visiting the following link:
https://aka.ms/ioavtest
NOTE
This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
If you are properly connected, you will see a warning Windows Defender Antivirus notification:
If you are using Microsoft Edge, you'll also see a notification message:
You will also see a detection under Quarantined threats in the Scan history section in the Windows Security app:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for
Defender.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Scan history
label:
3. Under the Quarantined threats section, click the See full history label to see the detected fake malware:
NOTE
Versions of Windows 10 before version 1703 have a different user interface. See Windows Defender Antivirus in the Windows
Security app.
The Windows event log will also show Windows Defender client event ID 2050.
IMPORTANT
You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify
your proxy servers and any network filtering tools manually to ensure connectivity.
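Added example, not part of the original topic, covering the URL table and the fake-file test above: it probes the listed hosts on TCP 443, runs the client's own MAPS connectivity check with MpCmdRun.exe, and looks for event ID 2050. The MpCmdRun.exe path and its -ValidateMapsConnection switch come from the mpcmdrun.exe documentation referenced above, not from this topic.

```powershell
# Added example, not from the original topic: check that an endpoint can reach
# the cloud-protection hosts listed above on TCP 443, run the client's own MAPS
# connectivity check, and look for the detection event the fake-file test
# produces. Wildcard entries (*.download.microsoft.com, *.blob.core.windows.net)
# cannot be probed by hostname and are therefore not in the list.

# Hostnames taken from the URL table in this topic.
$cloudHosts = @(
    'www.microsoft.com'
    'crl.microsoft.com'
    'vortex-win.data.microsoft.com'
    'settings-win.data.microsoft.com'
)

function Test-DefenderCloudEndpoints {
    # Direct TCP probe of each host on 443. Test-NetConnection does not use the
    # system proxy, so in a proxied network a failure here is not conclusive;
    # the MpCmdRun check below goes through the client's real configuration,
    # which is what the IMPORTANT note above asks you to verify.
    foreach ($h in $cloudHosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host          = $h
            Port443       = $r.TcpTestSucceeded
            RemoteAddress = $r.RemoteAddress
        }
    }
}

function Test-MapsConnection {
    # The client's built-in check (MpCmdRun.exe -ValidateMapsConnection).
    # Prints the tool's output and returns its exit code (0 = success).
    $exe = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $exe -ValidateMapsConnection | Write-Host
    $LASTEXITCODE
}

function Get-CloudDetectionEvents {
    # After downloading the fake file (https://aka.ms/ioavtest), this topic says
    # the Windows Defender client logs event ID 2050; pull the most recent ones.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 2050
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-DefenderCloudEndpoints | Format-Table -AutoSize
'MpCmdRun exit code: {0}' -f (Test-MapsConnection)
Get-CloudDetectionEvents
```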
Related articles
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
Run a Windows Defender Antivirus scan from the command line and Command line arguments
Important changes to Microsoft Active Protection Services endpoint
Protect security settings with Tamper Protection
12/7/2019 • 5 minutes to read
Applies to:
Windows 10
Overview
During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on
your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data,
identity, and devices. Tamper Protection helps prevent this from occurring.
With Tamper Protection, malicious apps are prevented from taking actions like these:
Disabling virus and threat protection
Disabling real-time protection
Turning off behavior monitoring
Disabling antivirus (such as IOfficeAntivirus (IOAV))
Disabling cloud-delivered protection
Removing security intelligence updates
How it works
Tamper Protection essentially locks Windows Defender Antivirus and prevents your security settings from being
changed through apps and methods like these:
Configuring settings in Registry Editor on your Windows machine
Changing settings through PowerShell cmdlets
Editing or removing security settings through group policies
and so on.
Tamper Protection doesn't prevent you from viewing your security settings. And, Tamper Protection doesn't affect
how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10
Enterprise E5, individual users can't change the Tamper Protection setting; this is managed by your security team.
What do you want to do?
Turn Tamper Protection on (or off) for an individual machine using Windows Security
Turn Tamper Protection on (or off) for your organization using Intune
Turn Tamper Protection on (or off) for your organization using Intune
If you are part of your organization's security team, you can turn Tamper Protection on (or off) for your
organization in the Microsoft 365 Device Management portal (Intune). (This feature is rolling out now; if you don't
have it yet, you should very soon, assuming your organization has Microsoft Defender Advanced Threat Protection
(Microsoft Defender ATP) and that you meet the prerequisites listed below.)
You must have appropriate permissions, such as global admin, security admin, or security operations, to perform
the following task.
1. Make sure your organization meets the following requirements:
Your organization must have Microsoft Defender ATP E5 (this is included in Microsoft 365 E5. See
Microsoft 365 Enterprise overview for more details.)
Your organization's devices must be managed by Intune.
Your Windows machines must be running Windows OS 1903 or later.
You must be using Windows security with security intelligence updated to version 1.287.60.0 (or above)
Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware
engine version 1.1.15500.X (or above). (See Manage Windows Defender Antivirus updates and apply
baselines.)
2. Go to the Microsoft 365 Device Management portal ( https://devicemanagement.microsoft.com) and sign in
with your work or school account.
3. Select Device configuration > Profiles.
4. Create a profile that includes the following settings:
Platform: Windows 10 and later
ProfileType: Endpoint protection
Settings > Windows Defender Security Center > Tamper Protection
5. Assign the profile to one or more groups.
NOTE
A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Windows
Defender Antivirus features protected by Tamper Protection. To avoid any potential delays, it is recommended to remove
settings that control Windows Defender Antivirus related behavior from GPO and simply allow Tamper Protection to protect
Windows Defender Antivirus settings.
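The following PowerShell script is an added example, not part of the Microsoft documentation above. It checks an endpoint against the prerequisites listed in step 1 (OS version, platform, engine and security intelligence versions) and reports whether Tamper Protection is currently active, so a security team can see why a device is not picking up the Intune profile. It assumes the Defender PowerShell module (Get-MpComputerStatus) that ships with Windows 10, including the IsTamperProtected property exposed on version 1903 and later; the mapping of version 1903 to OS build 18362 is the author's assumption. The script is read-only.

```powershell
# Added example (not from the Microsoft docs page): checks a Windows 10 machine
# against the Tamper Protection prerequisites listed above and reports whether
# Tamper Protection is currently active. Read-only; it changes nothing.
# Assumes the Defender PowerShell module (Get-MpComputerStatus) on Windows 10 1903+.

function Test-TamperProtectionPrereqs {
    [CmdletBinding()]
    param(
        # Minimum versions taken from the page's prerequisite list.
        [version]$MinPlatform   = '4.18.1906.3',
        [version]$MinEngine     = '1.1.15500.0',   # page says 1.1.15500.X
        [version]$MinSignatures = '1.287.60.0',
        [int]$MinBuild = 18362                     # Windows 10, version 1903 (assumed mapping)
    )

    $status = Get-MpComputerStatus
    $build  = [System.Environment]::OSVersion.Version.Build

    # Each check is named so a failing one can be reported by name.
    $checks = [ordered]@{
        "OS build >= $MinBuild (version 1903)"     = ($build -ge $MinBuild)
        "Platform >= $MinPlatform"                 = ([version]$status.AMProductVersion -ge $MinPlatform)
        "Engine >= $MinEngine"                     = ([version]$status.AMEngineVersion -ge $MinEngine)
        "Security intelligence >= $MinSignatures"  = ([version]$status.AntivirusSignatureVersion -ge $MinSignatures)
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        TamperProtected = [bool]$status.IsTamperProtected
        PrereqsMet      = -not ($checks.Values -contains $false)
        FailedChecks    = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
    }
}

# Usage: run in an elevated PowerShell session on the endpoint.
Test-TamperProtectionPrereqs | Format-List
```

A device that reports PrereqsMet = True but TamperProtected = False after the Intune profile has been assigned usually has not yet synced the profile; a device with a non-empty FailedChecks list needs the platform or signature update first.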
For Microsoft Defender ATP E5, is configuring Tamper Protection in Intune targeted to the entire organization
only?
Configuring Tamper Protection in Intune can be targeted to your entire organization as well as to devices and user
groups with Intune.
Can I configure Tamper Protection in System Center Configuration Manager?
Currently we do not have support to manage Tamper Protection through System Center Configuration Manager.
I have the Windows E3 enrollment. Can I use configuring Tamper Protection in Intune?
Currently, configuring Tamper Protection in Intune is only available for customers who have Microsoft Defender
Advanced Threat Protection E5.
What happens if I try to change Microsoft Defender ATP settings in Intune, System Center Configuration
Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
You won’t be able to change the features that are protected by Tamper Protection; those change requests are
ignored.
I’m an enterprise customer. Can local admins change Tamper Protection on their devices?
No. Local admins cannot change or modify Tamper Protection settings.
What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state?
In this case, Tamper Protection status changes, and this feature is no longer applied.
Will there be an alert about Tamper Protection status changing in the Microsoft Defender Security Center?
Yes. The alert is shown in https://securitycenter.microsoft.com under Alerts.
In addition, your security operations team can use hunting queries, such as the following:
AlertEvents | where Title == "Tamper Protection bypass"
Related resources
Windows 10 Enterprise Security
Help secure Windows PCs with Endpoint Protection for Microsoft Intune
Microsoft 365 Enterprise overview (at a glance)
Microsoft Defender ATP E5
Enable block at first sight
11/20/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Block at first sight is a feature of next-generation protection that provides a way to detect and block new
malware within seconds. This protection is enabled by default when certain prerequisite settings are also
enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without
any intervention.
You can specify how long the file should be prevented from running while the cloud-based protection service
analyzes the file. And, you can customize the message displayed on users' desktops when a file is blocked. You
can change the company name, contact information, and message URL.
TIP
Visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm the features are working and see
how they work.
How it works
When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection
backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine
whether the files are malicious or clean.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time,
and intelligent protection. Get to know the advanced technologies at the core of Microsoft Defender ATP next
generation protection.
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS,
or macros) as well as executable files.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files
that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is
checked via the cloud backend to determine if this is a previously undetected file.
If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a
copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file
to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
In many cases, this process can reduce the response time for new malware from hours to seconds.
NOTE
The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
WARNING
Setting the file blocking level to High will apply a strong level of detection. In the unlikely event that it causes a
false positive detection of legitimate files, use the option to restore the quarantined files.
For more information about configuring Windows Defender Antivirus device restrictions in Intune, see
Configure device restriction settings in Microsoft Intune.
For a list of Windows Defender Antivirus device restrictions in Intune, see Device restriction for Windows 10
(and newer) settings in Intune.
Enable block at first sight with SCCM
1. In System Center Configuration Manager, click Assets and Compliance > Endpoint Protection >
AntiMalware Policies.
2. Click Home > Create Antimalware Policy.
3. Enter a name and a description, and add these settings:
Real time protection
Advanced
Cloud Protection Service
4. In the left column, click Real time protection, set Enable real-time protection to Yes, and set Scan
system files to Scan incoming and outgoing files.
5. Click Advanced, set Enable real-time protection to Yes, and set Scan system files to Scan incoming
and outgoing files.
6. Click Cloud Protection Service, set Cloud Protection Service membership type to Advanced
membership, set Level for blocking malicious files to High, and set Allow extended cloud check
to block and scan suspicious files for up to (seconds) to 50 seconds.
7. Click OK to create the policy.
Confirm block at first sight is enabled with Group Policy
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > MAPS, configure the
following Group Policies, and then click OK:
Double-click Join Microsoft MAPS and ensure the option is set to Enabled. Click OK.
Double-click Send file samples when further analysis is required and ensure the option is set
to Enabled and the additional options are either Send safe samples (1) or Send all samples (3).
WARNING
Setting to Always prompt (0) will lower the protection state of the device. Setting to Never send (2) means block
at first sight will not function.
4. In the Group Policy Management Editor, expand the tree to Windows components > Windows
Defender Antivirus > Real-time Protection:
a. Double-click Scan all downloaded files and attachments and ensure the option is set to
Enabled, and then click OK.
b. Double-click Turn off real-time protection and ensure the option is set to Disabled, and then
click OK.
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to
ensure all endpoints are covered.
Confirm block at first sight is enabled with the Windows Security app
You can confirm that block at first sight is enabled in Windows Settings.
Block at first sight is automatically enabled as long as Cloud-based protection and Automatic sample
submission are both turned on.
Confirm Block at First Sight is enabled on individual clients
1. Open the Windows Security app by clicking the shield icon in the task bar.
2. Click the Virus & threat protection tile (or the shield icon on the left menu bar) and then click Manage
Settings under Virus & threat protection settings:
3. Confirm that Cloud-based Protection and Automatic sample submission are switched to On.
NOTE
If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be
greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be
deployed to individual endpoints before the setting will be updated in Windows Settings.
You may choose to disable block at first sight if you want to retain the prerequisite settings without using block
at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the
feature's impact on your network.
Disable block at first sight with Group Policy
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure, and then click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree through Windows components > Windows Defender Antivirus > MAPS.
4. Double-click Configure the 'Block at First Sight' feature and set the option to Disabled.
NOTE
Disabling block at first sight will not disable or alter the prerequisite group policies.
Related topics
Windows Defender Antivirus in Windows 10
Enable cloud-delivered protection
Configure the cloud block timeout period
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the
Windows Defender Antivirus cloud service.
The default period that the file will be blocked is 10 seconds. You can specify an additional period of time to wait
before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from
the Windows Defender Antivirus cloud service.
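The following PowerShell is an added example, not code from the Microsoft documentation, and it serves both the block at first sight topic above and this cloud block timeout topic. It reads the Get-MpPreference values that correspond to the prerequisites the documentation names (cloud-delivered protection via MAPS, automatic sample submission, real-time protection, scanning of downloaded files and attachments, and the block at first sight policy itself) and reports whether the feature can operate; a second function raises the additional hold period (0 to 50 seconds on top of the default 10 seconds). It assumes the Defender PowerShell module on Windows 10 or Windows Server 2016 and an elevated session for the Set- function.

```powershell
# Added example (not from the page): reports the Get-MpPreference settings behind
# block at first sight and, optionally, raises the extended cloud check timeout.
# Assumes the Defender PowerShell module (Get-MpPreference / Set-MpPreference).

function Get-BlockAtFirstSightState {
    $p = Get-MpPreference
    # SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples, 2 = Never send, 3 = Send all samples.
    # Block at first sight needs 1 or 3 (the same values the Group Policy section names).
    $samplesOk = $p.SubmitSamplesConsent -in 1, 3
    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced. The machine must be joined to MAPS.
    $mapsOk = $p.MAPSReporting -ne 0

    [pscustomobject]@{
        CloudProtectionJoined   = $mapsOk
        SampleSubmissionOk      = $samplesOk
        RealtimeProtection      = -not $p.DisableRealtimeMonitoring
        ScanDownloadsAndMail    = -not $p.DisableIOAVProtection
        BlockAtFirstSightPolicy = -not $p.DisableBlockAtFirstSeen
        CloudBlockLevel         = $p.CloudBlockLevel        # 0 = Default, 2 = High
        ExtendedTimeoutSeconds  = $p.CloudExtendedTimeout   # extra seconds on top of the 10-second default
        Effective               = ($mapsOk -and $samplesOk -and
                                   -not $p.DisableRealtimeMonitoring -and
                                   -not $p.DisableIOAVProtection -and
                                   -not $p.DisableBlockAtFirstSeen)
    }
}

function Set-CloudBlockTimeout {
    # Adds up to 50 seconds to the default 10-second hold while the cloud service decides.
    param([ValidateRange(0, 50)][int]$ExtraSeconds = 50)
    Set-MpPreference -CloudExtendedTimeout $ExtraSeconds
}

# Usage:
Get-BlockAtFirstSightState | Format-List
# Set-CloudBlockTimeout -ExtraSeconds 50
```

If Effective is False, the field that reads False is the prerequisite to fix; when Group Policy manages these values, change the GPO rather than calling Set-MpPreference, because the local change is overwritten at the next policy refresh.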
Related topics
Windows Defender Antivirus in Windows 10
Use next-generation antivirus technologies through cloud-delivered protection
Configure block at first sight
Enable cloud-delivered protection
Configure behavioral, heuristic, and real-time
protection
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus uses several methods to provide threat protection:
Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time
protection")
Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center
Configuration Manager, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed
unsafe, but may not be detected as malware.
See Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection for how to
enable and configure Windows Defender Antivirus cloud-delivered protection.
In this section
TOPIC | DESCRIPTION
Detect and block potentially unwanted applications | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
Enable and configure Windows Defender Antivirus protection capabilities | Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features
Detect and block potentially unwanted applications
12/4/2019 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Edge
Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might
perform actions on endpoints which adversely affect endpoint performance or use. PUA can also refer to an
application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable
behavior.
For example:
Advertising software: Software that displays advertisements or promotions, including software that inserts
advertisements to webpages.
Bundling software: Software that offers to install other software that is not digitally signed by the same entity.
Also, software that offers to install other software that qualify as PUA.
Evasion software: Software that actively tries to evade detection by security products, including software that
behaves differently in the presence of security products.
For more examples and a discussion of the criteria we use to label applications for special attention from security
features, see How Microsoft identifies malware and potentially unwanted applications.
Potentially unwanted applications can increase the risk of your network being infected with actual malware, make
malware infections harder to identify, or waste IT resources in cleaning them up.
How it works
Microsoft Edge
The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application
downloads and associated resource URLs. This feature is provided via Windows Defender SmartScreen.
Enable PUA protection in Chromium-based Microsoft Edge
Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can
easily be turned on from within the browser.
1. From the tool bar, select Settings and more > Settings
2. Select Privacy and services
3. Under the Services section, you can toggle Potentially unwanted app blocking on or off
TIP
If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by
testing it out on one of our Windows Defender SmartScreen demo pages.
NOTE
This feature is only available in Windows 10.
Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them.
Blocked PUA files are then moved to quarantine.
When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user (unless
notifications have been disabled) in the same format as other threat detections. The notification will be prefaced
with PUA: to indicate its content.
The notification will appear in the usual quarantine list within the Windows Security app.
Configure PUA protection in Windows Defender Antivirus
You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via
PowerShell cmdlets.
You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the
Windows event log.
TIP
You can visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm that the feature is working,
and see it in action.
PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd
like to avoid any false positives.
Use Intune to configure PUA protection
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction
settings for Windows 10 in Intune for more details.
Use Configuration Manager to configure PUA protection
PUA protection is enabled by default in the System Center Configuration Manager (Current Branch), starting with
version 1606.
See How to create and deploy antimalware policies: Scheduled scans settings for details on configuring System
Center Configuration Manager (Current Branch).
For Configuration Manager 2012, see How to Deploy Potentially Unwanted Application Protection Policy for
Endpoint Protection in Configuration Manager.
NOTE
PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in System Center
Configuration Manager.
Use Group Policy to configure PUA protection
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure, and select Edit.
2. In the Group Policy Management Editor, go to Computer configuration and select Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus.
4. Double-click Configure protection for potentially unwanted applications.
5. Select Enabled to enable PUA protection.
6. In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the
setting will work in your environment. Select OK.
Use PowerShell cmdlets to configure PUA protection
Set-MpPreference -PUAProtection Enabled
Setting the value for this cmdlet to Enabled will turn the feature on if it has been disabled.
Setting AuditMode (Set-MpPreference -PUAProtection AuditMode) will detect PUAs without blocking them.
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
View PUA events
PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in
Intune.
You can turn on email notifications to receive mail about PUA detections.
See Troubleshoot event IDs for details on viewing Windows Defender Antivirus events. PUA events are recorded
under event ID 1160.
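The following PowerShell is an added example, not from the Microsoft documentation. It puts PUA protection into the audit mode described above and then pulls the resulting PUA detections (event ID 1160) out of the Windows Defender operational event log, which is where the documentation says they are recorded, so that a compliance check can review what would have been blocked before the setting is switched to Enabled. It assumes the Defender PowerShell module and the Microsoft-Windows-Windows Defender/Operational log on a Windows 10 or Windows Server 2016 host, run in an elevated session.

```powershell
# Added example (not from the page): enable PUA audit mode, then list PUA
# detections (event ID 1160) from the Windows Defender operational log.
# Assumes the Defender PowerShell module; run elevated.

function Enable-PuaAuditMode {
    Set-MpPreference -PUAProtection AuditMode
    # Read the value back: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    (Get-MpPreference).PUAProtection
}

function Get-PuaDetections {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1160                     # PUA detection, per the page
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when no events match; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                # The first line of the message names the threat (prefixed "PUA:") and the path.
                Summary = ($_.Message -split "`r?`n")[0]
                Message = $_.Message
            }
        }
}

# Usage: switch to audit mode, then review the last week of detections.
Enable-PuaAuditMode
Get-PuaDetections -Days 7 | Sort-Object Time -Descending | Format-Table Time, Summary -AutoSize
```

Review the Summary column for legitimate line-of-business software before moving to Enabled; anything that must stay has to be allow-listed as described in the next section, since in Block mode the file is quarantined rather than reported.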
Allow-listing apps
Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In
these cases, a file can be allow-listed. See How to Configure Endpoint Protection in Configuration Manager for
information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus.
Related articles
Next-generation protection
Configure behavioral, heuristic, and real-time protection
Enable and configure Windows Defender Antivirus
always-on protection in Group Policy
12/16/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify
malware based on known suspicious and malicious activities.
These activities include events, such as processes making unusual changes to existing files, modifying or
creating automatic startup registry keys and startup locations (also known as auto-start extensibility points,
or ASEPs), and other changes to the file system or file structure.
Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
b. In the Real-time Protection details pane on right, double-click the policy setting as specified in
the following table:
SETTING | DESCRIPTION | DEFAULT SETTING
Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled
Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled
Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled
Configure local setting override for turn on behavior monitoring | Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled
Configure local setting override for scanning all downloaded files and attachments | Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled
Configure local setting override for monitoring file and program activity on your computer | Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled
Configure local setting override to turn on real-time protection | Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled
Configure local setting override for monitoring for incoming and outgoing file activity | Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled
Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions)
The main real-time protection capability is enabled by default, but you can disable it by using Local Group
Policy Editor.
To disable real-time protection in Group policy:
1. Open Local Group Policy Editor.
a. In your Windows 10 taskbar search box, type gpedit.
b. Under Best match, click Edit group policy to launch Local Group Policy Editor.
2. In the left pane of Local Group Policy Editor, expand the tree to Computer Configuration >
Administrative Templates > Windows Components > Windows Defender Antivirus > Real-time Protection.
3. In the Real-time Protection details pane on right, double-click Turn off real-time protection.
4. In the Turn off real-time protection setting window, set the option to Enabled.
5. Click OK.
6. Close Local Group Policy Editor.
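The following PowerShell is an added example, not from the Microsoft documentation. It reports the PowerShell-visible state of the always-on protection settings from the table above (real-time protection, behavior monitoring, scanning of downloaded files and attachments, on-access monitoring, and scan direction), so an analyst can confirm that endpoints still match the documented defaults after a Group Policy change such as the one in the procedure above. The mapping of Get-MpPreference properties to the Group Policy setting names is the author's, and the script assumes the Defender PowerShell module on Windows 10. It changes nothing.

```powershell
# Added example (not from the page): compares the always-on protection settings
# visible through Get-MpPreference with the defaults given in the table above.
# Read-only. Assumes the Defender PowerShell module.

function Get-AlwaysOnProtectionState {
    $p = Get-MpPreference
    # RealTimeScanDirection: 0 = both directions, 1 = incoming only, 2 = outgoing only
    $direction = switch ($p.RealTimeScanDirection) {
        0 { 'Both' } 1 { 'Incoming' } 2 { 'Outgoing' } default { "Unknown ($_)" }
    }

    $rows = @(
        [pscustomobject]@{ GroupPolicySetting = 'Turn off real-time protection'
                           Expected = 'Disabled'
                           Actual   = $(if ($p.DisableRealtimeMonitoring) { 'Enabled' } else { 'Disabled' }) }
        [pscustomobject]@{ GroupPolicySetting = 'Turn on behavior monitoring'
                           Expected = 'Enabled'
                           Actual   = $(if ($p.DisableBehaviorMonitoring) { 'Disabled' } else { 'Enabled' }) }
        [pscustomobject]@{ GroupPolicySetting = 'Scan all downloaded files and attachments'
                           Expected = 'Enabled'
                           Actual   = $(if ($p.DisableIOAVProtection) { 'Disabled' } else { 'Enabled' }) }
        [pscustomobject]@{ GroupPolicySetting = 'Monitor file and program activity on your computer'
                           Expected = 'Enabled'
                           Actual   = $(if ($p.DisableOnAccessProtection) { 'Disabled' } else { 'Enabled' }) }
        [pscustomobject]@{ GroupPolicySetting = 'Configure monitoring for incoming and outgoing file and program activity'
                           Expected = 'Both'
                           Actual   = $direction }
    )

    # Flag every row whose live value differs from the documented default.
    $rows | ForEach-Object {
        $_ | Add-Member -NotePropertyName MatchesDefault -NotePropertyValue ($_.Expected -eq $_.Actual) -PassThru
    }
}

# Usage:
Get-AlwaysOnProtectionState | Format-Table -AutoSize
```

A row with MatchesDefault = False after the "Turn off real-time protection" procedure is expected for that one setting; any other mismatch on a machine you did not change is worth investigating, since the page lists these as the protections that monitor ASEP and file-system changes.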
Related articles
Configure behavioral, heuristic, and real-time protection
Windows Defender Antivirus in Windows 10
Windows Defender Antivirus on Windows Server 2016
9/11/2019 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint
Protection; however, the protection engine is the same.
While the functionality, configuration, and management are largely the same for Windows Defender AV on
Windows 10 and on Windows Server 2016, there are a few key differences:
In Windows Server 2016, automatic exclusions are applied based on your defined Server Role.
In Windows Server 2016, Windows Defender AV will not disable itself if you are running another antivirus
product.
This topic includes the following instructions for setting up and running Windows Defender AV on a server
platform:
Enable the interface
Verify Windows Defender AV is running
Update antimalware Security intelligence
Submit Samples
Configure automatic exclusions
NOTE
You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
If the interface is not installed, you can add it in the Add Roles and Features Wizard at the Features step, under
Windows Defender Features by selecting the GUI for Windows Defender option.
See the Install or uninstall roles, role services, or features topic for information on using the wizard.
The following PowerShell cmdlet will also enable the interface:
To hide the interface, use the Remove Roles and Features Wizard and deselect the GUI for Windows
Defender option at the Features step, or use the following PowerShell cmdlet:
IMPORTANT
Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you
disable the core Windows Defender feature.
The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016:
To install Windows Defender AV again, use the Add Roles and Features Wizard and ensure the Windows
Defender feature is selected. You can also enable the interface by selecting the GUI for Windows Defender
option.
You can also use the following PowerShell cmdlet to install Windows Defender AV:
TIP
Event messages for the antimalware engine included with Windows Defender AV can be found in Windows Defender AV
Events.
To verify that firewall protection through Windows Defender is turned on, run the following PowerShell cmdlet:
As an alternative to PowerShell, you can use Command Prompt to verify that Windows Defender AV is running.
To do that, run the following command from a command prompt:
sc query Windefend
The sc query command returns information about the Windows Defender service. If Windows Defender is
running, the STATE value displays RUNNING.
Windows Defender Service (Windefend) | C:\Program Files\Windows Defender\MsMpEng.exe | This is the main Windows Defender Antivirus service that needs to be running at all times.
Windows Error Reporting Service (Wersvc) | C:\WINDOWS\System32\svchost.exe -k WerSvcGroup | This service sends error reports back to Microsoft.
Submit Samples
Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide
continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and
produce updated antimalware Security intelligence.
We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal
data, like Microsoft Word documents and PDF files.
Enable automatic sample submission
To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the
SubmitSamplesConsent value data according to one of the following settings:
0 Always prompt. The Windows Defender service prompts you to confirm submission of all required files.
This is the default setting for Windows Defender, but is not recommended for Windows Server 2016
installations without a GUI.
1 Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and
prompts for the remainder of the files.
2 Never send. The Windows Defender service does not prompt and does not send any files.
3 Send all samples automatically. The Windows Defender service sends all files without a prompt for
confirmation.
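The following PowerShell is an added example, not the cmdlets from the Microsoft documentation (whose own cmdlet lines did not survive extraction above). It covers the four tasks this topic describes for Windows Server 2016: enabling or hiding the interface, verifying that the Windows Defender AV service is running, and setting the SubmitSamplesConsent value. The feature names Windows-Defender and Windows-Defender-GUI are the standard Server Manager feature names on Windows Server 2016; the script assumes the ServerManager and Defender PowerShell modules and an elevated session.

```powershell
# Added example (not from the page): Windows Server 2016 Defender AV housekeeping.
# Feature names are the standard Server Manager names (Windows-Defender, Windows-Defender-GUI).
# Assumes the ServerManager and Defender modules; run elevated.

function Get-DefenderServerState {
    $features = Get-WindowsFeature -Name Windows-Defender, Windows-Defender-GUI
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EngineFeatureInstalled = ($features | Where-Object Name -eq 'Windows-Defender').Installed
        GuiFeatureInstalled    = ($features | Where-Object Name -eq 'Windows-Defender-GUI').Installed
        # Equivalent to "sc query Windefend": STATE should be Running.
        WinDefendStatus        = $(if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' })
        # 0 = Always prompt, 1 = Send safe samples, 2 = Never send, 3 = Send all samples
        SubmitSamplesConsent   = $(if ($svc) { (Get-MpPreference).SubmitSamplesConsent } else { $null })
    }
}

# Show or hide the GUI without touching the engine (the wizard's "GUI for Windows Defender" option).
function Enable-DefenderInterface  { Install-WindowsFeature   -Name Windows-Defender-GUI }
function Disable-DefenderInterface { Uninstall-WindowsFeature -Name Windows-Defender-GUI }

function Set-SampleSubmission {
    # 0 (Always prompt) is the default but unsuitable for installations without a GUI, as the page notes.
    param([ValidateSet(0, 1, 2, 3)][int]$Consent = 1)
    Set-MpPreference -SubmitSamplesConsent $Consent
}

# Usage:
Get-DefenderServerState | Format-List
# Set-SampleSubmission -Consent 1   # send safe samples automatically
```

On a Server Core installation, a SubmitSamplesConsent of 0 means the prompt can never be answered, so submissions silently do not happen; set 1 or 3 there, which is also what block at first sight requires.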
Related topics
Windows Defender Antivirus in Windows 10
Configure exclusions in Windows Defender AV on Windows Server
Windows Defender Antivirus compatibility
11/20/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are
running Windows 10.
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app,
Windows Defender Antivirus will automatically disable itself.
If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender AV will enter
a passive mode. Important: in passive mode, Windows Defender AV does not provide real-time protection, and
threats will not be remediated by Windows Defender AV.
The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus
products or Microsoft Defender ATP are also used.
WINDOWS VERSION | ANTIMALWARE PROTECTION OFFERED BY | ORGANIZATION ENROLLED IN MICROSOFT DEFENDER ATP | WINDOWS DEFENDER AV STATE
(1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have
also installed a third-party antivirus product. If you install a third-party antivirus product, you should
uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple
antivirus products installed on a machine. If you are using Windows Server, version 1803 or Windows
Server 2019, you can enable passive mode by setting this registry key:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: ForceDefenderPassiveMode
Value: 1
See the Windows Defender Antivirus on Windows Server 2016 topic for key differences and management
options for Windows Server installations.
IMPORTANT
Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.
In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as System Center
Endpoint Protection, which is managed through System Center Configuration Manager.
Windows Defender is also offered for consumer devices on Windows 8.1 and Windows Server 2012, although it does
not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
This table indicates the functionality and features that are available in each state:
STATE | DESCRIPTION | REAL-TIME PROTECTION AND CLOUD-DELIVERED PROTECTION | LIMITED PERIODIC SCANNING AVAILABILITY | FILE SCANNING AND DETECTION INFORMATION | THREAT REMEDIATION | SECURITY INTELLIGENCE UPDATES
Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service.
Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated.
If you are enrolled in Microsoft Defender ATP and you are using a third-party antimalware product, then passive mode is enabled because the service requires common information sharing from the Windows Defender AV service in order to properly monitor your devices and network for intrusion attempts and attacks.
Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product
expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows
Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It
also allows you to enable limited periodic scanning, which uses the Windows Defender AV engine to
periodically check for threats in addition to your main antivirus app.
In passive and automatic disabled mode, you can still manage updates for Windows Defender AV, however
you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date
third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your
endpoints, Windows Defender AV will automatically return to its normal active mode.
WARNING
You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV,
Microsoft Defender ATP, or the Windows Security app.
This includes the wscsvc, SecurityHealthService, MsSense, Sense, WinDefend, or MsMpEng services and process.
Manually modifying these services can cause severe instability on your endpoints and open your network to
infections and attacks.
It can also cause problems when using third-party antivirus apps and how their information is displayed in the
Windows Security app.
Related topics
Windows Defender Antivirus in Windows 10
Windows Defender Antivirus on Windows Server 2016
Use limited periodic scanning in Windows Defender Antivirus
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have
installed another antivirus product on a Windows 10 device.
It can only be enabled in certain situations. For more information about limited periodic scanning and how
Microsoft Defender Antivirus works with other antivirus products, see Windows Defender Antivirus compatibility.
Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily
intended for consumers. This feature only uses a limited subset of the Windows Defender Antivirus capabilities
to detect malware, and will not be able to detect most malware and potentially unwanted software. Also,
management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary
antivirus solution and use it exclusively.
Sliding the switch to On will show the standard Windows Defender AV options underneath the third-party AV product. The limited periodic scanning option will appear at the bottom of the page.
Related articles
Configure behavioral, heuristic, and real-time protection
Windows Defender Antivirus in Windows 10
Deploy, manage, and report on Windows Defender Antivirus
11/20/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional
deployment of a client to your endpoints does not apply.
However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, System Center Configuration Manager, Azure Security Center, or Group Policy Objects, as described in the following table.
You'll also see additional links for:
Managing Windows Defender Antivirus protection, including managing product and protection updates
Reporting on Windows Defender Antivirus protection
IMPORTANT
In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running
and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will
function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows
Defender Antivirus.
Tool: Microsoft Intune
Deployment options (2): Add endpoint protection settings in Intune
Management options (network-wide configuration and policy or baseline deployment) (3): Configure device restriction settings in Intune
Reporting options: Use the Intune console to manage devices

Tool: System Center Configuration Manager (1)
Deployment options (2): Use the Endpoint Protection point site system role and enable Endpoint Protection with custom client settings
Management options (3): With default and customized antimalware policies and client management
Reporting options: With the default Configuration Manager Monitoring workspace and email alerts

Tool: Group Policy and Active Directory (___domain-joined)
Deployment options (2): Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.
Management options (3): Use Group Policy Objects (GPOs) to Configure update options for Windows Defender Antivirus and Configure Windows Defender features
Reporting options: Endpoint reporting is not available with Group Policy. You can generate a list of Group Policies to determine if any settings or policies are not applied

Tool: PowerShell
Deployment options (2): Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.
Management options (3): Use the Set-MpPreference and Update-MpSignature cmdlets available in the Defender module.
Reporting options: Use the appropriate Get- cmdlets available in the Defender module

Tool: Windows Management Instrumentation
Deployment options (2): Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.
Management options (3): Use the Set method of the MSFT_MpPreference class and the Update method of the MSFT_MpSignature class
Reporting options: Use the MSFT_MpComputerStatus class and the get method of associated classes in the Windows Defender WMIv2 Provider
1. The availability of some functions and features, especially those related to cloud-delivered protection, differs between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See Use Microsoft cloud-provided protection in Windows Defender Antivirus for a table that describes the major differences. (Return to table)
2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date (except on Windows Server 2016). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. (Return to table)
3. Configuration of features and protection, including configuring product and protection updates, is further described in the Configure Windows Defender Antivirus features section in this library. (Return to table)
In this section
Topic: Deploy and enable Windows Defender Antivirus protection
Description: While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
Topic: Manage Windows Defender Antivirus updates and apply baselines
Description: There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
Topic: Monitor and report on Windows Defender Antivirus protection
Description: You can use Microsoft Intune, System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
Deploy and enable Windows Defender Antivirus
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Depending on the management tool you are using, you may need to specifically enable or configure Windows
Defender Antivirus protection.
See the table in Deploy, manage, and report on Windows Defender Antivirus for instructions on how to enable protection with Microsoft Intune, System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
The remaining topic in this section provides end-to-end advice and best practices for setting up Windows Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment.
Related topics
Windows Defender Antivirus in Windows 10
Deploy, manage updates, and report on Windows Defender Antivirus
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
12/4/2019 • 10 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
See the Microsoft Desktop virtualization site for more details on Microsoft Remote Desktop Services and VDI
support.
For Azure-based virtual machines, you can also review the Install Endpoint Protection in Azure Security Center
topic.
With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you
can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a
periodic basis, as updates are expanded into their component bits on the host server and then downloaded
directly to the VM when it's turned on.
This guide will show you how to configure your VMs for optimal protection and performance, including how to:
Set up a dedicated VDI file share for security intelligence updates
Randomize scheduled scans
Use quick scans
Prevent notifications
Disable scans from occurring after every update
Scan out-of-date machines or machines that have been offline for a while
Apply exclusions
You can also download the whitepaper Windows Defender Antivirus on Virtual Desktop Infrastructure which
looks at the new shared security intelligence update feature, alongside performance testing and guidance on how
you can test antivirus performance on your own VDI.
IMPORTANT
While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, version 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
NOTE
There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines
in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview
build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
See the Download and unpackage section for what the <shared ___location> will be.
Download and unpackage the latest updates
Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script
for you below. This script is the easiest way to download new updates and get them ready for your VMs. You
should then set the script to run at a certain time on the management machine by using a scheduled task (or, if
you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those).
$vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-'   # GUID-named folder; the last 12 digits become the download timestamp
$vdmpathtime = Get-Date -format "yMMddHHmmss"
$vdmpath = $vdmpathbase + $vdmpathtime + '}'
$vdmpackage = $vdmpath + '\mpam-fe.exe'
$extractArgs = @("/x")   # /x extracts the package in place (renamed from $args, which is a PowerShell automatic variable)
New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null   # create the new GUID folder for this run
Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage   # x64 security intelligence package
Start-Process -FilePath $vdmpackage -ArgumentList $extractArgs -WorkingDirectory $vdmpath -Wait   # unpack so the VMs can pick it up
You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then
the VMs will receive the new update. We suggest starting with once a day – but you should experiment with
increasing or decreasing the frequency to understand the impact. Note that security intelligence packages are
typically published once every three to four hours, so setting a frequency shorter than four hours isn’t advised as
it will increase the network overhead on your management machine for no benefit.
Set a scheduled task to run the PowerShell script
1. On the management machine, open the Start menu and type Task Scheduler. Open it and select Create
task… on the side panel.
2. Enter the name as Security intelligence unpacker. Go to the Trigger tab. Click New… Select Daily and
click OK.
3. Go to the Actions tab. Click New… Enter PowerShell in the Program/Script field. Enter
-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1
in the Add arguments field. Click OK. You can choose to configure additional settings if you wish. Click OK to save the scheduled task.
You can initiate the update manually by right-clicking on the task and clicking Run.
Download and unpackage manually
If you would prefer to do everything manually, this is what you would need to do to replicate the script’s behavior:
1. Create a new folder on the system root called wdav_update to store intelligence updates, for example, create the folder c:\wdav_update
2. Create a subfolder under wdav_update with a GUID name, such as {00000000-0000-0000-0000-000000000000}; for example c:\wdav_update\{00000000-0000-0000-0000-000000000000} (note, in the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time)
3. Download a security intelligence package from https://www.microsoft.com/wdsi/definitions into the GUID folder. The file should be named mpam-fe.exe.
4. Open a cmd prompt window and navigate to the GUID folder you created. Use the /X extraction command to extract the files, for example mpam-fe.exe /X. Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
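Because the scheduled script above creates a fresh GUID folder on every run, the share grows by one package per day. The following housekeeping script is an added example, not part of the Microsoft guide: it lists the timestamped folders, flags whether each one was actually unpacked, keeps the newest few and removes the rest. The share root C:\wdav-update matches the script's path but is an assumption; the function names are mine.

```powershell
function Get-VdiUpdateFolders {
    param([string]$ShareRoot = 'C:\wdav-update')
    # Folders created by the unpacker look like {00000000-0000-0000-0000-<yMMddHHmmss>}; anything else is ignored.
    $pattern = '^\{00000000-0000-0000-0000-(\d{12})\}$'
    Get-ChildItem -Path $ShareRoot -Directory | ForEach-Object {
        if ($_.Name -match $pattern) {
            # "Extracted" is true once /x has unpacked more than just the downloaded mpam-fe.exe.
            $payload = Get-ChildItem -Path $_.FullName -File | Where-Object { $_.Name -ne 'mpam-fe.exe' }
            [pscustomobject]@{
                Path      = $_.FullName
                Stamp     = $Matches[1]           # sorts chronologically while the two-digit year is stable
                Extracted = ($payload.Count -gt 0)
            }
        }
    } | Sort-Object -Property Stamp -Descending
}

function Remove-StaleVdiUpdateFolders {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ShareRoot = 'C:\wdav-update', [int]$KeepCount = 3)
    $folders = @(Get-VdiUpdateFolders -ShareRoot $ShareRoot)
    if ($folders.Count -eq 0) { Write-Warning "No update folders found under $ShareRoot"; return }
    $newest = $folders[0]
    if (-not $newest.Extracted) {
        # A download that failed or was not unpacked leaves the VMs on the previous package; keep everything.
        Write-Warning "Newest folder $($newest.Path) is not extracted; nothing removed"
        return $newest
    }
    foreach ($stale in ($folders | Select-Object -Skip $KeepCount)) {
        if ($PSCmdlet.ShouldProcess($stale.Path, 'Remove stale update folder')) {
            Remove-Item -Path $stale.Path -Recurse -Force
        }
    }
    return $newest   # the package the VMs will pick up next
}

Remove-StaleVdiUpdateFolders -KeepCount 3 -WhatIf   # dry run; drop -WhatIf to delete
```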
Randomize scheduled scans
Scheduled scans run in addition to real-time protection and scanning.
The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Windows Defender AV to start a scan on each machine within a 4-hour window from the time set for the scheduled scan.
See Schedule scans for other configuration options available for scheduled scans.
Use quick scans
You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred
approach as they are designed to look in all places where malware needs to reside to be active.
1. Expand the tree to Windows components > Windows Defender > Scan and configure the following
setting:
Double-click Specify the scan type to use for a scheduled scan and set the option to Enabled and
Quick scan. Click OK.
Prevent notifications
Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Windows Defender Antivirus user interface.
1. Expand the tree to Windows components > Windows Defender > Client Interface and configure the
following settings:
Double-click Suppress all notifications and set the option to Enabled. Click OK. This prevents
notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or
remediation is performed.
Disable scans after an update
This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the
base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again
(as you've already scanned it when you created the base image).
IMPORTANT
Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates.
Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying
the base image.
1. Expand the tree to Windows components > Windows Defender > Signature Updates and configure
the following setting:
Double-click Turn on scan after signature update and set the option to Disabled. Click OK. This
prevents a scan from running immediately after an update.
Scan VMs that have been offline
1. Expand the tree to Windows components > Windows Defender > Scan and configure the following
setting:
2. Double-click the Turn on catch-up quick scan setting and set the option to Enabled. Click OK. This
forces a scan if the VM has missed two or more consecutive scheduled scans.
Enable headless UI mode
Double-click Enable headless UI mode and set the option to Enabled. Click OK. This hides the entire
Windows Defender AV user interface from users.
Exclusions
On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers
running a VDI environment. However, if you are running an older Windows server version, you can refer to the
exclusions that are applied on this page:
Configure Windows Defender Antivirus exclusions on Windows Server
Additional resources
Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manager 2012 manages VDI and integrates with App-V
TechNet forums on Remote Desktop Services and VDI
SignatureDownloadCustomTask PowerShell script
Report on Windows Defender Antivirus
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can
use System Center Configuration Manager to monitor Windows Defender Antivirus or create email alerts. Or, you
can monitor protection using Microsoft Intune.
Microsoft Operations Management Suite has an Update Compliance add-in that reports on key Windows
Defender Antivirus issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) server, you can also consume Windows Defender client events.
Windows events comprise several security event sources, including Security Account Manager (SAM) events (enhanced for Windows 10, also see the Security auditing topic) and Windows Defender events.
These events can be centrally aggregated using the Windows event collector. Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server.
You can also monitor malware events using the Malware Assessment solution in Log Analytics.
For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the Deployment, management, and reporting options table.
Related articles
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Troubleshoot Windows Defender Antivirus reporting in Update Compliance
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options.
When you use Windows Analytics Update Compliance to obtain reporting into the protection status of devices or
endpoints in your network that are using Windows Defender Antivirus, you might encounter problems or issues.
Typically, the most common indicators of a problem are:
You only see a small number or subset of all the devices you were expecting to see
You do not see any devices at all
The reports and information you do see is outdated (older than a few days)
For common error codes and event IDs related to the Windows Defender Antivirus service that are not related to
Update Compliance, see Windows Defender Antivirus events.
There are three steps to troubleshooting these problems:
1. Confirm that you have met all prerequisites
2. Check your connectivity to the Windows Defender cloud-based service
3. Submit support logs
IMPORTANT
It typically takes 3 days for devices to start appearing in Update Compliance.
Confirm prerequisites
In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the
Update Compliance service and for Windows Defender Antivirus:
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other antivirus
app will cause Windows Defender AV to disable itself and the endpoint will not be reported in Update
Compliance.
Cloud-delivered protection is enabled.
Endpoints can connect to the Windows Defender AV cloud.
If the endpoint is running Windows 10 version 1607 or earlier, Windows 10 diagnostic data must be set to the Enhanced level.
It has been 3 days since all requirements have been met.
If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic
information and send it to us.
Collect diagnostic data for Update Compliance troubleshooting
Related topics
Windows Defender Antivirus in Windows 10
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
There are two types of updates related to keeping Windows Defender Antivirus up to date:
1. Protection updates
2. Product updates
You can also apply Windows security baselines to quickly bring your endpoints up to a uniform level of
protection.
Protection updates
Windows Defender Antivirus uses both cloud-delivered protection (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as Security intelligence updates.
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while
the protection updates generally occur once a day (although this can be configured). See the Utilize Microsoft
cloud-provided protection in Windows Defender Antivirus topic for more details about enabling and
configuring cloud-provided protection.
Product updates
Windows Defender Antivirus requires monthly updates (known as "engine updates" and "platform updates"),
and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with System Center Configuration Manager, or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
In this section
Topic: Manage how protection updates are downloaded and applied
Description: Protection updates can be delivered through a number of sources.
Topic: Manage when protection updates should be downloaded and applied
Description: You can schedule when protection updates should be downloaded.
Topic: Manage updates for endpoints that are out of date
Description: If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on.
Topic: Manage event-based forced updates
Description: You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
Topic: Manage updates for mobile devices and virtual machines (VMs)
Description: You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
Manage the sources for Windows Defender Antivirus protection updates
10/19/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection
Keeping your antivirus protection up to date is critical. There are two components to managing protection
updates for Windows Defender Antivirus:
Where the updates are downloaded from; and
When updates are downloaded and applied.
This article describes the "where": how to specify where updates should be downloaded from (this is also known as the fallback order). See the Manage Windows Defender Antivirus updates and apply baselines topic for an overview of how updates work, and how to configure other aspects of updates (such as scheduling updates).
IMPORTANT
Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday,
October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to
support SHA-2 in order to update your security intelligence. To learn more, see 2019 SHA-2 Code Signing Support
requirement for Windows and WSUS.
Fallback order
Typically, you configure endpoints to individually download updates from a primary source, followed by other
sources in order of priority, based on your network configuration. Updates are obtained from sources in the order
you specify. If a source is not available, the next source in the list is used.
When updates are published, some logic is applied to minimize the size of the update. In most cases, only the
differences between the latest update and the update that is currently installed (this is referred to as the delta) on
the device is downloaded and applied. However, the size of the delta depends on two main factors:
The age of the last update on the device; and
The source used to download and apply updates.
The older the updates on an endpoint, the larger the download will be. However, you must also consider
download frequency as well. A more frequent update schedule can result in more network usage, whereas a less-
frequent schedule can result in larger file sizes per download.
There are five locations where you can specify where an endpoint should obtain updates:
Microsoft Update
Windows Server Update Service
System Center Configuration Manager
Network file share
Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.)
To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller
downloads on a frequent basis. The Windows Server Update Service, System Center Configuration Manager, and
Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger,
resulting in larger downloads.
IMPORTANT
If you have set the Microsoft Malware Protection Center (MMPC) Security intelligence page as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from that source when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services.) You can, however, set the number of days before protection is reported as out-of-date.
Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
Location: Windows Server Update Service
Scenario: You are using Windows Server Update Service to manage updates for your network.
Location: System Center Configuration Manager
Scenario: You are using System Center Configuration Manager to update your endpoints.
Location: Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC)
Scenario: Make sure your devices are updated to support SHA-2. Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. Download the latest protection updates because of a recent infection or to help provision a strong, base image for VDI deployment. This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for a specified number of days.
You can manage the order in which update sources are used with Group Policy, System Center Configuration
Manager, PowerShell cmdlets, and WMI.
IMPORTANT
If you set Windows Server Update Service as a download ___location, you must approve the updates, regardless of the
management tool you use to specify the ___location. You can set up an automatic approval rule with Windows Server Update
Service, which might be useful as updates arrive at least once a day. To learn more, see synchronize endpoint protection
updates in standalone Windows Server Update Service.
The procedures in this article first describe how to set the order, and then how to set up the File share option if
you have enabled it.
NOTE
For Windows 10, versions 1703 up to and including 1809, the policy path is Windows Components > Windows Defender Antivirus > Signature Updates. For Windows 10, version 1903, the policy path is Windows Components > Windows Defender Antivirus > Security Intelligence Updates.
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSource
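The PowerShell route for the fallback order and the file-share source, as an added example that is not from the Microsoft article: it validates the source tokens before calling Set-MpPreference (both settings take pipe-separated strings), reads the result back, and then pulls an update from a named source only when the local signatures are older than a threshold, which is the "out-of-date" condition the article discusses. The UNC path \\fileserver\defender-updates and the function names are assumptions.

```powershell
function Set-DefenderUpdateSources {
    param(
        [string[]]$Order,            # fallback order, most preferred first
        [string[]]$FileShares = @()  # UNC paths; only meaningful when 'FileShares' is in $Order
    )
    # Tokens accepted by -SignatureFallbackOrder: WSUS/Configuration Manager, Microsoft Update,
    # the MMPC security intelligence page, and network file shares.
    $valid = 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'MMPC', 'FileShares'
    $bad = $Order | Where-Object { $_ -notin $valid }
    if ($bad) { throw "Unknown source token(s): $($bad -join ', ')" }
    if ($Order -contains 'FileShares' -and $FileShares.Count -eq 0) {
        throw 'FileShares is in the fallback order but no share path was supplied'
    }
    Set-MpPreference -SignatureFallbackOrder ($Order -join '|')
    if ($FileShares.Count -gt 0) {
        Set-MpPreference -SignatureDefinitionUpdateFileSharesSources ($FileShares -join '|')
    }
    # Read back what the engine actually stored.
    Get-MpPreference | Select-Object SignatureFallbackOrder, SignatureDefinitionUpdateFileSharesSources
}

function Update-DefenderSignaturesIfStale {
    param([int]$MaxAgeDays = 1, [string]$Source = 'MicrosoftUpdateServer')
    $status = Get-MpComputerStatus
    if ($status.AntivirusSignatureAge -gt $MaxAgeDays) {
        # Bypass the schedule and fetch from the named source now; the fallback order still applies to scheduled checks.
        Update-MpSignature -UpdateSource $Source
        $status = Get-MpComputerStatus
    }
    [pscustomobject]@{
        SignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        AgeDays          = $status.AntivirusSignatureAge
    }
}

# Prefer WSUS, then Microsoft Update, then an internal share, with the MMPC page as the final fallback.
Set-DefenderUpdateSources -Order 'InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'FileShares', 'MMPC' `
    -FileShares '\\fileserver\defender-updates'
Update-DefenderSignaturesIfStale -MaxAgeDays 1 -Source 'MicrosoftUpdateServer'
```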
Related articles
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and VMs
Windows Defender Antivirus in Windows 10
Manage the schedule for when protection updates should be downloaded and applied
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus lets you determine when it should look for and download updates.
You can schedule updates for your endpoints by:
Specifying the day of the week to check for protection updates
Specifying the interval to check for protection updates
Specifying the time to check for protection updates
You can also randomize the times when each endpoint checks and downloads protection updates. See the
Schedule scans topic for more information.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Policies then Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus > Signature Updates and
configure the following settings:
a. Double-click the Specify the interval to check for security intelligence updates setting and set
the option to Enabled. Enter the number of hours between updates. Click OK.
b. Double-click the Specify the day of the week to check for security intelligence updates setting
and set the option to Enabled. Enter the day of the week to check for updates. Click OK.
c. Double-click the Specify the time to check for security intelligence updates setting and set the
option to Enabled. Enter the time when updates should be checked. The time is based on the local
time of the endpoint. Click OK.
Set-MpPreference -SignatureScheduleDay
Set-MpPreference -SignatureScheduleTime
Set-MpPreference -SignatureUpdateInterval
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
SignatureScheduleDay
SignatureScheduleTime
SignatureUpdateInterval
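As an added example (not code from the Microsoft documentation page), the following script applies a protection-update schedule with the three Set-MpPreference parameters listed above and then reads the result back with Get-MpPreference so that drift from the intended baseline is reported rather than assumed. It assumes an elevated PowerShell session on a Windows 10 endpoint with the Defender module, and that Get-MpPreference reports SignatureScheduleDay as a number (0 = Everyday, 1 = Sunday through 7 = Saturday, 8 = Never); the function names are my own.

```powershell
# Added example; assumes an elevated session with the Defender module loaded.
# Day-of-week codes as Get-MpPreference reports them (assumption: 0 = Everyday ... 8 = Never).
$DayCodes = @{ Everyday = 0; Sunday = 1; Monday = 2; Tuesday = 3; Wednesday = 4
               Thursday = 5; Friday = 6; Saturday = 7; Never = 8 }

function Set-ProtectionUpdateSchedule {
    param(
        # Hours between update checks; the cmdlet accepts 1 through 24.
        [ValidateRange(1, 24)] [int] $IntervalHours,
        [ValidateSet('Everyday','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never')]
        [string] $Day,
        # Time of day in the endpoint's local time, as HH:mm:ss.
        [ValidatePattern('^\d{2}:\d{2}:\d{2}$')] [string] $LocalTime
    )
    # One call per setting so that a rejected value does not silently skip the others.
    Set-MpPreference -SignatureUpdateInterval $IntervalHours
    Set-MpPreference -SignatureScheduleDay $Day
    Set-MpPreference -SignatureScheduleTime $LocalTime
}

function Test-ProtectionUpdateSchedule {
    param([int] $IntervalHours, [string] $Day, [string] $LocalTime)
    $p = Get-MpPreference
    $drift = @()
    if ($p.SignatureUpdateInterval -ne $IntervalHours) {
        $drift += "SignatureUpdateInterval=$($p.SignatureUpdateInterval)"
    }
    if ([int]$p.SignatureScheduleDay -ne $DayCodes[$Day]) {
        $drift += "SignatureScheduleDay=$($p.SignatureScheduleDay)"
    }
    if ([string]$p.SignatureScheduleTime -ne $LocalTime) {
        $drift += "SignatureScheduleTime=$($p.SignatureScheduleTime)"
    }
    if ($drift.Count -gt 0) { Write-Warning ("Schedule drift: " + ($drift -join '; ')) }
    return ($drift.Count -eq 0)
}

# Example baseline: check every 4 hours, every day, with the daily check at 02:00 endpoint-local time.
Set-ProtectionUpdateSchedule -IntervalHours 4 -Day Everyday -LocalTime '02:00:00'
Test-ProtectionUpdateSchedule -IntervalHours 4 -Day Everyday -LocalTime '02:00:00'
```

Run the Test function on its own from a scheduled task or a configuration-management check to catch endpoints whose local administrators changed the schedule; it returns $false and writes the differing values as a warning.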
Related articles
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage Windows Defender Antivirus updates and scans for endpoints that are out of date
11/20/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it
can miss before it is required to update and scan itself. This is especially useful in environments where devices
are not often connected to a corporate or external network, or devices that are not used on a daily basis.
For example, an employee that uses a particular PC is on break for three days and does not log on to their PC
during that time.
When the user returns to work and logs on to their PC, Windows Defender Antivirus will immediately check and
download the latest protection updates, and run a scan.
Set-MpPreference -SignatureUpdateCatchupInterval
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to configure catch-up protection updates
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureUpdateCatchupInterval
Set up catch-up scans for endpoints that have not been scanned for a while
You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus
will force a scan.
The process for enabling this feature is:
1. Set up at least one scheduled scan (see the Schedule scans topic).
2. Enable the catch-up scan feature.
3. Define the number of scans that can be skipped before a catch-up scan occurs.
This feature can be enabled for both full and quick scans.
Use Group Policy to enable and configure the catch-up scan feature
1. Ensure you have set up at least one scheduled scan.
2. On your Group Policy management machine, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
3. In the Group Policy Management Editor go to Computer configuration.
4. Click Policies then Administrative templates.
5. Expand the tree to Windows components > Windows Defender Antivirus > Scan and configure the
following settings:
a. If you have set up scheduled quick scans, double-click the Turn on catch-up quick scan setting and
set the option to Enabled.
b. If you have set up scheduled full scans, double-click the Turn on catch-up full scan setting and set
the option to Enabled. Click OK.
c. Double-click the Define the number of days after which a catch-up scan is forced setting and set
the option to Enabled.
d. Enter the number of scans that can be missed before a scan will be automatically run when the user
next logs on to the PC. The type of scan that is run is determined by the Specify the scan type to use
for a scheduled scan (see the Schedule scans topic). Click OK.
NOTE
The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not
days) before the catch-up scan will be run.
Set-MpPreference -DisableCatchupFullScan
Set-MpPreference -DisableCatchupQuickScan
See Use PowerShell cmdlets to manage Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to configure catch-up scans
Use the Set method of the MSFT_MpPreference class for the following properties:
DisableCatchupFullScan
DisableCatchupQuickScan
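The following script is an added example, not code from the Microsoft documentation page. It serves both the catch-up protection update section and the catch-up scan section: it enables both behaviours with the cmdlets listed above and then reports whether the endpoint is already past its thresholds, using the signature-age and scan-age counters that Get-MpComputerStatus exposes. It assumes an elevated PowerShell session with the Defender module, a daily scheduled scan (so that "N missed scans" equals "last scan older than N days"), and that the number of skipped scans that triggers a catch-up scan is set through Group Policy rather than through these cmdlets, so it is passed in only for the report.

```powershell
# Added example; assumes an elevated session with the Defender module loaded.
function Enable-CatchupProtection {
    param([ValidateRange(1, 365)] [int] $CatchupUpdateDays = 1)
    # Force a protection update after this many days without one.
    Set-MpPreference -SignatureUpdateCatchupInterval $CatchupUpdateDays
    # Catch-up scans are disabled by setting these to $true, so $false turns them on.
    Set-MpPreference -DisableCatchupQuickScan $false
    Set-MpPreference -DisableCatchupFullScan $false
    # A catch-up scan only fires when a scheduled scan exists; schedule a daily quick scan at noon.
    Set-MpPreference -ScanParameters QuickScan -ScanScheduleDay Everyday -ScanScheduleTime '12:00:00'
}

function Get-CatchupStatus {
    # $MissedScansAllowed mirrors the Group Policy value; with one scheduled scan per day,
    # missing N scans means the last scan is more than N days old (assumption stated in the lead-in).
    param([int] $MissedScansAllowed = 2)
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    [pscustomobject]@{
        SignatureAgeDays        = $status.AntivirusSignatureAge
        SignatureUpdateOverdue  = $status.AntivirusSignatureAge -gt $prefs.SignatureUpdateCatchupInterval
        CatchupQuickScanEnabled = -not $prefs.DisableCatchupQuickScan
        CatchupFullScanEnabled  = -not $prefs.DisableCatchupFullScan
        QuickScanAgeDays        = $status.QuickScanAge
        FullScanAgeDays         = $status.FullScanAge
        QuickScanOverdue        = $status.QuickScanAge -gt $MissedScansAllowed
        FullScanOverdue         = $status.FullScanAge -gt $MissedScansAllowed
    }
}

# Usage: enable catch-up after one day without updates, then show where this endpoint stands.
Enable-CatchupProtection -CatchupUpdateDays 1
Get-CatchupStatus -MissedScansAllowed 2 | Format-List
```

Collecting Get-CatchupStatus output across a fleet gives a quick picture of which rarely connected devices will trigger a catch-up update or scan at next logon, which is useful for anticipating the resulting network and CPU load.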
Related articles
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Manage event-based forced updates
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage event-based forced updates
11/20/2019 • 4 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain
events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
Set-MpPreference -CheckForSignaturesBeforeRunningScan
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
Use Windows Management Instrumentation (WMI) to check for protection updates before running a scan
Use the Set method of the MSFT_MpPreference class for the following properties:
CheckForSignaturesBeforeRunningScan
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
See Use PowerShell cmdlets to manage Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to download updates when Windows Defender Antivirus is not
present
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureDisableUpdateOnStartupWithoutEngine
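As an added example (not code from the Microsoft documentation page), this script turns on the two event-based update behaviours named above and verifies the result. It assumes an elevated PowerShell session with the Defender module on the endpoint; the function names are my own.

```powershell
# Added example; assumes an elevated session with the Defender module loaded.
function Set-EventBasedUpdates {
    # Check for new security intelligence before every scheduled or on-demand scan, so a scan
    # never runs against stale signatures.
    Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
    # This setting is a "disable" switch: $true would suppress the startup update when no
    # antimalware engine is present yet, so $false keeps that update enabled.
    Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $false
}

function Test-EventBasedUpdates {
    $p = Get-MpPreference
    $ok = $p.CheckForSignaturesBeforeRunningScan -and
          (-not $p.SignatureDisableUpdateOnStartupWithoutEngine)
    if (-not $ok) {
        Write-Warning ("CheckForSignaturesBeforeRunningScan=$($p.CheckForSignaturesBeforeRunningScan); " +
                       "SignatureDisableUpdateOnStartupWithoutEngine=$($p.SignatureDisableUpdateOnStartupWithoutEngine)")
    }
    return $ok
}

Set-EventBasedUpdates
Test-EventBasedUpdates   # $true when both settings are in the protective state
```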
NOTE
"Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to
cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work.
Related articles
Deploy Windows Defender Antivirus
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Manage updates for endpoints that are out of date
Manage updates for mobile devices and virtual machines (VMs)
Windows Defender Antivirus in Windows 10
Manage updates for mobile devices and virtual machines (VMs)
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates.
There are two settings that are particularly useful for these devices:
Opt-in to Microsoft Update on mobile computers without a WSUS connection
Prevent Security intelligence updates when running on battery power
The following topics may also be useful in these situations:
Configuring scheduled and catch-up scans
Manage updates for endpoints that are out of date
Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment
Related articles
Manage Windows Defender Antivirus updates and apply baselines
Update and manage Windows Defender Antivirus in Windows 10
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows
Defender Antivirus scans.
In this section
TOPIC DESCRIPTION
Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans
  You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled
  scans, and always-on real-time protection monitoring and scanning.
Configure Windows Defender Antivirus scanning options
  You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points,
  and archived files (such as .zip files) in scans. You can also enable network file scanning.
Configure remediation for scans
  Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be
  retained in the quarantine folder.
Configure scheduled scans
  Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans.
Configure and run scans
  Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on
  endpoints with the Windows Security app.
Review scan results
  Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app.
Configure and validate exclusions for Windows Defender Antivirus scans
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans.
The exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring.
Exclusions for process-opened files only apply to real-time protection.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your
organization.
Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the
Windows Defender Antivirus exclusions on Windows Server 2016 topic for more information and a list of the
automatic exclusions.
WARNING
Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that
are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
In this section
TOPIC DESCRIPTION
Configure and validate exclusions based on file name, extension, and folder ___location
  Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or ___location.
Configure and validate exclusions for files opened by processes
  Exclude files from scans that have been opened by a specific process.
Configure Windows Defender Antivirus exclusions on Windows Server
  Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions.
Configure and validate exclusions based on file extension and folder ___location
11/20/2019 • 10 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including endpoint detection
and response (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude using the
methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the
Microsoft Defender ATP custom indicators.
Exclusion lists
You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. Generally, you
shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions
based on known operating system behaviors and typical management files, such as those used in enterprise
management, database management, and other enterprise scenarios and situations.
NOTE
Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft
doesn't set any exclusions by default.
This topic describes how to configure exclusion lists for the files and folders.
Any file with a specific extension
  Example: all files with the .test extension, anywhere on the machine. Exclusion list: Extension exclusions.
Any file under a specific folder
  Example: all files under the c:\test\sample folder. Exclusion list: File and folder exclusions.
A specific file in a specific folder
  Example: the file c:\sample\sample.test only. Exclusion list: File and folder exclusions.
To exclude files opened by a specific process, see Configure and validate exclusions for files opened by processes.
The exclusions apply to scheduled scans, on-demand scans, and real-time protection.
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with
PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration
Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override
managed deployment settings.
NOTE
If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files
and subdirectories under that folder are excluded.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click the Path Exclusions setting and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each folder on its own line under the Value name column. If you are entering a file, ensure you
enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter
0 in the Value column.
5. Click OK.
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference , using the Set-MpPreference cmdlet again
will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the
.test file extension:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:
ExclusionExtension
ExclusionPath
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference ,
Add-MpPreference , and Remove-MpPreference .
Use wildcards in the file name and folder path or extension exclusion
lists
You can use the asterisk * , question mark ? , or environment variables (such as %ALLUSERSPROFILE% ) as wildcards
when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted
differs from their usual usage in other apps and languages. Make sure to read this section to understand their
specific limitations.
IMPORTANT
There are key limitations and usage scenarios for these wildcards:
Environment variable usage is limited to machine variables and those applicable to processes running as an NT
AUTHORITY\SYSTEM account.
You cannot use a wildcard in place of a drive letter.
An asterisk * in a folder exclusion will stand in place for a single folder. Use multiple instances of \*\ to indicate
multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
WILDCARD: Environment variables
USE IN FILE NAME AND FILE EXTENSION EXCLUSIONS: The defined variable will be populated as a path when the exclusion is
evaluated.
USE IN FOLDER EXCLUSIONS: Same as file and extension use.
EXAMPLE USE: 1. %ALLUSERSPROFILE%\CustomLogFiles
EXAMPLE MATCHES: 1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
IMPORTANT
If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the
matched folder, and will not look for file matches in any subfolders.
For example, you can exclude all files that start with "date" in the folders c:\data\final\marked and
c:\data\review\marked by using the rule argument c:\data\*\marked\date*.*.
This argument, however, will not match any files in subfolders under c:\data\final\marked or c:\data\review\marked .
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways:
Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate
lines, but the items within each list will be combined into the same line.
Write the status of all preferences to a variable, and use that variable to only call the specific list you are
interested in. Each use of Add-MpPreference is written to a new line.
Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December
2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
Get-MpPreference
In the following example, the items contained in the ExclusionExtension list are highlighted:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label
you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath
In the following example, the list is split into new lines for each use of the Add-MpPreference cmdlet:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and
the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same
as what is described on the EICAR test file website.
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as
with the Invoke-WebRequest cmdlet; replace c:\test.txt with a file that conforms to the rule you are validating:
If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new
text file with the following PowerShell command:
[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are
attempting to exclude.
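The following script is an added example, not code from the Microsoft documentation page. It writes the EICAR test string shown above into a file at the ___location you are validating, then reports whether Windows Defender Antivirus acted on it, which tells you whether an exclusion covering that ___location is in effect. It assumes an elevated PowerShell session with the Defender module, real-time protection turned on, and that a detection is visible in Get-MpThreatDetection within a few seconds; the test path c:\test\sample\eicar.test is a constructed value chosen to match the page's sample exclusions, and the function name is my own.

```powershell
# Added example; assumes an elevated session with the Defender module and real-time protection on.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Test-ExclusionWithEicar {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $WaitSeconds = 10
    )
    $started = Get-Date
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Write the test string with the .NET File API, as the page shows, so no download is needed.
    # If the ___location is excluded the file stays on disk; otherwise real-time protection removes it
    # and the write may itself be blocked, which is why the call is wrapped in try/catch.
    try { [io.file]::WriteAllText($Path, $Eicar) } catch { }

    Start-Sleep -Seconds $WaitSeconds
    $detected = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -ge $started -and
                       ($_.Resources -match [regex]::Escape($Path)) }
    $stillPresent = Test-Path $Path

    [pscustomobject]@{
        Path             = $Path
        DetectionLogged  = [bool]$detected
        FileStillPresent = $stillPresent
        # Excluded: no detection and the file survived. Not excluded: a detection and/or removal.
        ExclusionActive  = (-not $detected) -and $stillPresent
    }
}

# Usage: ExclusionActive is $true only if c:\test\sample (or the .test extension) is excluded.
Test-ExclusionWithEicar -Path 'c:\test\sample\eicar.test'
```

Delete the test file afterwards when the exclusion is active; a file that is never scanned is exactly the kind of artefact that should not be left lying around on a production endpoint.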
Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure exclusions for files opened by processes
11/20/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:
EXCLUSION EXAMPLE
Any file on the machine that is opened by any process with a specific file name
  Specifying "test.exe" would exclude files opened by: c:\sample\test.exe, d:\internal\files\test.exe
Any file on the machine that is opened by any process under a specific folder
  Specifying "c:\test\sample\*" would exclude files opened by: c:\test\sample\test.exe, c:\test\sample\test2.exe,
  c:\test\sample\utility.exe
Any file on the machine that is opened by a specific process in a specific folder
  Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that
process, no matter where the files are located. The process itself, however, will be scanned unless it has also been
added to the file exclusion list.
The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or on-
demand scans.
Changes made with Group Policy to the exclusion lists will show in the lists in the Windows Security app.
However, changes made in the Windows Security app will not show in the Group Policy lists.
You can add, remove, and review the lists for exclusions in Group Policy, System Center Configuration Manager,
Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with
PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration
Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to override
managed deployment settings.
Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a
combination of three cmdlets with the -ExclusionProcess parameter. The cmdlets are all in the Defender module.
The format for the cmdlets is:
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference , using the Set-MpPreference cmdlet again
will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is
opened by the specified process:
ExclusionProcess
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference ,
Add-MpPreference , and Remove-MpPreference .
WILDCARD: Environment variables
USE IN PROCESS EXCLUSIONS: The defined variable will be populated as a path when the exclusion is evaluated.
EXAMPLE USE: %ALLUSERSPROFILE%\CustomLogFiles\file.exe
EXAMPLE MATCHES: Any file opened by C:\ProgramData\CustomLogFiles\file.exe
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December
2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
Get-MpPreference
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label
you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
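The following script is an added example, not code from the Microsoft documentation page or from the Defender module itself. It serves both the file extension and folder exclusion section above and this process exclusion section: it adds entries with Add-MpPreference (Set-MpPreference would replace the whole list, as the IMPORTANT notes warn), lists every exclusion one entry per line with Get-MpPreference, checks how a path is treated with MpCmdRun.exe -CheckExclusion, and removes the entries again. It assumes an elevated PowerShell session on Windows 10, that MpCmdRun.exe is found under %ProgramFiles%\Windows Defender, and uses the page's own illustrative values (.test, c:\test\sample, c:\test\process.exe); the function names are my own.

```powershell
# Added example; assumes an elevated session with the Defender module loaded.
# Assumed ___location of the command-line tool (not stated on the page).
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Add-DefenderExclusions {
    param([string[]] $Extensions, [string[]] $Paths, [string[]] $Processes)
    # Add-MpPreference appends to the existing list; Set-MpPreference would overwrite it.
    if ($Extensions) { Add-MpPreference -ExclusionExtension $Extensions }
    if ($Paths)      { Add-MpPreference -ExclusionPath $Paths }
    if ($Processes)  { Add-MpPreference -ExclusionProcess $Processes }
}

function Get-DefenderExclusions {
    # One object per entry, so the output can be diffed against a managed baseline.
    $p = Get-MpPreference
    foreach ($e in $p.ExclusionExtension) { [pscustomobject]@{ Kind = 'Extension'; Value = $e } }
    foreach ($e in $p.ExclusionPath)      { [pscustomobject]@{ Kind = 'Path';      Value = $e } }
    foreach ($e in $p.ExclusionProcess)   { [pscustomobject]@{ Kind = 'Process';   Value = $e } }
}

function Test-DefenderExclusion {
    param([Parameter(Mandatory)] [string] $Path)
    # Asks the engine itself whether the path is covered (needs platform 4.18.1812.3 or later).
    & $MpCmdRun -CheckExclusion -path $Path
}

function Remove-DefenderExclusions {
    param([string[]] $Extensions, [string[]] $Paths, [string[]] $Processes)
    if ($Extensions) { Remove-MpPreference -ExclusionExtension $Extensions }
    if ($Paths)      { Remove-MpPreference -ExclusionPath $Paths }
    if ($Processes)  { Remove-MpPreference -ExclusionProcess $Processes }
}

# Usage: add the page's sample exclusions, review them, validate one path, then clean up.
Add-DefenderExclusions -Extensions '.test' -Paths 'c:\test\sample' -Processes 'c:\test\process.exe'
Get-DefenderExclusions | Format-Table -AutoSize
Test-DefenderExclusion -Path 'c:\test\sample\file.test'
Remove-DefenderExclusions -Extensions '.test' -Paths 'c:\test\sample' -Processes 'c:\test\process.exe'
```

Because exclusions lower protection, the Get-DefenderExclusions output is worth capturing centrally and comparing against what Group Policy, Configuration Manager or Intune actually deployed: locally added entries that are not in the managed baseline show up as extra lines.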
Related articles
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder ___location
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus exclusions on Windows Server
11/20/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions,
as defined by your specified server role. See the end of this topic for a list of these exclusions.
These exclusions will not appear in the standard exclusion lists shown in the Windows Security app.
You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as
described in these exclusion-related topics:
Configure and validate exclusions based on file name, extension, and folder ___location
Configure and validate exclusions for files opened by processes
Custom exclusions take precedence over automatic exclusions.
TIP
Custom and duplicate exclusions do not conflict with automatic exclusions.
Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine
which roles are installed on your computer.
WARNING
Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are
delivered automatically are optimized for Windows Server 2016 roles.
NOTE
This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on
exclusions.
TIP
Since the predefined exclusions only exclude default paths, if you move NTDS and SYSVOL to another drive or path different
than the original one, you would have to manually add the exclusions using the information here .
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
Use Group Policy to disable the auto-exclusions list on Windows Server 2016
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click Turn off Auto Exclusions and set the option to Enabled. Click OK.
Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016
Use the following cmdlets:
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to disable the auto-exclusions list on Windows Server 2016
Use the Set method of the MSFT_MpPreference class for the following properties:
DisableAutoExclusions
%windir%\Ntfrs\jet\sys\*\edb.chk
%windir%\Ntfrs\jet\*\Ntfrs.jdb
%windir%\Ntfrs\jet\log\*\*.log
FRS Database log files. The FRS Database log file folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory
%windir%\Ntfrs\*\Edb*.log
The FRS staging folder. The staging folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica
Sets\GUID\Replica Set Stage
%systemroot%\Sysvol\*\Nntfrs_cmp*\
The FRS preinstall folder. This folder is specified by the folder
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
%systemroot%\SYSVOL\___domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\
The Distributed File System Replication (DFSR) database and working folders. These folders
are specified by the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication
Groups\GUID\Replica Set Configuration File
NOTE
For custom locations, see Opt out of automatic exclusions.
%windir%\Ntds\ntds.dit
%windir%\Ntds\ntds.pat
The AD DS transaction log files. The transaction log files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files
%windir%\Ntds\EDB*.log
%windir%\Ntds\Res*.log
%windir%\Ntds\Edb*.jrs
%windir%\Ntds\Ntds*.pat
%windir%\Ntds\EDB*.log
%windir%\Ntds\TEMP.edb
The NTDS working folder. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
%windir%\Ntds\Temp.edb
%windir%\Ntds\Edb.chk
Process exclusions for AD DS and AD DS-related support files:
%systemroot%\System32\ntfrs.exe
%systemroot%\System32\lsass.exe
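The following script is an added example, not code from the Microsoft documentation page. The automatic exclusions above cover only the default %windir%\NTDS locations, and the TIP earlier in this article says that relocated NTDS folders need custom exclusions. This script reads the actual AD DS database, log and working folders from the NTDS Parameters registry key the page names and adds custom path exclusions for the file patterns the page lists, but only for folders that were moved. It assumes an elevated PowerShell session on a Windows Server 2016 ___domain controller and the registry value names "DSA Database file", "Database log files path" and "DSA Working Directory" (the page names only "DSA Working Directory"; the other two are my assumption); the function names are my own.

```powershell
# Added example; assumes an elevated session on a ___domain controller with the Defender module.
$NtdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$DefaultNtds = (Join-Path $env:windir 'NTDS').TrimEnd('\')

# File patterns from the page's AD DS exclusion list, grouped by the folder each one lives in.
$PatternsByFolder = @{
    Database = @('ntds.dit', 'ntds.pat')
    Logs     = @('EDB*.log', 'Res*.log', 'Edb*.jrs', 'Ntds*.pat', 'TEMP.edb')
    Working  = @('Temp.edb', 'Edb.chk')
}

function Get-NtdsFolders {
    # Registry value names are an assumption (see lead-in); "DSA Working Directory" is on the page.
    $params = Get-ItemProperty -Path $NtdsKey
    @{
        Database = Split-Path -Parent $params.'DSA Database file'
        Logs     = $params.'Database log files path'
        Working  = $params.'DSA Working Directory'
    }
}

function Add-NtdsExclusionsIfMoved {
    $folders = Get-NtdsFolders
    $added = @()
    foreach ($kind in $folders.Keys) {
        $folder = [string]$folders[$kind]
        if (-not $folder) { continue }
        # The default folder is already covered by the automatic exclusions; only a relocated
        # folder needs custom entries, and only for the specific files, not the whole folder.
        if ($folder.TrimEnd('\') -ieq $DefaultNtds) { continue }
        foreach ($pattern in $PatternsByFolder[$kind]) {
            $path = Join-Path $folder $pattern
            Add-MpPreference -ExclusionPath $path
            $added += $path
        }
    }
    if ((Get-MpPreference).DisableAutoExclusions) {
        Write-Warning 'DisableAutoExclusions is set; the default NTDS paths are not excluded either.'
    }
    return $added
}

# Usage: returns the custom exclusions that were added (empty when NTDS is at its default path).
Add-NtdsExclusionsIfMoved
```

Keeping the custom entries as narrow as the automatic ones (specific files and patterns rather than the whole folder) preserves the page's point that exclusions should be the minimum needed for the role to perform well.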
DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP
Server file locations are specified by the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters in
the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
%systemroot%\System32\DHCP\*\*.mdb
%systemroot%\System32\DHCP\*\*.pat
%systemroot%\System32\DHCP\*\*.log
%systemroot%\System32\DHCP\*\*.chk
%systemroot%\System32\DHCP\*\*.edb
DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you
install the DNS Server role.
File and folder exclusions for the DNS Server role:
%systemroot%\System32\Dns\*\*.log
%systemroot%\System32\Dns\*\*.dns
%systemroot%\System32\Dns\*\*.scc
%systemroot%\System32\Dns\*\BOOT
Process exclusions for the DNS Server role:
%systemroot%\System32\dns.exe
File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage
Services role. The exclusions listed below do not include exclusions for the Clustering role.
%SystemDrive%\ClusterStorage
%clusterserviceaccount%\Local Settings\Temp
%SystemDrive%\mscs
Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered
automatically when you install the Print Server role.
File type exclusions:
*.shd
*.spl
Folder exclusions. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory
%system32%\spool\printers\*
Process exclusions:
spoolsv.exe
Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install
the Web Server role.
Folder exclusions:
%SystemRoot%\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\ASP Compiled Templates
%systemDrive%\inetpub\logs
%systemDrive%\inetpub\wwwroot
Process exclusions:
%SystemRoot%\system32\inetsrv\w3wp.exe
%SystemRoot%\SysWOW64\inetsrv\w3wp.exe
%SystemDrive%\PHP5433\php-cgi.exe
Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update
Services (WSUS) role. The WSUS folder is specified in the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup
%systemroot%\WSUS\WSUSContent
%systemroot%\WSUS\UpdateServicesDBFiles
%systemroot%\SoftwareDistribution\Datastore
%systemroot%\SoftwareDistribution\Download
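The role exclusions listed above are delivered automatically and are not shown by Get-MpPreference; the exclusions an administrator adds on top of them are. The following script is an added example, not part of the original article or of Microsoft's tooling: it checks that automatic exclusions are still enabled and then audits the custom path, extension and process exclusions for patterns that widen the attack surface (a whole drive, user-writable folders, executable extensions, script interpreters). The "risky" patterns are the author's assumptions, not a Microsoft list.

```powershell
# Added example, not part of the original article. Audits custom Windows Defender Antivirus
# exclusions on a server and flags ones an attacker could exploit. The risky patterns below
# are the author's assumptions; tune them for your environment.

$pref = Get-MpPreference

# Automatic (role-based) exclusions, such as the lists above, are governed by one switch.
if ($pref.DisableAutoExclusions) {
    Write-Warning 'Automatic role exclusions are disabled; role files are scanned with no exclusions.'
} else {
    Write-Host 'Automatic role exclusions are enabled (DisableAutoExclusions = False).'
}

# Locations a low-privileged user or a compromised service can write to. A path exclusion
# here means whatever lands there is never scanned on access.
$riskyPathPatterns = @(
    '^[A-Za-z]:\\\*?$',                               # a whole drive, with or without a trailing wildcard
    '\\Users\\[^\\]+\\(AppData|Downloads|Desktop)',   # per-user writable locations
    '\\Temp\\?$',                                     # any Temp directory
    '\\ProgramData\\?$',                              # machine-wide writable root
    '\\inetpub\\'                                     # the Web Server role already covers what IIS needs
)
$riskyExtensions = '^\.?(exe|dll|ps1|psm1|vbs|js|hta|scr|bat|cmd|jar)$'
$riskyProcesses  = '(powershell|pwsh|cmd|wscript|cscript|rundll32|mshta|regsvr32)\.exe$'

function Test-RiskyPath {
    param([string]$Path)
    foreach ($pattern in $riskyPathPatterns) {
        if ($Path -match $pattern) { return $pattern }
    }
    return $null
}

$report = New-Object System.Collections.Generic.List[object]
foreach ($path in @($pref.ExclusionPath)) {
    if ($path) { $report.Add([pscustomobject]@{ Kind = 'Path'; Value = $path; Flag = (Test-RiskyPath $path) }) }
}
foreach ($ext in @($pref.ExclusionExtension)) {
    # Extension exclusions apply to every folder on the machine.
    if ($ext) {
        $flag = if ($ext -match $riskyExtensions) { 'executable type' } else { $null }
        $report.Add([pscustomobject]@{ Kind = 'Extension'; Value = $ext; Flag = $flag })
    }
}
foreach ($proc in @($pref.ExclusionProcess)) {
    # A process exclusion skips scanning of files the process opens, so excluding an
    # interpreter or loader exempts everything it touches.
    if ($proc) {
        $flag = if ($proc -match $riskyProcesses) { 'interpreter or loader' } else { $null }
        $report.Add([pscustomobject]@{ Kind = 'Process'; Value = $proc; Flag = $flag })
    }
}

$report | Format-Table -AutoSize
$flagged = @($report | Where-Object Flag)
Write-Host ("{0} custom exclusion(s), {1} flagged for review." -f $report.Count, $flagged.Count)
```

Run it from an elevated prompt on each server role after deployment, and again whenever a change request adds an exclusion; a flagged entry is not necessarily wrong, but it should have a written justification.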
Related articles
Configure and validate exclusions for Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder ___location
Configure and validate exclusions for files opened by processes
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus scanning options
11/20/2019 • 3 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Use Microsoft Intune to configure scanning options
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for
Windows 10 in Intune for more details.
Use Configuration Manager to configure scanning options:
See How to create and deploy antimalware policies: Scan settings for details on configuring System Center Configuration
Manager (current branch).
Use Group Policy to configure scanning options
To configure the Group Policy settings described in the following table:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy
Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus and then the Location specified in the
table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired configuration. Click OK,
and repeat for any other settings.
Description | Location and setting | Default setting (if not configured) | PowerShell Set-MpPreference parameter or WMI property for MSFT_MpPreference class
Scan email (see Email scanning limitations) | Scan > Turn on e-mail scanning | Disabled | -DisableEmailScanning
Scan reparse points | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | -DisableScanningMappedNetworkDrivesForFullScan
Scan archive files (such as .zip or .rar files). The extensions exclusion list will take precedence over this setting. | Scan > Scan archive files | Enabled | -DisableArchiveScanning
Scan files on the network | Scan > Scan network files | Disabled | -DisableScanningNetworkFiles
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | -DisableRemovableDriveScanning
Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
Specify the maximum CPU load (as a percentage) during a scan. Note: this is not a hard limit but rather guidance for the scanning engine not to exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | -ScanAvgCPULoadFactor
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, 0, applies no limit. | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
NOTE
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including
those on mounted removable devices such as USB drives.
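The Set-MpPreference parameters in the table share their names with the properties Get-MpPreference returns and with the MSFT_MpPreference WMI class, so one hashtable can drive both the change and its verification. The script below is an added example, not code from the original article: it applies an assumed baseline for the scanning options, reads the effective values back, and reports any mismatch, which in practice usually means a Group Policy or Intune setting for the same option is taking precedence over the local change.

```powershell
# Added example, not part of the original article: apply scanning options with
# Set-MpPreference and confirm them with Get-MpPreference and the MSFT_MpPreference
# WMI/CIM instance. The values are an assumed baseline. Run from an elevated prompt.
#Requires -RunAsAdministrator

# Property name == Set-MpPreference parameter name, so the same table is used twice.
$desired = @{
    DisableArchiveScanning                        = $false    # Scan > Scan archive files (default Enabled)
    DisableScanningNetworkFiles                   = $false    # Scan > Scan network files (default Disabled)
    DisableScanningMappedNetworkDrivesForFullScan = $true     # leave mapped drives to the file server's own scans
    DisableRemovableDriveScanning                 = $false    # include USB media in full scans
    DisableEmailScanning                          = $true     # e-mail scanning has format limitations; keep it off
    ScanAvgCPULoadFactor                          = [byte]30  # average CPU target, not a hard cap
}

Set-MpPreference @desired

function Get-ScanOptionDrift {
    # Compare what was requested with what the engine reports as effective.
    param([hashtable]$Expected)
    $actual = Get-MpPreference
    foreach ($name in $Expected.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual.$name
            Match    = ($actual.$name -eq $Expected[$name])
        }
    }
}

Get-ScanOptionDrift -Expected $desired | Format-Table -AutoSize

# The same data through WMI, which is what Intune and Configuration Manager ultimately use.
Get-CimInstance -Namespace 'root/Microsoft/Windows/Defender' -ClassName MSFT_MpPreference |
    Select-Object DisableArchiveScanning, DisableScanningNetworkFiles,
                  DisableScanningMappedNetworkDrivesForFullScan, DisableRemovableDriveScanning,
                  DisableEmailScanning, ScanAvgCPULoadFactor
```

A row with Match = False is the cue to check the Group Policy "Configure local setting override" entries for that option before assuming the cmdlet failed.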
Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Configure and run on-demand Windows Defender Antivirus scans
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Configure remediation for Windows Defender
Antivirus scans
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can
configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point
before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use System Center
Configuration Manager and Microsoft Intune.
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these
settings.
Location | Setting | Description | Default setting (if not configured)
Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed. | Never removed
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored). | Not applicable
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored. | Not applicable
IMPORTANT
Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation
requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all
additional remediation steps have been completed.
If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See Restore quarantined files in Windows Defender Antivirus.
To avoid this problem in the future, you can exclude files from the scans. See Configure and validate exclusions for Windows Defender Antivirus scans.
Also see Configure remediation-required scheduled full Windows Defender Antivirus scans for more remediation-
related settings.
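The Set-MpPreference equivalents of the table above are the per-severity default-action parameters, -QuarantinePurgeItemsAfterDelay, and the paired -ThreatIDDefaultAction_Ids / -ThreatIDDefaultAction_Actions arrays. The script below is an added example, not code from the original article: it sets an assumed baseline for each severity, keeps quarantined items long enough to recover a false positive after the reboot described above, and pins the action for one threat ID looked up from the local catalog (the EICAR test file, because it is the one detection that can be reproduced safely).

```powershell
# Added example, not part of the original article: per-severity default actions, quarantine
# retention, and one per-threat-ID override, then read the result back. Values are an
# assumed baseline. Run from an elevated prompt.
#Requires -RunAsAdministrator

# Threats > alert levels. Quarantine keeps a recoverable copy, which matters if the
# detection turns out to be a false positive; Remove does not. Never use Allow for a level.
Set-MpPreference -LowThreatDefaultAction      Quarantine `
                 -ModerateThreatDefaultAction Quarantine `
                 -HighThreatDefaultAction     Quarantine `
                 -SevereThreatDefaultAction   Remove

# Quarantine > Configure removal of items from Quarantine folder (default: never purged).
Set-MpPreference -QuarantinePurgeItemsAfterDelay 30

# Threats > Specify threats upon which default action should not be taken: look the ID up
# instead of hardcoding it. Get-MpThreatCatalog is large and takes a while to enumerate.
$threat = Get-MpThreatCatalog |
    Where-Object { $_.ThreatName -like 'Virus:DOS/EICAR_Test_File*' } |
    Select-Object -First 1
if (-not $threat) { throw 'Threat not found in the local catalog; update signatures and retry.' }

# The two parameters are parallel arrays and REPLACE the existing list, so carry over
# every other override before appending ours.
$pref            = Get-MpPreference
$existingIds     = @($pref.ThreatIDDefaultAction_Ids)
$existingActions = @($pref.ThreatIDDefaultAction_Actions)
$ids     = New-Object System.Collections.Generic.List[long]
$actions = New-Object System.Collections.Generic.List[object]
for ($i = 0; $i -lt $existingIds.Count; $i++) {
    if ($existingIds[$i] -and $existingIds[$i] -ne $threat.ThreatID) {
        $ids.Add([long]$existingIds[$i])
        $actions.Add($existingActions[$i])
    }
}
$ids.Add([long]$threat.ThreatID)
$actions.Add('Quarantine')   # 'Allow' here would be a permanent, silent blind spot for that ID
Set-MpPreference -ThreatIDDefaultAction_Ids $ids.ToArray() -ThreatIDDefaultAction_Actions $actions.ToArray()

# Verify the effective configuration.
Get-MpPreference | Select-Object LowThreatDefaultAction, ModerateThreatDefaultAction,
    HighThreatDefaultAction, SevereThreatDefaultAction, QuarantinePurgeItemsAfterDelay,
    ThreatIDDefaultAction_Ids, ThreatIDDefaultAction_Actions | Format-List
```

Treat every per-threat-ID override, and especially any set to Allow, as an exception that needs an owner and an expiry; they survive signature updates and are easy to forget.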
Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Configure and run on-demand Windows Defender Antivirus scans
Configure the notifications that appear on endpoints
Configure end-user Windows Defender Antivirus interaction
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure scheduled quick or full Windows Defender
Antivirus scans
11/20/2019 • 6 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. See Manage the schedule for when protection updates should be downloaded and applied to override this default.
In addition to always-on real-time protection and on-demand scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a protection
update or if the endpoint is being used. You can also specify when special scans to complete remediation should
occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure scheduled scans with System Center Configuration Manager or Microsoft Intune.
To configure the Group Policy settings described in this topic:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus and then the Location
specified in the table below.
5. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK, and repeat for any other settings.
Also see the Manage when protection updates should be downloaded and applied and Prevent or allow users to
locally modify policy settings topics.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
NOTE
If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event
1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next
scheduled time.
Location | Setting | Description | Default setting (if not configured)
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run unless the computer is on but not in use. | Enabled
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter 2; for once a day, enter 24. Enter 0 to never run a daily quick scan. | Never
Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded. | Enabled
Use PowerShell cmdlets to schedule scans:
Set-MpPreference -ScanParameters
Set-MpPreference -ScanScheduleDay
Set-MpPreference -ScanScheduleTime
Set-MpPreference -RandomizeScheduleTaskTimes
Use PowerShell cmdlets to run scheduled scans only when the computer is idle:
Set-MpPreference -ScanOnlyIfIdleEnabled
Use PowerShell cmdlets to schedule a full scan to complete remediation:
Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus, including scheduling daily quick scans.
Use Windows Management Instrumentation (WMI) to schedule scans:
Use the Set method of the MSFT_MpPreference class for the properties that correspond to the cmdlet parameters above: ScanParameters, ScanScheduleDay, ScanScheduleTime, RandomizeScheduleTaskTimes, ScanOnlyIfIdleEnabled, RemediationScheduleDay, and RemediationScheduleTime.
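The following script is an added example, not code from the original article. It configures the schedule settings above with Set-MpPreference (weekly full scan, daily quick scan, remediation scan), makes one of the same changes through the Set method of MSFT_MpPreference to show the WMI route, reads the effective schedule back, and then queries the Defender operational log for scans that stopped before completion (event 1002, the on-battery case described in the note above). The days and times are assumptions.

```powershell
# Added example, not part of the original article: scheduled scans via Set-MpPreference
# and WMI, plus a check for scans that were cut short. Run from an elevated prompt.
#Requires -RunAsAdministrator

# Weekly full scan, Sunday at 02:00, with the start time jittered so a fleet does not hit
# shared storage at the same minute. Signatures are refreshed first.
Set-MpPreference -ScanParameters FullScan `
                 -ScanScheduleDay Sunday `
                 -ScanScheduleTime '02:00:00' `
                 -RandomizeScheduleTaskTimes $true `
                 -ScanOnlyIfIdleEnabled $false `
                 -CheckForSignaturesBeforeRunningScan $true

# Daily quick scan at 12:30 (Scan > Specify the time for a daily quick scan).
Set-MpPreference -ScanScheduleQuickScanTime '12:30:00'

# Remediation > full scan to complete remediation, Wednesday at 03:00.
Set-MpPreference -RemediationScheduleDay Wednesday -RemediationScheduleTime '03:00:00'

# The same change through WMI: the cmdlets wrap the static Set method of MSFT_MpPreference,
# so Invoke-CimMethod takes the property names directly. Day values: 0 = every day,
# 1 = Sunday ... 7 = Saturday, 8 = never.
Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' -ClassName MSFT_MpPreference `
                 -MethodName Set -Arguments @{ ScanScheduleDay = [byte]1; RandomizeScheduleTaskTimes = $true }

# Read back the effective schedule.
Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
    ScanScheduleQuickScanTime, RemediationScheduleDay, RemediationScheduleTime,
    RandomizeScheduleTaskTimes, ScanOnlyIfIdleEnabled, CheckForSignaturesBeforeRunningScan | Format-List

function Get-ScanOutcome {
    # Windows Defender writes scan lifecycle events to its operational log:
    # 1000 started, 1001 finished, 1002 stopped before completion, 1005 failed.
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1001, 1002, 1005
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Outcome = switch ($_.Id) { 1001 { 'completed' } 1002 { 'stopped early' } 1005 { 'failed' } }
        }
    }
}

# Anything 'stopped early' in the last month means a full scan never covered the machine.
Get-ScanOutcome -Days 30 | Format-Table -AutoSize
```

Feed the Get-ScanOutcome output into whatever collects your endpoint telemetry; a machine whose full scans keep stopping early (a laptop that is always on battery at 02:00, for instance) needs a different schedule, not a bigger scan window.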
Related topics
Prevent or allow users to locally modify policy settings
Configure and run on-demand Windows Defender Antivirus scans
Configure Windows Defender Antivirus scanning options
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Windows Defender Antivirus in Windows 10
Configure and run on-demand Windows Defender
Antivirus scans
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define
parameters for the scan, such as the ___location or type.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
Use the mpcmdrun.exe command-line utility to run a scan. See Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
Use PowerShell cmdlets to run a scan:
Start-MpScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.
Related articles
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Review Windows Defender Antivirus scan results
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
After a Windows Defender Antivirus scan completes, whether it is an on-demand or scheduled scan, the results are recorded and you can view them.
Use the following cmdlet to list the threats that Windows Defender Antivirus has detected:
Get-MpThreatDetection
You can specify -ThreatID to limit the output to only show the detections for a specific threat.
If you want to list threat detections, but combine detections of the same threat into a single item, you can use the
following cmdlet:
Get-MpThreat
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
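The on-demand scan topic and the review topic above fit together in one workflow: start a scan of a specific path, then look at what it found. The script below is an added example, not code from the original article. It runs a custom scan with Start-MpScan (the MpCmdRun.exe equivalent is shown in a comment), then joins the per-detection records from Get-MpThreatDetection with the per-threat view from Get-MpThreat so each line shows what was detected, its severity, whether it executed, and whether remediation succeeded. The path scanned is an assumption.

```powershell
# Added example, not part of the original article: run an on-demand custom scan and
# summarize the detections it produced. Run from an elevated prompt.
#Requires -RunAsAdministrator

function Get-DetectionSummary {
    # Join per-detection records (one per file or process hit) with the per-threat
    # view so each row tells you what it was, how bad, and whether it actually ran.
    param([datetime]$Since = [datetime]::MinValue)
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $Since } |
        ForEach-Object {
            $t = $threats[$_.ThreatID]
            [pscustomobject]@{
                When       = $_.InitialDetectionTime
                ThreatID   = $_.ThreatID
                Name       = if ($t) { $t.ThreatName } else { '(not listed by Get-MpThreat)' }
                Severity   = if ($t) { $t.SeverityID } else { $null }
                Executed   = if ($t) { $t.DidThreatExecute } else { $null }
                Process    = $_.ProcessName
                Resources  = ($_.Resources -join '; ')
                Remediated = $_.ActionSuccess
            }
        }
}

function Invoke-PathScan {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('QuickScan', 'FullScan', 'CustomScan')][string]$ScanType = 'CustomScan'
    )
    $started = Get-Date
    if ($ScanType -eq 'CustomScan') {
        Start-MpScan -ScanType CustomScan -ScanPath $Path   # runs synchronously
    } else {
        Start-MpScan -ScanType $ScanType
    }
    # Command-line equivalent for a custom scan (ScanType 3 = custom, -File = path):
    #   & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File $Path
    Get-DetectionSummary -Since $started
}

# Assumed target: the IIS web root, a common drop ___location for web shells.
Invoke-PathScan -Path 'C:\inetpub\wwwroot' | Format-Table -AutoSize
```

Note that a custom scan of a path that is covered by a role exclusion (the Web Server role excludes the web root, for example) still scans it, because on-demand scans are explicit; the exclusion lists apply to real-time and scheduled scanning.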
Run and review the results of a Windows Defender Offline scan
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted
environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to
bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR ).
You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean
of the endpoint after a malware outbreak.
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Security app. In
previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the
endpoint, and load the bootable media.
NOTE
Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server stock keeping units (SKUs).
To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
NOTE
Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an
update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install
the latest protection updates from the Microsoft Malware Protection Center.
See the Manage Windows Defender Antivirus Security intelligence updates topic for more information.
Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender
determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using it
to manage your endpoints.
On the endpoint, the prompt appears as a notification, and the same status is shown within the Windows Defender client.
In Configuration Manager, you can identify the status of endpoints by navigating to Monitoring > Overview >
Security > Endpoint Protection Status > System Center Endpoint Protection Status.
Windows Defender Offline scans are indicated under Malware remediation status as Offline scan required.
Configure notifications
Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV
notifications.
For more information about notifications in Windows Defender, see the Configure the notifications that appear on
endpoints topic.
Run a scan
IMPORTANT
Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows
Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is
performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan
performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
You can run a Windows Defender Offline scan with the following:
PowerShell
Windows Management Instrumentation (WMI)
The Windows Security app
Use PowerShell cmdlets to run an offline scan
Use the following cmdlets:
Start-MpWDOScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run an offline scan
Use the MSFT_MpWDOScan class to run an offline scan.
Calling the Start method of the MSFT_MpWDOScan class immediately runs a Windows Defender Offline scan, which causes the endpoint to restart, run the offline scan, and then restart and boot into Windows.
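Because an offline scan restarts the machine, the pre-flight checks the topic describes (administrator session, supported platform, fresh protection updates) are worth automating. The function below is an added example, not code from the original article: it performs those checks, refreshes signatures, and then starts the scan either with Start-MpWDOScan or through the Start method of MSFT_MpWDOScan, behind a confirmation prompt.

```powershell
# Added example, not part of the original article: guarded start of a Windows Defender
# Offline scan. This RESTARTS the machine; the confirmation prompt is deliberate.

function Start-OfflineScanChecked {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([switch]$UseWmi)

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Windows Defender Offline must be started from an administrator session.'
    }
    if ($env:PROCESSOR_ARCHITECTURE -like 'ARM*') {
        throw 'Windows Defender Offline is not supported on ARM processors.'
    }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -ne 1) {   # 1 = workstation, 2 = domain controller, 3 = server
        throw 'Windows Defender Offline is not supported on Windows Server SKUs.'
    }

    # Refresh protection before going offline; the offline environment scans with the
    # security intelligence that is on disk at restart time.
    Update-MpSignature -ErrorAction Stop
    $status = Get-MpComputerStatus
    Write-Host ('Signature version {0}, last updated {1}' -f `
        $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

    $action = 'Restart into Windows Defender Offline and scan (about 15 minutes, unsaved work is lost)'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        if ($UseWmi) {
            # The WMI route: the Start method of MSFT_MpWDOScan.
            Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' `
                             -ClassName MSFT_MpWDOScan -MethodName Start
        } else {
            Start-MpWDOScan
        }
    }
}

# Prompts before restarting. Pass -Confirm:$false only from an unattended remediation playbook.
Start-OfflineScanChecked
```

The result of the offline scan is recorded like any other scan, so Get-MpThreatDetection after the machine boots back into Windows shows what it found.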
Related articles
Customize, initiate, and review the results of scans and remediation
Windows Defender Antivirus in Windows 10
Restore quarantined files in Windows Defender AV
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender
Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open Windows Security.
2. Click Virus & threat protection and then click Threat History.
3. Under Quarantined threats, click See full history.
4. Click an item you want to keep, then click Restore. (If you prefer to remove the item, you can click Remove.)
NOTE
You can also use the dedicated command-line tool mpcmdrun.exe to restore quarantined files in Windows Defender AV.
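With mpcmdrun.exe, the quarantine is listed with -Restore -ListAll and an item is restored by the path it was quarantined from with -Restore -FilePath (optionally to a different folder with -Path). The script below is an added example, not code from the original article: it wraps those two operations, asks for confirmation, and records the SHA256 of the restored file in an audit log so the "this was a false positive" decision can be re-checked later. The audit log ___location and the example path are assumptions.

```powershell
# Added example, not part of the original article: list and restore quarantined files with
# MpCmdRun.exe, with a confirmation prompt and an audit trail. Run from an elevated prompt.
#Requires -RunAsAdministrator

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-QuarantineList {
    # Prints every quarantined item with its threat name and original path.
    & $MpCmdRun -Restore -ListAll
}

function Restore-QuarantinedFile {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$OriginalPath,           # path the file was quarantined from
        [string]$RestoreTo,                                     # optional alternative folder
        [string]$AuditLog = "$env:ProgramData\defender-restore-audit.log"   # assumed ___location
    )
    if (-not $PSCmdlet.ShouldProcess($OriginalPath, 'Restore from Windows Defender quarantine')) { return }

    $cmdArgs = @('-Restore', '-FilePath', $OriginalPath)
    if ($RestoreTo) { $cmdArgs += @('-Path', $RestoreTo) }
    & $MpCmdRun @cmdArgs
    if ($LASTEXITCODE -ne 0) { throw "MpCmdRun.exe returned exit code $LASTEXITCODE" }

    # Hash the restored file so the decision is auditable. Real-time protection re-scans
    # the file on access, so without a matching exclusion it may go straight back to quarantine.
    $restoredPath = if ($RestoreTo) { Join-Path $RestoreTo (Split-Path $OriginalPath -Leaf) } else { $OriginalPath }
    $hash = (Get-FileHash -Algorithm SHA256 -Path $restoredPath).Hash
    "{0:o}`t{1}`t{2}`t{3}" -f (Get-Date), $env:USERNAME, $restoredPath, $hash | Add-Content -Path $AuditLog
    [pscustomobject]@{ Path = $restoredPath; SHA256 = $hash }
}

Get-QuarantineList
# Example (assumed path): Restore-QuarantinedFile -OriginalPath 'C:\Tools\legit-tool.exe'
```

Restoring to a separate folder with -RestoreTo is the safer habit when you are not yet sure: it lets you check the hash against a known-good build or submit the sample for analysis before the file goes back to its original ___location.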
Related articles
Configure remediation for scans
Review scan results
Configure and validate exclusions based on file name, extension, and folder ___location
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Manage Windows Defender Antivirus in your business
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can manage and configure Windows Defender Antivirus with the following tools:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The mpcmdrun.exe utility
The topics in this section provide further information, links, and resources for using these tools to manage and
configure Windows Defender Antivirus.
In this section
Topic | Description
Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager | Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
Manage Windows Defender Antivirus with Group Policy settings | List of all Group Policy settings located in ADMX templates
Manage Windows Defender Antivirus with PowerShell cmdlets | Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI) | Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool | Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus
Use Group Policy settings to configure and manage
Windows Defender Antivirus
11/20/2019 • 9 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use Group Policy to configure and manage Windows Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy
settings:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object (GPO ) you want to configure and click Edit.
2. Using the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus.
5. Expand the section (referred to as Location in the table in this topic) that contains the setting you want to
configure, double-click the setting to open it, and make configuration changes.
6. Deploy the updated GPO as you normally do.
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides
links to the appropriate topic in this documentation library (where applicable).
Location | Setting | Article
Client interface | Enable headless UI mode | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
Client interface | Display additional text to clients when they need to perform an action | Configure the notifications that appear on endpoints
Client interface | Suppress all notifications | Configure the notifications that appear on endpoints
Client interface | Suppresses reboot notifications | Configure the notifications that appear on endpoints
MAPS | Configure the 'Block at First Sight' feature | Enable block at first sight
MAPS | Send file samples when further analysis is required | Enable cloud-delivered protection
MAPS | Configure local setting override for reporting to Microsoft MAPS | Prevent or allow users to locally modify policy settings
MpEngine | Configure extended cloud check | Configure the cloud block timeout period
Network inspection system | Specify additional definition sets for network traffic inspection | Not used
Quarantine | Configure local setting override for the removal of items from Quarantine folder | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for turn on behavior monitoring | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override to turn on real-time protection | Prevent or allow users to locally modify policy settings
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Monitor file and program activity on your computer | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Scan all downloaded files and attachments | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn off real-time protection | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on raw volume write notifications | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints
Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to Not configured to ensure any installed third-party antivirus apps work correctly)
Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings
Root | Randomize scheduled task times | Configure scheduled scans for Windows Defender Antivirus
Scan | Allow users to pause scan | Prevent users from seeing or interacting with the Windows Defender Antivirus user interface
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Manage event-based forced updates
Scan | Define the number of days after which a catch-up scan is forced | Manage updates for endpoints that are out of date
Scan | Turn on catch up full scan | Manage updates for endpoints that are out of date
Scan | Turn on catch up quick scan | Manage updates for endpoints that are out of date
Scan | Configure local setting override for maximum percentage of CPU utilization | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for schedule scan day | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled quick scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for the scan type to use for a scheduled scan | Prevent or allow users to locally modify policy settings
Scan | Turn on removal of items from scan history folder | Configure remediation for Windows Defender Antivirus scans
Scan | Run full scan on mapped network drives | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum depth to scan archive files | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum size of archive files to be scanned | Configure scanning options in Windows Defender Antivirus
Scan | Specify the day of the week to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the interval to run quick scans per day | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the scan type to use for a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time for a daily quick scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time of day to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Start the scheduled scan only when computer is on but not in use | Configure scheduled scans for Windows Defender Antivirus
Security intelligence updates | Allow security intelligence updates from Microsoft Update | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow security intelligence updates when running on battery power | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Check for the latest virus and spyware definitions on startup | Manage event-based forced updates
Security intelligence updates | Define file shares for downloading security intelligence updates | Manage Windows Defender Antivirus protection and security intelligence updates
Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before spyware definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before virus definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the order of sources for downloading security intelligence updates | Manage Windows Defender Antivirus protection and security intelligence updates
Security intelligence updates | Initiate security intelligence update on startup | Manage event-based forced updates
Security intelligence updates | Specify the day of the week to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the interval to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the time to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Turn on scan after Security intelligence update | Configure scheduled scans for Windows Defender Antivirus
Threats | Specify threat alert levels at which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Threats | Specify threats upon which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Related articles
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use System Center Configuration Manager and
Microsoft Intune to configure and manage Windows
Defender Antivirus
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your
network, you can also use them to manage Windows Defender Antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used
by Windows Defender Antivirus.
See the Endpoint Protection library on docs.microsoft.com for information on using Configuration Manager.
For Microsoft Intune, consult the Microsoft Intune library and Configure device restriction settings in Intune.
Related articles
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use PowerShell cmdlets to configure and manage Windows Defender Antivirus
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or
command line, PowerShell is a task-based command-line shell and scripting language designed especially for
system administration, and you can read more about it at the PowerShell hub on MSDN.
For a list of the cmdlets and their functions and available parameters, see the Defender cmdlets topic.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface
(GUI) to configure software.
NOTE
PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as System
Center Configuration Manager, Group Policy Management Console, or Windows Defender Antivirus Group Policy ADMX
templates.
Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made.
This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft
Intune can overwrite changes made with PowerShell.
You can configure which settings can be overridden locally with local policy overrides.
PowerShell is typically installed under the folder %SystemRoot%\system32\WindowsPowerShell.
NOTE
You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click Run as
administrator and click Yes at the permissions prompt.
To open online help for any of the cmdlets, type the following:
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender Antivirus
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and
update settings.
Read more about WMI at the Microsoft Developer Network System Administration library.
Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same
functions as Group Policy and other management tools. Many of the classes are analogous to Defender PowerShell
cmdlets.
The MSDN Windows Defender WMIv2 Provider reference library lists the available WMI classes for Windows
Defender Antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This
means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune
can overwrite changes made with WMI.
You can configure which settings can be overridden locally with local policy overrides.
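A worked example of the WMI route, added here and not taken from the article or from Microsoft's sample scripts: it reads engine state and the exclusion lists through the CIM cmdlets and adds or removes an extension exclusion through the static Add and Remove methods of MSFT_MpPreference. Assumptions: the provider namespace root/Microsoft/Windows/Defender and string arrays as the method argument type; the .test extension is a constructed sample and should be removed again after the demonstration.

```powershell
# Added example, not from the article: Windows Defender Antivirus settings over WMIv2 with the CIM cmdlets.
$DefenderNamespace = 'root/Microsoft/Windows/Defender'   # assumption: WMIv2 provider namespace

function Get-MpHealthViaWmi {
    # MSFT_MpComputerStatus carries the engine and signature state that Get-MpComputerStatus also shows.
    $status = Get-CimInstance -Namespace $DefenderNamespace -ClassName MSFT_MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
        LastFullScanEnd    = $status.FullScanEndTime
    }
}

function Get-MpExclusionsViaWmi {
    # There is a single MSFT_MpPreference instance; it mirrors what Get-MpPreference returns.
    $pref = Get-CimInstance -Namespace $DefenderNamespace -ClassName MSFT_MpPreference
    [pscustomobject]@{
        Extensions = @($pref.ExclusionExtension)
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
    }
}

function Add-MpExtensionExclusionViaWmi {
    param([Parameter(Mandatory)][string]$Extension)
    # Add is a static method of MSFT_MpPreference and behaves like Add-MpPreference -ExclusionExtension:
    # it appends to the local list, which policy-delivered lists are merged with and take precedence over.
    # Assumption: list arguments are passed as string arrays.
    Invoke-CimMethod -Namespace $DefenderNamespace -ClassName MSFT_MpPreference `
        -MethodName Add -Arguments @{ ExclusionExtension = [string[]]@($Extension) } | Out-Null
}

function Remove-MpExtensionExclusionViaWmi {
    param([Parameter(Mandatory)][string]$Extension)
    # Remove is the static counterpart of Remove-MpPreference -ExclusionExtension.
    Invoke-CimMethod -Namespace $DefenderNamespace -ClassName MSFT_MpPreference `
        -MethodName Remove -Arguments @{ ExclusionExtension = [string[]]@($Extension) } | Out-Null
}

# Usage (administrator PowerShell); '.test' is a constructed sample extension
# Get-MpHealthViaWmi
# Add-MpExtensionExclusionViaWmi -Extension '.test'
# (Get-MpExclusionsViaWmi).Extensions
# Remove-MpExtensionExclusionViaWmi -Extension '.test'
```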
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool
12/4/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can perform various Windows Defender Antivirus functions with the dedicated command-line tool
mpcmdrun.exe.
This utility can be useful when you want to automate Windows Defender Antivirus use.
You can find the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must run it from a command
prompt.
NOTE
You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click
Run as administrator and click Yes at the permissions prompt.
Here's an example:
MpCmdRun.exe -scan -2
COMMAND | DESCRIPTION
-Scan [-ScanType [0|1|2|3]] [-File <path> [-DisableRemediation] [-BootSectorScan]] [-Timeout <days>] [-Cancel] | Scans for malicious software. Values for ScanType are: 0 Default, according to your configuration, -1 Quick scan, -2 Full scan, -3 File and directory custom scan.
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure
Windows Defender Antivirus scans.
In this section
TOPIC | DESCRIPTION
Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
Configure Windows Defender Antivirus scanning options | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
Configure remediation for scans | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
Configure scheduled scans | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
Configure and run scans | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
Review scan results | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app
Configure and validate exclusions for Windows Defender Antivirus scans
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus
scans.
The exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring.
Exclusions for process-opened files only apply to real-time protection.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your
organization.
Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See
the Windows Defender Antivirus exclusions on Windows Server 2016 topic for more information and a list of
the automatic exclusions.
WARNING
Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks
that are associated with implementing exclusions, and you should only exclude files that you are confident are not
malicious.
In this section
TOPIC | DESCRIPTION
Configure and validate exclusions based on file name, extension, and folder ___location | Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or ___location
Configure and validate exclusions for files opened by processes | Exclude files from scans that have been opened by a specific process
Configure Windows Defender Antivirus exclusions on Windows Server | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions.
Configure and validate exclusions based on file extension and folder ___location
11/20/2019 • 10 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including endpoint
detection and response (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude
using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add
them to the Microsoft Defender ATP custom indicators.
Exclusion lists
You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. Generally,
you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic
exclusions based on known operating system behaviors and typical management files, such as those used in
enterprise management, database management, and other enterprise scenarios and situations.
NOTE
Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at
Microsoft doesn't set any exclusions by default.
This topic describes how to configure exclusion lists for the files and folders.
EXCLUSION | EXAMPLES | EXCLUSION LIST
Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
To exclude files opened by a specific process, see Configure and validate exclusions for files opened by
processes.
The exclusions apply to scheduled scans, on-demand scans, and real-time protection.
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with
PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration
Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to
override managed deployment settings.
NOTE
If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files
and subdirectories under that folder are excluded.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click the Path Exclusions setting and add the exclusions:
a. Set the option to Enabled.
b. Under the Options section, click Show....
c. Enter each folder on its own line under the Value name column. If you are entering a file, ensure you
enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension.
Enter 0 in the Value column.
5. Click OK.
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference , using the Set-MpPreference cmdlet
again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the
.test file extension:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:
ExclusionExtension
ExclusionPath
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and Remove-MpPreference.
Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk (*), question mark (?), or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
IMPORTANT
There are key limitations and usage scenarios for these wildcards:
Environment variable usage is limited to machine variables and those applicable to processes running as an NT
AUTHORITY\SYSTEM account.
You cannot use a wildcard in place of a drive letter.
An asterisk * in a folder exclusion will stand in place for a single folder. Use multiple instances of \*\ to indicate
multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
WILDCARD | USE IN FILE NAME AND FILE EXTENSION EXCLUSIONS | USE IN FOLDER EXCLUSIONS | EXAMPLE USE | EXAMPLE MATCHES
This argument, however, will not match any files in subfolders under c:\data\final\marked or c:\data\review\marked.
IMPORTANT
Exclusion list changes made with Group Policy will show in the lists in the Windows Security app.
Changes made in the Windows Security app will not show in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways:
Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on
separate lines, but the items within each list will be combined into the same line.
Write the status of all preferences to a variable, and use that variable to only call the specific list you are
interested in. Each use of Add-MpPreference is written to a new line.
Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in
December 2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using
PowerShell
Use the following cmdlet:
Get-MpPreference
In the following example, the items contained in the ExclusionExtension list are highlighted:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever
label you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath
In the following example, the list is split into new lines for each use of the Add-MpPreference cmdlet:
For more information, see Use PowerShell cmdlets to configure and run Windows Defender Antivirus and
Defender cmdlets.
If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware,
and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are
the same as what is described on the EICAR test file website.
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file -
as with the Invoke-WebRequest cmdlet; replace c:\test.txt with a file that conforms to the rule you are validating:
If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new
text file with the following PowerShell command:
[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you
are attempting to exclude.
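The validation the article describes, carried through as an added example (not the article's own code): the EICAR string is written twice, once to a control path that real-time protection must catch and once to the path whose exclusion you are validating, so that a file surviving in the excluded ___location proves the exclusion rather than a disabled engine. Assumptions: an administrator PowerShell session with real-time protection on; Get-MpThreatDetection is used to confirm the control detection; the function and parameter names are this example's own.

```powershell
# Added example, not from the article: validate a file/folder exclusion with the EICAR test file.
function New-EicarTestFile {
    param([Parameter(Mandatory)][string]$Path)
    # Joined at run time so that this script, once saved to disk, does not itself carry the
    # 68-byte EICAR signature and get quarantined before it can run.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    try {
        [System.IO.File]::WriteAllText($Path, $eicar)
        $true
    } catch {
        # Real-time protection may reject the write outright; that still counts as a detection.
        $false
    }
}

function Test-EicarOutcome {
    param([Parameter(Mandatory)][string]$Path, [int]$SettleSeconds)
    $written = New-EicarTestFile -Path $Path
    Start-Sleep -Seconds $SettleSeconds                 # give real-time protection time to act
    $survived = $written -and (Test-Path -LiteralPath $Path)
    $since = (Get-Date).AddMinutes(-5)
    # Resources lists the detected items as "file:_<path>" strings
    $detected = [bool](Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.InitialDetectionTime -gt $since -and ($_.Resources -join ' ') -like "*$Path*" } |
        Select-Object -First 1)
    if ($survived) { Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue }   # clean up
    [pscustomobject]@{ Path = $Path; Written = $written; Survived = $survived; Detected = $detected }
}

function Test-MpExclusion {
    param(
        # A file path the exclusion under test should cover, e.g. c:\test\sample\probe.test (constructed)
        [Parameter(Mandatory)][string]$ExcludedFilePath,
        [int]$SettleSeconds = 10
    )
    $control        = Join-Path $env:TEMP ('eicar-control-{0}.txt' -f [guid]::NewGuid())
    $controlResult  = Test-EicarOutcome -Path $control -SettleSeconds $SettleSeconds
    $excludedResult = Test-EicarOutcome -Path $ExcludedFilePath -SettleSeconds $SettleSeconds
    # The control file must be caught; otherwise nothing can be concluded about the exclusion
    # (real-time protection off, or %TEMP% itself excluded).
    $conclusive = $controlResult.Detected -or -not $controlResult.Survived
    [pscustomobject]@{
        Conclusive       = $conclusive
        ExclusionWorking = $conclusive -and $excludedResult.Survived -and -not $excludedResult.Detected
        Control          = $controlResult
        Excluded         = $excludedResult
    }
}

# Usage: Test-MpExclusion -ExcludedFilePath 'c:\test\sample\probe.test' | Format-List
```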
Related topics
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure exclusions for files opened by processes
11/20/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:
EXCLUSION | EXAMPLE
Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by: c:\sample\test.exe, d:\internal\files\test.exe
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\*" would exclude files opened by: c:\test\sample\test.exe, c:\test\sample\test2.exe, c:\test\sample\utility.exe
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by
that process, no matter where the files are located. The process itself, however, will be scanned unless it has also
been added to the file exclusion list.
The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or
on-demand scans.
Changes made with Group Policy to the exclusion lists will show in the lists in the Windows Security app.
However, changes made in the Windows Security app will not show in the Group Policy lists.
You can add, remove, and review the lists for exclusions in Group Policy, System Center Configuration Manager,
Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made
with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy,
Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can configure how locally and globally defined exclusions lists are merged to allow local changes to
override managed deployment settings.
Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a
combination of three cmdlets with the -ExclusionProcess parameter. The cmdlets are all in the Defender
module.
The format for the cmdlets is:
IMPORTANT
If you have created a list, either with Set-MpPreference or Add-MpPreference , using the Set-MpPreference cmdlet
again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is
opened by the specified process:
ExclusionProcess
The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and Remove-MpPreference.
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | %ALLUSERSPROFILE%\CustomLogFiles\file.exe | Any file opened by C:\ProgramData\CustomLogFiles\file.exe
NOTE
Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in
December 2018) or later.
Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
Get-MpPreference
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever
label you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
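An added example, not part of the article: an audit of the process exclusion list for entries that are broader than they look. As the table above shows, a bare file name such as "test.exe" excludes files opened by any process with that name in any folder, and "folder\*" covers every executable under that folder. The sample entries in the usage line are the article's own; the list of writable locations is a constructed heuristic and the function name is this example's.

```powershell
# Added example, not from the article: flag over-broad or stale ExclusionProcess entries.
function Get-MpProcessExclusionAudit {
    [CmdletBinding()]
    param(
        # Defaults to the live list; pass a list explicitly to review a planned change offline
        [string[]]$ExclusionProcess = (Get-MpPreference).ExclusionProcess
    )
    # Constructed heuristic: locations where non-administrators can normally place files
    $writableRoots = @("$env:SystemDrive\Users\", "$env:ProgramData\", "$env:windir\Temp\")

    foreach ($entry in @($ExclusionProcess)) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        # Exclusions may use environment variables; evaluate them the way the engine does
        $expanded = [Environment]::ExpandEnvironmentVariables($entry)
        $findings = [System.Collections.Generic.List[string]]::new()
        $fullyQualified = $expanded -match '^[A-Za-z]:\\'
        $hasWildcard    = $expanded -match '[\*\?]'

        if (-not $fullyQualified) {
            $findings.Add('bare name: applies to any process with this name, in any folder')
        }
        if ($hasWildcard) {
            $findings.Add('wildcard: applies to every matching executable under that path')
        }
        foreach ($root in $writableRoots) {
            if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add("under a writable ___location ($root)")
                break
            }
        }
        if ($fullyQualified -and -not $hasWildcard -and -not (Test-Path -LiteralPath $expanded)) {
            $findings.Add('executable not present on this machine: stale or mistyped entry')
        }

        [pscustomobject]@{
            Entry    = $entry
            Expanded = $expanded
            Flags    = $findings.Count
            Findings = ($findings -join '; ')
        }
    }
}

# Usage: review the article's example entries without touching the live list
# Get-MpProcessExclusionAudit -ExclusionProcess 'test.exe', 'c:\test\sample\*', 'c:\test\process.exe',
#     '%ALLUSERSPROFILE%\CustomLogFiles\file.exe' | Format-Table Entry, Flags, Findings -AutoSize
```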
Related articles
Configure and validate exclusions in Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder ___location
Configure Windows Defender Antivirus exclusions on Windows Server
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus exclusions on Windows Server
11/20/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain
exclusions, as defined by your specified server role. See the end of this topic for a list of these exclusions.
These exclusions will not appear in the standard exclusion lists shown in the Windows Security app.
You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as
described in these exclusion-related topics:
Configure and validate exclusions based on file name, extension, and folder ___location
Configure and validate exclusions for files opened by processes
Custom exclusions take precedence over automatic exclusions.
TIP
Custom and duplicate exclusions do not conflict with automatic exclusions.
Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
WARNING
Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that
are delivered automatically are optimized for Windows Server 2016 roles.
NOTE
This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect
on exclusions.
TIP
Since the predefined exclusions only exclude default paths, if you move NTDS and SYSVOL to another drive or path different than the original one, you would have to manually add the exclusions using the information here.
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
Use Group Policy to disable the auto-exclusions list on Windows Server 2016
1. On your Group Policy management computer, open the Group Policy Management Console, right-click
the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.
4. Double-click Turn off Auto Exclusions and set the option to Enabled. Click OK.
Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016
Use the following cmdlets:
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to disable the auto-exclusions list on Windows Server 2016
Use the Set method of the MSFT_MpPreference class for the following properties:
DisableAutoExclusions
%windir%\Ntfrs\jet\sys\*\edb.chk
%windir%\Ntfrs\jet\*\Ntfrs.jdb
%windir%\Ntfrs\jet\log\*\*.log
FRS Database log files. The FRS Database log file folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File
Directory
%windir%\Ntfrs\*\Edb*.log
The FRS staging folder. The staging folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica
Sets\GUID\Replica Set Stage
%systemroot%\Sysvol\*\Nntfrs_cmp*\
The FRS preinstall folder. This folder is specified by the folder
Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
%systemroot%\SYSVOL\___domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\
The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File
NOTE
For custom locations, see Opt out of automatic exclusions.
%windir%\Ntds\ntds.dit
%windir%\Ntds\ntds.pat
The AD DS transaction log files. The transaction log files are specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files
%windir%\Ntds\EDB*.log
%windir%\Ntds\Res*.log
%windir%\Ntds\Edb*.jrs
%windir%\Ntds\Ntds*.pat
%windir%\Ntds\EDB*.log
%windir%\Ntds\TEMP.edb
The NTDS working folder. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
%windir%\Ntds\Temp.edb
%windir%\Ntds\Edb.chk
Process exclusions for AD DS and AD DS-related support files:
%systemroot%\System32\ntfrs.exe
%systemroot%\System32\lsass.exe
DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The
DHCP Server file locations are specified by the DatabasePath, DhcpLogFilePath, and BackupDatabasePath
parameters in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
%systemroot%\System32\DHCP\*\*.mdb
%systemroot%\System32\DHCP\*\*.pat
%systemroot%\System32\DHCP\*\*.log
%systemroot%\System32\DHCP\*\*.chk
%systemroot%\System32\DHCP\*\*.edb
DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when
you install the DNS Server role.
File and folder exclusions for the DNS Server role:
%systemroot%\System32\Dns\*\*.log
%systemroot%\System32\Dns\*\*.dns
%systemroot%\System32\Dns\*\*.scc
%systemroot%\System32\Dns\*\BOOT
Process exclusions for the DNS Server role:
%systemroot%\System32\dns.exe
File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and
Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
%SystemDrive%\ClusterStorage
%clusterserviceaccount%\Local Settings\Temp
%SystemDrive%\mscs
Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered
automatically when you install the Print Server role.
File type exclusions:
*.shd
*.spl
Folder exclusions. This folder is specified in the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory
%system32%\spool\printers\*
Process exclusions:
spoolsv.exe
Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you
install the Web Server role.
Folder exclusions:
%SystemRoot%\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\ASP Compiled Templates
%systemDrive%\inetpub\logs
%systemDrive%\inetpub\wwwroot
Process exclusions:
%SystemRoot%\system32\inetsrv\w3wp.exe
%SystemRoot%\SysWOW64\inetsrv\w3wp.exe
%SystemDrive%\PHP5433\php-cgi.exe
Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup
%systemroot%\WSUS\WSUSContent
%systemroot%\WSUS\UpdateServicesDBFiles
%systemroot%\SoftwareDistribution\Datastore
%systemroot%\SoftwareDistribution\Download
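The TIP earlier in this article warns that the automatic exclusions only cover default paths. The following added example (not the article's own code) reads the AD DS and DHCP Server data locations from the registry keys the article cites, checks whether they are still under the default folders the automatic lists cover, and otherwise looks for a custom path exclusion that covers them. Assumptions: the registry value names are used exactly as the article gives them, a machine is treated as a server when Win32_OperatingSystem reports a non-workstation ProductType, and the function and its ___location table are this example's own.

```powershell
# Added example, not from the article: are moved role data paths still covered by an exclusion?
function Test-MpRoleExclusionCoverage {
    [CmdletBinding()]
    param(
        [string[]]$CustomExclusions = (Get-MpPreference).ExclusionPath,
        [bool]$AutoExclusionsDisabled = [bool](Get-MpPreference).DisableAutoExclusions
    )
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dhcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'
    # Constructed table: registry value -> default folder that the automatic exclusions above cover
    $locations = @(
        @{ Role = 'AD DS';       Key = $ntds; Value = 'DSA Working Directory'; Default = "$env:windir\Ntds" },
        @{ Role = 'AD DS';       Key = $ntds; Value = 'Database Log Files';    Default = "$env:windir\Ntds" },
        @{ Role = 'DHCP Server'; Key = $dhcp; Value = 'DatabasePath';          Default = "$env:SystemRoot\System32\DHCP" },
        @{ Role = 'DHCP Server'; Key = $dhcp; Value = 'DhcpLogFilePath';       Default = "$env:SystemRoot\System32\DHCP" },
        @{ Role = 'DHCP Server'; Key = $dhcp; Value = 'BackupDatabasePath';    Default = "$env:SystemRoot\System32\DHCP" }
    )
    # Automatic exclusions apply only on Windows Server and only while not opted out
    $isServer   = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
    $autoActive = $isServer -and -not $AutoExclusionsDisabled

    # Normalise for prefix comparison: expand variables, drop a trailing "\*" or "\"
    $norm = { param($p) [Environment]::ExpandEnvironmentVariables("$p").TrimEnd('*').TrimEnd('\') }
    $customPrefixes = @($CustomExclusions | Where-Object { $_ } | ForEach-Object { & $norm $_ } | Where-Object { $_ })

    foreach ($loc in $locations) {
        $raw = (Get-ItemProperty -Path $loc.Key -Name $loc.Value -ErrorAction SilentlyContinue).($loc.Value)
        if (-not $raw) {
            [pscustomobject]@{ Role = $loc.Role; Value = $loc.Value; Path = $null; Status = 'role not installed or value absent' }
            continue
        }
        $actual    = & $norm $raw
        $atDefault = $actual.StartsWith((& $norm $loc.Default), [StringComparison]::OrdinalIgnoreCase)
        $custom    = @($customPrefixes | Where-Object { $actual.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        $status = if ($atDefault -and $autoActive) { 'covered by automatic exclusions' }
                  elseif ($custom.Count -gt 0)   { "covered by custom exclusion '$($custom[0])'" }
                  else                           { 'NOT covered: add a custom path exclusion for this folder' }
        [pscustomobject]@{ Role = $loc.Role; Value = $loc.Value; Path = $actual; Status = $status }
    }
}

# Usage (administrator PowerShell on the server): Test-MpRoleExclusionCoverage | Format-Table -AutoSize
```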
Related articles
Configure and validate exclusions for Windows Defender Antivirus scans
Configure and validate exclusions based on file name, extension, and folder ___location
Configure and validate exclusions for files opened by processes
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure Windows Defender Antivirus scanning options
11/20/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Use Microsoft Intune to configure scanning options
See Configure device restriction settings in Microsoft Intune and Windows Defender Antivirus device restriction settings for
Windows 10 in Intune for more details.
Use Configuration Manager to configure scanning options
See How to create and deploy antimalware policies: Scan settings for details on configuring System Center Configuration
Manager (current branch).
Use Group Policy to configure scanning options
To configure the Group Policy settings described in the following table:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group
Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
3. Expand the tree to Windows components > Windows Defender Antivirus and then the Location specified in
the table below.
4. Double-click the policy Setting as specified in the table below, and set the option to your desired configuration. Click
OK, and repeat for any other settings.
DESCRIPTION | LOCATION AND SETTING | DEFAULT SETTING (IF NOT CONFIGURED) | POWERSHELL SET-MPPREFERENCE PARAMETER OR WMI PROPERTY FOR MSFT_MPPREFERENCE CLASS
See Email scanning limitations below | Scan > Turn on e-mail scanning | Disabled | -DisableEmailScanning
Scan reparse points | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | -DisableScanningMappedNetworkDrivesForFullScan
Scan archive files (such as .zip or .rar files). The extensions exclusion list will take precedence over this setting. | Scan > Scan archive files | Enabled | -DisableArchiveScanning
Scan files on the network | Scan > Scan network files | Disabled | -DisableScanningNetworkFiles
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | -DisableRemovableDriveScanning
Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | -ScanAvgCPULoadFactor
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, 0, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
NOTE
If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files,
including those on mounted removable devices such as USB drives.
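An added example, not taken from the article: the Set-MpPreference parameters from the table above checked against a constructed baseline, reporting drift and optionally applying the baseline. Nothing changes unless -Apply is given, and a local Set-MpPreference can still be overwritten by Group Policy, Configuration Manager or Intune, as the PowerShell article notes. The baseline values and the function name are this example's own choices.

```powershell
# Added example, not from the article: detect and optionally correct drift in scan options.
function Compare-MpScanOptions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Constructed baseline: scan archives, network files and removable drives; keep mapped
        # drives out of full scans; e-mail scanning off (see "Email scanning limitations"); 50% CPU.
        [hashtable]$Baseline = @{
            DisableArchiveScanning                        = $false
            DisableScanningNetworkFiles                   = $false
            DisableScanningMappedNetworkDrivesForFullScan = $true
            DisableRemovableDriveScanning                 = $false
            DisableEmailScanning                          = $true
            ScanAvgCPULoadFactor                          = 50
        },
        [switch]$Apply
    )
    $current = Get-MpPreference
    $drift = foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $have = $current.$name
        # Compare as strings so that booleans and the byte-typed CPU factor line up with the baseline literals
        if ("$have" -ne "$($Baseline[$name])") {
            [pscustomobject]@{ Setting = $name; Current = $have; Baseline = $Baseline[$name] }
        }
    }
    if ($Apply -and $drift) {
        # Hashtable keys are the Set-MpPreference parameter names from the table, so splat them directly
        $params = @{}
        foreach ($d in @($drift)) { $params[$d.Setting] = $d.Baseline }
        if ($PSCmdlet.ShouldProcess('Windows Defender Antivirus', "Set-MpPreference -$($params.Keys -join ' -')")) {
            Set-MpPreference @params
        }
    }
    $drift   # empty when the endpoint already matches the baseline
}

# Usage: Compare-MpScanOptions                  # report drift only
#        Compare-MpScanOptions -Apply -WhatIf   # show what Set-MpPreference would change
```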
Related topics
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Configure and run on-demand Windows Defender Antivirus scans
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Configure remediation for Windows Defender Antivirus scans
11/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can
configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point
before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use System Center
Configuration Manager and Microsoft Intune.
You can also use the Set-MpPreference PowerShell cmdlet or MSFT_MpPreference WMI class to configure these
settings.
LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)
Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
IMPORTANT
Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation
requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all
additional remediation steps have been completed.
If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from
quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md).
To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md).
Also see Configure remediation-required scheduled full Windows Defender Antivirus scans for more remediation-related settings.
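The same remediation settings applied locally with Set-MpPreference, as an added example that is not part of the Microsoft page. The parameter names are documented Set-MpPreference parameters; the 30-day quarantine retention, the per-level actions and the threat ID 2147519003 are constructed values for illustration only.

```powershell
# Added example (not from the page): configure remediation behaviour locally and
# read the effective values back. Policy from Group Policy, Configuration Manager
# or Intune can overwrite these local settings on the next refresh.

# Keep quarantined items for 30 days, then purge them (0 = never removed, the default).
Set-MpPreference -QuarantinePurgeItemsAfterDelay 30

# Default action per threat alert level. Accepted values include
# Clean, Quarantine, Remove, Allow, UserDefined, NoAction and Block.
Set-MpPreference -LowThreatDefaultAction      Quarantine
Set-MpPreference -ModerateThreatDefaultAction Quarantine
Set-MpPreference -HighThreatDefaultAction     Remove
Set-MpPreference -SevereThreatDefaultAction   Remove

# Override the action for individual threats by threat ID. The two arrays are
# positional pairs: the ID at index n gets the action at index n.
# 2147519003 is a constructed placeholder; take real IDs from Get-MpThreat.
Set-MpPreference -ThreatIDDefaultAction_Ids     @(2147519003) `
                 -ThreatIDDefaultAction_Actions @('Quarantine')

# Confirm what the engine will actually do by reading the local preference back.
Get-MpPreference | Select-Object QuarantinePurgeItemsAfterDelay,
    LowThreatDefaultAction, ModerateThreatDefaultAction,
    HighThreatDefaultAction, SevereThreatDefaultAction,
    ThreatIDDefaultAction_Ids, ThreatIDDefaultAction_Actions
```

Run it from an elevated PowerShell session; the final Get-MpPreference call is the check that a later policy deployment has not silently replaced the values.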
Related topics
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Configure and run on-demand Windows Defender Antivirus scans
Configure the notifications that appear on endpoints
Configure end-user Windows Defender Antivirus interaction
Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
Windows Defender Antivirus in Windows 10
Configure scheduled quick or full Windows
Defender Antivirus scans
11/20/2019 • 6 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans.
You can Manage the schedule for when protection updates should be downloaded and applied to override this
default.
In addition to always-on real-time protection and on-demand scans, you can set up regular, scheduled
scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a
protection update or if the endpoint is being used. You can also specify when special scans to complete
remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI.
You can also configure scheduled scans with System Center Configuration Manager or Microsoft Intune.
To configure the Group Policy settings described in this topic:
1. On your Group Policy management machine, open the Group Policy Management Console, right-
click the Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus and then the
Location specified in the table below.
5. Double-click the policy Setting as specified in the table below, and set the option to your desired
configuration. Click OK, and repeat for any other settings.
Also see the Manage when protection updates should be downloaded and applied and Prevent or allow
users to locally modify policy settings topics.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
NOTE
If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with
event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan
at the next scheduled time.
LOCATION | SETTING | DESCRIPTION | DEFAULT SETTING (IF NOT CONFIGURED)
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
Set-MpPreference -ScanOnlyIfIdleEnabled
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
Set-MpPreference -RemediationScheduleDay
Set-MpPreference -RemediationScheduleTime
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI):
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter 2, for once a day, enter 24. Enter 0 to never run a daily quick scan. | Never
Set-MpPreference -ScanScheduleQuickTime
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to schedule daily scans:
Use the Set method of the MSFT_MpPreference class for the following properties:
SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSources
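A complete scheduled-scan configuration applied with Set-MpPreference, as an added example that is not part of the Microsoft page. -ScanOnlyIfIdleEnabled, -RemediationScheduleDay, -RemediationScheduleTime and -ScanScheduleQuickTime are named on this page; -ScanParameters, -ScanScheduleDay and -ScanScheduleTime are documented Set-MpPreference parameters that this section does not list. The days and times are constructed values.

```powershell
# Added example (not from the page): schedule a weekly full scan that only runs
# while the machine is idle, a separate remediation scan, and a daily quick scan,
# then verify the resulting local preference.
# Day codes: 0 = every day, 1 = Sunday ... 7 = Saturday, 8 = never.

$settings = @{
    ScanParameters          = 2          # 1 = quick scan, 2 = full scan
    ScanScheduleDay         = 1          # Sunday
    ScanScheduleTime        = '02:00:00' # 02:00 local time
    ScanOnlyIfIdleEnabled   = $true      # skip the scheduled scan while the machine is in use
    RemediationScheduleDay  = 3          # Tuesday: full scan to complete remediation
    RemediationScheduleTime = '03:00:00'
    ScanScheduleQuickTime   = '12:00:00' # daily quick scan at noon
}

# Splat the whole table in one call so the settings land atomically.
Set-MpPreference @settings

# Verify: Get-MpPreference reports the day codes as integers and the times as
# time-of-day values, so each line should echo what was set above.
$pref = Get-MpPreference
foreach ($name in $settings.Keys) {
    '{0,-24} {1}' -f $name, $pref.$name
}
```

Remember the note above about battery power: a scheduled full scan on an unplugged laptop stops with event 1002 and is retried at the next scheduled time, so a Sunday 02:00 slot only works for machines that are docked or powered then.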
Related topics
Prevent or allow users to locally modify policy settings
Configure and run on-demand Windows Defender Antivirus scans
Configure Windows Defender Antivirus scanning options
Manage Windows Defender Antivirus updates and apply baselines
Manage when protection updates should be downloaded and applied
Windows Defender Antivirus in Windows 10
Configure and run on-demand Windows Defender
Antivirus scans
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can
define parameters for the scan, such as the ___location or type.
NOTE
By default, quick scans run on mounted removable devices, such as USB drives.
See Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus for
more information on how to use the tool and additional parameters, including starting a full scan or defining
paths.
Start-MpScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for
more information on how to use PowerShell with Windows Defender Antivirus.
Related articles
Configure Windows Defender Antivirus scanning options
Configure scheduled Windows Defender Antivirus scans
Windows Defender Antivirus in Windows 10
Review Windows Defender Antivirus scan results
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
After a Windows Defender Antivirus scan completes, whether it is an on-demand or scheduled scan, the results
are recorded and you can view them.
Get-MpThreatDetection
You can specify -ThreatID to limit the output to only show the detections for a specific threat.
If you want to list threat detections, but combine detections of the same threat into a single item, you can use the
following cmdlet:
Get-MpThreat
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
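An on-demand scan followed by a review of its detections, covering both the Start-MpScan section above and the Get-MpThreatDetection / Get-MpThreat cmdlets described here. This is an added example, not code from the Microsoft page; the cmdlets are the ones the page names, while the function names, the scan path and the threat ID 2147519003 are constructed for illustration.

```powershell
# Added example (not from the page): run an on-demand scan and then list only
# the detections registered since the scan started.

function Invoke-DefenderScanAndReport {
    param(
        [ValidateSet('QuickScan', 'FullScan', 'CustomScan')]
        [string] $ScanType = 'QuickScan',
        # Only used with CustomScan: the file or directory to scan
        [string] $ScanPath
    )
    $started = Get-Date
    if ($ScanType -eq 'CustomScan') {
        if (-not $ScanPath) { throw 'CustomScan requires -ScanPath.' }
        Start-MpScan -ScanType CustomScan -ScanPath $ScanPath   # blocks until the scan ends
    } else {
        Start-MpScan -ScanType $ScanType
    }
    # Detections persist across scans; filter to those first seen during this run.
    # Resources lists the paths involved, ActionSuccess whether remediation worked.
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $started } |
        Select-Object ThreatID, InitialDetectionTime, ProcessName, ActionSuccess, Resources
}

# Aggregated view: one row per distinct threat, with severity and whether it is still active.
function Get-DefenderThreatSummary {
    Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive, DidThreatExecute
}

# Usage:
# Invoke-DefenderScanAndReport -ScanType CustomScan -ScanPath 'C:\Users\Public\Downloads'
# Get-DefenderThreatSummary
# Get-MpThreatDetection -ThreatID 2147519003   # constructed ID: drill into one threat's detections
```

Filtering on InitialDetectionTime is what separates this scan's findings from the history the endpoint already carries; Get-MpThreat then gives the de-duplicated view the page describes, and -ThreatID narrows back down to a single threat when one needs follow-up.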
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted
environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to
bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough
clean of the endpoint after a malware outbreak.
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Security app. In
previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the
endpoint, and load the bootable media.
NOTE
Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
NOTE
Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an
update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install
the latest protection updates from the Microsoft Malware Protection Center.
See the Manage Windows Defender Antivirus Security intelligence updates topic for more information.
Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender
determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint.
The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using
it to manage your endpoints.
The prompt can occur via a notification, similar to the following:
The user will also be notified within the Windows Defender client:
In Configuration Manager, you can identify the status of endpoints by navigating to Monitoring > Overview >
Security > Endpoint Protection Status > System Center Endpoint Protection Status.
Windows Defender Offline scans are indicated under Malware remediation status as Offline scan required.
Configure notifications
Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV
notifications.
For more information about notifications in Windows Defender, see the Configure the notifications that appear on
endpoints topic.
Run a scan
IMPORTANT
Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows
Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is
performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan
performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
You can run a Windows Defender Offline scan with the following:
PowerShell
Windows Management Instrumentation (WMI)
The Windows Security app
Use PowerShell cmdlets to run an offline scan
Use the following cmdlets:
Start-MpWDOScan
See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more
information on how to use PowerShell with Windows Defender Antivirus.
Use Windows Management Instrumentation (WMI) to run an offline scan
Use the MSFT_MpWDOScan class to run an offline scan.
The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the
endpoint to restart, run the offline scan, and then restart and boot into Windows.
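The offline scan started through the MSFT_MpWDOScan class with the CIM cmdlets, as an added example rather than the page's own snippet. The namespace and class name are the Windows Defender WMIv2 provider's; the signature-freshness check and the confirmation prompt are this example's additions, reflecting the notes above that protection should be updated first and that the endpoint will restart.

```powershell
# Added example (not from the page): start a Windows Defender Offline scan via WMI.

function Start-DefenderOfflineScan {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    # The page recommends updating protection before an offline scan: refuse to
    # continue if the security intelligence on this endpoint is over a day old.
    $status = Get-MpComputerStatus
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($age.TotalDays -gt 1) {
        throw ('Security intelligence is {0:N1} days old; run Update-MpSignature first.' -f $age.TotalDays)
    }

    # This restarts the endpoint into the offline environment: require confirmation.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart into a Windows Defender Offline scan')) {
        # Start is a static method on the class, so no instance is needed.
        Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' `
                         -ClassName 'MSFT_MpWDOScan' -MethodName 'Start'
    }
}

# Usage: -WhatIf shows the action without taking it; without it you are prompted.
# Start-DefenderOfflineScan -WhatIf
# Start-DefenderOfflineScan
```

Because ConfirmImpact is High, the function prompts by default; save open work first, as the IMPORTANT note above says, since the reboot follows immediately once the method call returns.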
Related articles
Customize, initiate, and review the results of scans and remediation
Windows Defender Antivirus in Windows 10
Restore quarantined files in Windows Defender AV
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender
Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
1. Open Windows Security.
2. Click Virus & threat protection and then click Threat History.
3. Under Quarantined threats, click See full history.
4. Click an item you want to keep, then click Restore. (If you prefer to remove the item, you can click Remove.)
NOTE
You can also use the dedicated command-line tool mpcmdrun.exe to restore quarantined files in Windows Defender AV.
Related articles
Configure remediation for scans
Review scan results
Configure and validate exclusions based on file name, extension, and folder ___location
Configure and validate exclusions for files opened by processes
Configure Windows Defender Antivirus exclusions on Windows Server
Manage Windows Defender Antivirus in your
business
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can manage and configure Windows Defender Antivirus with the following tools:
Microsoft Intune
System Center Configuration Manager
Group Policy
PowerShell cmdlets
Windows Management Instrumentation (WMI)
The mpcmdrun.exe utility
The topics in this section provide further information, links, and resources for using these tools to manage and
configure Windows Defender Antivirus.
In this section
TOPIC | DESCRIPTION
Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager | Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
Manage Windows Defender Antivirus with Group Policy settings | List of all Group Policy settings located in ADMX templates
Manage Windows Defender Antivirus with PowerShell cmdlets | Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI) | Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool | Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus
Use System Center Configuration Manager and
Microsoft Intune to configure and manage Windows
Defender Antivirus
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your
network, you can also use them to manage Windows Defender Antivirus scans.
In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used
by Windows Defender Antivirus.
See the Endpoint Protection library on docs.microsoft.com for information on using Configuration Manager.
For Microsoft Intune, consult the Microsoft Intune library and Configure device restriction settings in Intune.
Related articles
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use Group Policy settings to configure and manage
Windows Defender Antivirus
11/20/2019 • 9 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use Group Policy to configure and manage Windows Defender Antivirus on your endpoints.
In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy
settings:
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object (GPO) you want to configure and click Edit.
2. Using the Group Policy Management Editor go to Computer configuration.
3. Click Administrative templates.
4. Expand the tree to Windows components > Windows Defender Antivirus.
5. Expand the section (referred to as Location in the table in this topic) that contains the setting you want to
configure, double-click the setting to open it, and make configuration changes.
6. Deploy the updated GPO as you normally do.
The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and
provides links to the appropriate topic in this documentation library (where applicable).
LOCATION | SETTING | ARTICLE
Client interface | Display additional text to clients when they need to perform an action | Configure the notifications that appear on endpoints
Client interface | Suppress all notifications | Configure the notifications that appear on endpoints
Client interface | Suppresses reboot notifications | Configure the notifications that appear on endpoints
MAPS | Configure the 'Block at First Sight' feature | Enable block at first sight
MAPS | Send file samples when further analysis is required | Enable cloud-delivered protection
MAPS | Configure local setting override for reporting to Microsoft MAPS | Prevent or allow users to locally modify policy settings
MpEngine | Configure extended cloud check | Configure the cloud block timeout period
Network inspection system | Specify additional definition sets for network traffic inspection | Not used
Quarantine | Configure local setting override for the removal of items from Quarantine folder | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override for turn on behavior monitoring | Prevent or allow users to locally modify policy settings
Real-time protection | Configure local setting override to turn on real-time protection | Prevent or allow users to locally modify policy settings
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Monitor file and program activity on your computer | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Scan all downloaded files and attachments | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn off real-time protection | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on process scanning whenever real-time protection is enabled | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Turn on raw volume write notifications | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Enable and configure Windows Defender Antivirus always-on protection and monitoring
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Prevent or allow users to locally modify policy settings
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Configure scheduled Windows Defender Antivirus scans
Reporting | Turn off enhanced notifications | Configure the notifications that appear on endpoints
Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to Not configured to ensure any installed third-party antivirus apps work correctly)
Root | Configure local administrator merge behavior for lists | Prevent or allow users to locally modify policy settings
Root | Randomize scheduled task times | Configure scheduled scans for Windows Defender Antivirus
Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Manage event-based forced updates
Scan | Define the number of days after which a catch-up scan is forced | Manage updates for endpoints that are out of date
Scan | Turn on catch up full scan | Manage updates for endpoints that are out of date
Scan | Turn on catch up quick scan | Manage updates for endpoints that are out of date
Scan | Configure local setting override for maximum percentage of CPU utilization | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for schedule scan day | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled quick scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for scheduled scan time | Prevent or allow users to locally modify policy settings
Scan | Configure local setting override for the scan type to use for a scheduled scan | Prevent or allow users to locally modify policy settings
Scan | Turn on removal of items from scan history folder | Configure remediation for Windows Defender Antivirus scans
Scan | Run full scan on mapped network drives | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum depth to scan archive files | Configure scanning options in Windows Defender Antivirus
Scan | Specify the maximum size of archive files to be scanned | Configure scanning options in Windows Defender Antivirus
Scan | Specify the day of the week to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the interval to run quick scans per day | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the scan type to use for a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time for a daily quick scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Specify the time of day to run a scheduled scan | Configure scheduled scans for Windows Defender Antivirus
Scan | Start the scheduled scan only when computer is on but not in use | Configure scheduled scans for Windows Defender Antivirus
Security intelligence updates | Allow security intelligence updates from Microsoft Update | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow security intelligence updates when running on battery power | Manage updates for mobile devices and virtual machines (VMs)
Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | Manage event-based forced updates
Security intelligence updates | Check for the latest virus and spyware definitions on startup | Manage event-based forced updates
Security intelligence updates | Define file shares for downloading security intelligence updates | Manage Windows Defender Antivirus protection and security intelligence updates
Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before spyware definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the number of days before virus definitions are considered out of date | Manage updates for endpoints that are out of date
Security intelligence updates | Define the order of sources for downloading security intelligence updates | Manage Windows Defender Antivirus protection and security intelligence updates
Security intelligence updates | Initiate security intelligence update on startup | Manage event-based forced updates
Security intelligence updates | Specify the day of the week to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the interval to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Specify the time to check for security intelligence updates | Manage when protection updates should be downloaded and applied
Security intelligence updates | Turn on scan after Security intelligence update | Configure scheduled scans for Windows Defender Antivirus
Threats | Specify threat alert levels at which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Threats | Specify threats upon which default action should not be taken when detected | Configure remediation for Windows Defender Antivirus scans
Related articles
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Use PowerShell cmdlets to configure and
manage Windows Defender Antivirus
11/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command
prompt or command line, PowerShell is a task-based command-line shell and scripting language
designed especially for system administration, and you can read more about it at the PowerShell hub on
MSDN.
For a list of the cmdlets and their functions and available parameters, see the Defender cmdlets topic.
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user
interface (GUI) to configure software.
NOTE
PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure,
such as System Center Configuration Manager, Group Policy Management Console, or Windows Defender
Antivirus Group Policy ADMX templates.
Changes made with PowerShell will affect local settings on the endpoint where the changes are
deployed or made. This means that deployments of policy with Group Policy, System Center
Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
You can configure which settings can be overridden locally with local policy overrides.
PowerShell is typically installed under the folder %SystemRoot%\system32\WindowsPowerShell.
NOTE
You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click
Run as administrator and click Yes at the permissions prompt.
To open online help for any of the cmdlets type the following:
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and
update settings.
Read more about WMI at the Microsoft Developer Network System Administration library.
Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same
functions as Group Policy and other management tools. Many of the classes are analogous to Defender
PowerShell cmdlets.
The MSDN Windows Defender WMIv2 Provider reference library lists the available WMI classes for Windows
Defender Antivirus, and includes example scripts.
Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This
means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune
can overwrite changes made with WMI.
You can configure which settings can be overridden locally with local policy overrides.
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Configure and manage Windows Defender Antivirus
with the mpcmdrun.exe command-line tool
12/4/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can perform various Windows Defender Antivirus functions with the dedicated command-line tool
mpcmdrun.exe.
This utility can be useful when you want to automate Windows Defender Antivirus use.
You can find the utility in %ProgramFiles%\Windows Defender\MpCmdRun.exe. You must run it from a
command prompt.
NOTE
You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu,
click Run as administrator and click Yes at the permissions prompt.
Here's an example:
MpCmdRun.exe -scan -2
Command: -Scan [-ScanType [0|1|2|3]] [-File <path> [-DisableRemediation] [-BootSectorScan]] [-Timeout <days>] [-Cancel]
Description: Scans for malicious software. Values for ScanType are: 0 Default, according to your configuration, -1 Quick scan, -2 Full scan, -3 File and directory custom scan.
Related topics
Reference topics for management and configuration tools
Windows Defender Antivirus in Windows 10
Microsoft Defender Advanced Threat Protection for
Mac
11/27/2019 • 3 minutes to read
This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
Caution
Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to
lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an
absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR
functionality after configuring MDATP for Mac antivirus functionality to run in Passive mode.
TIP
If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your
device and navigating to Help > Send feedback.
To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac
machines), configure your macOS machine running Microsoft Defender ATP to be an "Insider" machine. See
Enable Microsoft Defender ATP Insider Machine.
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
Web Proxy Auto-discovery Protocol (WPAD)
Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the
previously listed URLs.
To test that a connection is not blocked, open https://x.cp.wd.microsoft.com/api/report and
https://cdn.x.cp.wd.microsoft.com/ping in a browser.
If you prefer the command line, you can also check the connection by running the following command in
Terminal:
OK https://cdn.x.cp.wd.microsoft.com/ping
Caution
We recommend that you keep System Integrity Protection (SIP) enabled on client machines. SIP is a built-in
macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in
Terminal:
$ mdatp --connectivity-test
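The same reachability check, scripted so it can be run against every endpoint the page names and report in the OK/FAIL shape shown above. This is an added example, not Microsoft's tooling and not a substitute for mdatp --connectivity-test; the DEFAULT_ENDPOINTS tuple and the User-Agent string are this example's own choices, and a manual static proxy is honoured only when it is exported as HTTPS_PROXY, which is how Python's urllib discovers proxies (WPAD is not evaluated here).

```python
import urllib.error
import urllib.request

# Endpoints the page names for the manual browser check.
REPORT_URL = "https://x.cp.wd.microsoft.com/api/report"
PING_URL = "https://cdn.x.cp.wd.microsoft.com/ping"
DEFAULT_ENDPOINTS = (REPORT_URL, PING_URL)


def default_fetch(url, timeout=10):
    """Issue an anonymous GET and return the HTTP status code.

    urllib's default opener includes a ProxyHandler that reads HTTPS_PROXY /
    https_proxy from the environment, so a static proxy set there is used
    automatically. No credentials are sent: the point of the check is whether
    anonymous traffic is allowed through.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "mdatp-connectivity-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def check_endpoints(urls=DEFAULT_ENDPOINTS, fetch=default_fetch):
    """Return one (label, url, detail) tuple per endpoint.

    label is "OK" when the server answered at all (any HTTP status, including
    4xx, proves the network path is open) and "FAIL" when the request never
    completed, which is what a blocking proxy or firewall looks like.
    """
    results = []
    for url in urls:
        try:
            status = fetch(url)
            results.append(("OK", url, f"HTTP {status}"))
        except urllib.error.HTTPError as exc:
            # HTTPError must be caught before URLError (it is a subclass of it).
            results.append(("OK", url, f"HTTP {exc.code}"))
        except (urllib.error.URLError, OSError) as exc:
            results.append(("FAIL", url, str(getattr(exc, "reason", exc))))
    return results


def all_reachable(results):
    """True only when every endpoint answered."""
    return all(label == "OK" for label, _, _ in results)


if __name__ == "__main__":
    report = check_endpoints()
    for label, url, detail in report:
        print(f"{label:4} {url}  ({detail})")
    raise SystemExit(0 if all_reachable(report) else 1)
```

The non-zero exit status makes the script usable from an MDM-run check: a machine whose proxy strips anonymous CONNECT requests will show a FAIL line naming the endpoint, which is the information you need before opening a ticket with the network team.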
Resources
For more information about logging, uninstalling, or other topics, see the Resources page.
Privacy for Microsoft Defender ATP for Mac
What's new in Microsoft Defender Advanced Threat
Protection for Mac
12/31/2019 • 2 minutes to read
100.80.42
Bug fixes
100.79.42
Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
Added a new switch to the command-line utility for testing the connectivity with the backend service
$ mdatp --connectivity-test
Added ability to view the full threat history in the user interface (can be accessed from the Protection history
view)
Performance improvements & bug fixes
100.72.15
Bug fixes
100.70.99
Addressed an issue that impacts the ability of some users to upgrade to macOS Catalina when real-time
protection is enabled. This sporadic issue was caused by Microsoft Defender ATP locking files within the Catalina
upgrade package while scanning them for threats, which led to failures in the upgrade sequence.
100.68.99
Added the ability to configure the antivirus functionality to run in passive mode
Performance improvements & bug fixes
100.65.28
Added support for macOS Catalina
Caution
macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default,
applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without
explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:
For manual deployments, see the updated instructions in the Manual deployment topic.
For managed deployments, see the updated instructions in the JAMF-based deployment and Microsoft Intune-based
deployment topics.
Performance improvements & bug fixes
Intune-based deployment for Microsoft Defender
ATP for Mac
11/6/2019 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment
requires the completion of all of the following steps:
Download installation and onboarding packages
Client device setup
Create System Configuration profiles
Publish application
$ ls -l
total 721688
-rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
$ chmod +x IntuneAppUtil
Select Open System Preferences, locate Management Profile on the list, and select Approve.... Your
Management Profile would be displayed as Verified:
2. Select Continue and complete the enrollment.
You may now enroll more devices. You can also enroll them later, after you have finished provisioning system
configuration and application packages.
3. In Intune, open Manage > Devices > All devices. Here you can see your device among those listed:
5. Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices.
6. Repeat steps 1 through 5 for more profiles.
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
Caution
macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by
default, applications are not able to access certain locations on disk (such as Documents, Downloads,
Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to
fully protect your device.
The following configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously
configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this
configuration profile.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadDescription</key>
<string>Allows Microsoft Defender to access all files on Catalina+</string>
<key>PayloadDisplayName</key>
<string>TCC - Microsoft Defender</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav.tcc</string>
<key>PayloadOrganization</key>
<string>Microsoft Corp.</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>system</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C234DF2E-DFF6-11E9-B279-001C4299FB44</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Allows Microsoft Defender to access all files on Catalina+</string>
<key>PayloadDisplayName</key>
<string>TCC - Microsoft Defender</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav.tcc.C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
<key>PayloadOrganization</key>
<string>Microsoft Corp.</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>C233A5E6-DFF6-11E9-BDAD-001C4299FB44</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.microsoft.wdav" and anchor apple generic and certificate
1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /*
exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
<key>Comment</key>
<string>Allow SystemPolicyAllFiles control for Microsoft Defender ATP</string>
<key>Identifier</key>
<string>com.microsoft.wdav</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
</dict>
</dict>
</array>
</dict>
</plist>
9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import
the following .mobileconfig as a custom payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>NotificationSettings</key>
<array>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
<dict>
<key>AlertType</key>
<integer>2</integer>
<key>BadgesEnabled</key>
<true/>
<key>BundleIdentifier</key>
<string>com.microsoft.wdavtray</string>
<key>CriticalAlertEnabled</key>
<false/>
<key>GroupingType</key>
<integer>0</integer>
<key>NotificationsEnabled</key>
<true/>
<key>ShowInLockScreen</key>
<false/>
<key>ShowInNotificationCenter</key>
<true/>
<key>SoundsEnabled</key>
<true/>
</dict>
</array>
<key>PayloadDescription</key>
<string/>
<key>PayloadDisplayName</key>
<string>notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadType</key>
<string>com.apple.notificationsettings</string>
<key>PayloadUUID</key>
<string>BB977315-E4CB-4915-90C7-8334C75A7C64</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
</array>
<key>PayloadDescription</key>
<string/>
<key>PayloadDisplayName</key>
<string>mdatp - allow notifications</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>85F6805B-0106-4D23-9101-7F1DFD5EA6D6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
10. Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices.
Once the Intune changes are propagated to the enrolled devices, you can see them listed under Monitor >
Device status:
Publish application
1. In Intune, open the Manage > Client apps blade. Select Apps > Add.
2. Select App type=Other/Line-of-business app.
3. Select file=wdav.pkg.intunemac. Select OK to upload.
4. Select Configure and add the required information.
5. Use macOS High Sierra 10.13 as the minimum OS and set Ignore app version to Yes. Other settings can
be any arbitrary value.
Caution
Failure to set Ignore app version to Yes impacts the ability of the application to receive updates through
Microsoft AutoUpdate. See Deploy updates for Microsoft Defender ATP for Mac for additional information
about how the product is updated.
6. Select OK and Add.
7. It may take a few moments to upload the package. After it's done, select the package from the list and go to
Assignments and Add group.
in Intune:
3. You should also see the Microsoft Defender icon in the top-right corner:
Troubleshooting
Issue: No license found
Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml
Uninstallation
See Uninstalling for details on how to remove Microsoft Defender ATP for Mac from client devices.
JAMF-based deployment for Microsoft Defender ATP
for Mac
11/6/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment
requires the completion of all of the following steps:
Download installation and onboarding packages
Create JAMF policies
Client device setup
Deployment
Check onboarding status
$ ls -l
total 721160
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default,
applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without
explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
If you previously configured Microsoft Defender ATP through JAMF, we recommend applying the following
configuration.
Add the following JAMF policy to grant Full Disk Access to Microsoft Defender ATP.
1. Select Options > Privacy Preferences Policy Control.
2. Use any identifier and identifier type = Bundle.
3. Set Code Requirement to
identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
4. Set app or service to SystemPolicyAllFiles and access to Allow.
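Both the Intune tcc.xml profile in the previous topic and this JAMF PPPC policy grant SystemPolicyAllFiles on the strength of the code requirement, so before such a profile goes to every Mac it is worth confirming that the requirement pins the bundle identifier, the Apple anchor and the UBF8T346G9 team ID, and that no other application has been added to the grant list. The audit below is an added example written for this page, not Microsoft's or JAMF's code. build_tcc_profile reproduces the structure of the page's profile with placeholder UUIDs, and FDA_ALLOWLIST is a constructed list of the bundle IDs an organization expects to hold Full Disk Access through MDM.

```python
import plistlib

# Values taken from the page's TCC profile and JAMF PPPC policy.
DEFENDER_BUNDLE_ID = "com.microsoft.wdav"
MICROSOFT_TEAM_ID = "UBF8T346G9"
PPPC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"
EXPECTED_REQUIREMENT = (
    'identifier "com.microsoft.wdav" and anchor apple generic and certificate '
    "1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate "
    "leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate "
    "leaf[subject.OU] = UBF8T346G9"
)
# Constructed allowlist: bundle IDs that are expected to receive Full Disk Access.
FDA_ALLOWLIST = {DEFENDER_BUNDLE_ID}


def requirement_problems(requirement, bundle_id):
    """Check the three clauses that keep a code requirement from matching a look-alike binary."""
    problems = []
    if f'identifier "{bundle_id}"' not in requirement:
        problems.append("code requirement does not pin the bundle identifier")
    if "anchor apple generic" not in requirement:
        problems.append("code requirement is not anchored to Apple's certificate chain")
    if f"leaf[subject.OU] = {MICROSOFT_TEAM_ID}" not in requirement:
        problems.append("code requirement does not pin the Microsoft team ID")
    return problems


def audit_full_disk_access(profile_bytes, allowlist=FDA_ALLOWLIST):
    """Return (payload_uuid, bundle_id, problem) findings for every SystemPolicyAllFiles grant.

    An empty list means the profile grants Full Disk Access only to allowlisted
    bundle IDs and only under a properly pinned code requirement.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_PAYLOAD_TYPE:
            continue
        uuid = payload.get("PayloadUUID", "?")
        for grant in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
            ident = grant.get("Identifier", "")
            if not grant.get("Allowed", False):
                continue  # a deny entry does not widen access
            if grant.get("IdentifierType") != "bundleID":
                findings.append((uuid, ident, "IdentifierType is not bundleID"))
            if ident not in allowlist:
                findings.append((uuid, ident, "Full Disk Access granted to an app outside the allowlist"))
                continue
            for problem in requirement_problems(grant.get("CodeRequirement", ""), ident):
                findings.append((uuid, ident, problem))
    return findings


def build_tcc_profile(code_requirement=EXPECTED_REQUIREMENT, bundle_id=DEFENDER_BUNDLE_ID):
    """Minimal profile in the layout of the page's tcc.xml (placeholder UUIDs, constructed)."""
    grant = {
        "Allowed": True,
        "CodeRequirement": code_requirement,
        "Comment": "Allow SystemPolicyAllFiles control for Microsoft Defender ATP",
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
    }
    payload = {
        "PayloadType": PPPC_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{bundle_id}.tcc.EXAMPLE-UUID-0001",
        "PayloadUUID": "EXAMPLE-UUID-0001",
        "PayloadVersion": 1,
        "Services": {"SystemPolicyAllFiles": [grant]},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "system",
        "PayloadIdentifier": f"{bundle_id}.tcc",
        "PayloadUUID": "EXAMPLE-UUID-0000",
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for finding in audit_full_disk_access(build_tcc_profile(code_requirement='identifier "com.microsoft.wdav"')):
        print(finding)
```

To audit a real .mobileconfig before uploading it, pass the file's bytes (open(path, "rb").read()) to audit_full_disk_access; the same checks apply to any PPPC payload your MDM exports, since the Services/SystemPolicyAllFiles layout is Apple's, not Microsoft's.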
Package
1. Create a package in Settings > Computer Management > Packages.
Configure the appropriate scope to specify the computers that will receive this policy.
After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each
enrolled device.
NOTE
After a computer is enrolled, it will show up in the Computers inventory (All Computers).
1. Open Device Profiles, from the General tab, and make sure that User Approved MDM is set to Yes. If it's
currently set to No, the user needs to open System Preferences > Profiles and select Approve on the MDM
Profile.
After a moment, the device's User Approved MDM status will change to Yes.
You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system
configuration and application packages.
Deployment
Enrolled client devices periodically poll the JAMF Server, and install new configuration profiles and policies as
soon as they are detected.
Status on the server
You can monitor deployment status in the Logs tab:
Pending means that the deployment is scheduled but has not yet happened
Completed means that the deployment succeeded and is no longer scheduled
Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right
corner.
You can monitor policy installation on a device by following the JAMF log file:
$ tail -f /var/log/jamf.log
Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for
user "testuser"...
Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender...
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender.
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches...
Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
$ mdatp --health
...
licensed : true
orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
...
The above command prints "1" if the product is onboarded and functioning as expected.
If the product is not healthy, the exit code (which can be checked through echo $?) indicates the problem:
1 if the device is not yet onboarded
3 if the connection to the daemon cannot be established—for example, if the daemon is not running
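One way to turn the health output and exit codes above into a fleet report, as an added example that is not part of the product or of this page. SAMPLE_HEALTH is constructed to mimic the layout of mdatp --health: the orgId in it is a placeholder, the healthy line is assumed from the product's full output (which the page elides with "..."), and treating exit code 0 as healthy is an assumption, since the page documents only 1 and 3.

```python
import re

# Constructed sample in the layout of `mdatp --health` (orgId is a placeholder;
# the "healthy" line is assumed from the full output, which the page elides).
SAMPLE_HEALTH = """\
healthy                                     : true
licensed                                    : true
orgId                                       : "00000000-0000-0000-0000-000000000000"
...
"""

HEALTH_LINE = re.compile(r"^\s*(\w+)\s*:\s*(.+?)\s*$")

# Exit codes documented above are 1 and 3; 0 meaning healthy is an assumption.
EXIT_CODES = {
    0: "healthy: product is onboarded and functioning (assumed meaning of 0)",
    1: "device is not yet onboarded",
    3: "connection to the daemon could not be established (is the daemon running?)",
}


def parse_health(text):
    """Turn `key : value` lines into a dict; quoted strings are unquoted, true/false become bools."""
    fields = {}
    for line in text.splitlines():
        match = HEALTH_LINE.match(line)
        if not match:  # skips blank lines and the "..." elision
            continue
        key, raw = match.groups()
        fields[key] = raw == "true" if raw in ("true", "false") else raw.strip('"')
    return fields


def onboarding_status(fields):
    """Classify one machine from its parsed health fields."""
    licensed = fields.get("licensed") is True
    org_id = fields.get("orgId") or ""
    if licensed and org_id:
        return "onboarded"
    if not org_id:
        return "not onboarded: orgId is blank, the onboarding profile has not been applied"
    return "licensing problem: orgId is set but licensed is false"


def explain_exit_code(code):
    """Map the health command's exit status to the meaning documented above."""
    return EXIT_CODES.get(code, f"unexpected exit code {code}: collect diagnostic logs")


def hosts_needing_attention(reports):
    """reports maps hostname -> raw `mdatp --health` text collected by an MDM-run script.

    Returns sorted (host, status) pairs for every machine that is not fully onboarded,
    which is the centralized status view the page says you lose without script support.
    """
    flagged = []
    for host, text in reports.items():
        status = onboarding_status(parse_health(text))
        if status != "onboarded":
            flagged.append((host, status))
    return sorted(flagged)


if __name__ == "__main__":
    demo = {"mac-01": SAMPLE_HEALTH, "mac-02": 'licensed : false\norgId : ""\n'}
    for host, status in hosts_needing_attention(demo):
        print(f"{host}: {status}")
    print(explain_exit_code(3))
```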
Uninstallation
This method is based on the script described in Uninstalling.
Script
Create a script in Settings > Computer Management > Scripts.
This script removes Microsoft Defender ATP from the /Applications directory:
#!/bin/bash
echo "Done!"
Policy
Your policy should contain a single script:
Configure the appropriate scope in the Scope tab to specify the machines that will receive this policy.
Deployment with a different Mobile Device
Management (MDM) system for Microsoft Defender
ATP for Mac
11/6/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
Approach
Caution
Currently, Microsoft officially supports only Intune and JAMF for the deployment and management of Microsoft
Defender ATP for Mac. Microsoft makes no warranties, express or implied, with respect to the information
provided below.
If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does
not mean you are unable to deploy or run Microsoft Defender ATP for Mac.
Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM
solution that supports the following features:
Deploy a macOS .pkg to managed machines.
Deploy macOS system configuration profiles to managed machines.
Run an arbitrary admin-configured tool/script on managed machines.
Most modern MDM solutions include these features; however, they may call them differently.
You can deploy Defender without the last requirement from the preceding list, however:
You will not be able to collect status in a centralized way
If you decide to uninstall Defender, you will need to log on to the client machine locally as an administrator
Deployment
Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use JAMF-based
deployment as a template.
Package
Configure deployment of a required application package, with the installation package (wdav.pkg) downloaded
from Microsoft Defender Security Center.
In order to deploy the package to your enterprise, use the instructions associated with your MDM solution.
License settings
Set up a system configuration profile. Your MDM solution may call it something like "Custom Settings Profile", as
Microsoft Defender ATP for Mac is not part of macOS.
Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding
package downloaded from Microsoft Defender Security Center. Your system may support an arbitrary property
list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
Alternatively, it may require you to convert the property list to a different format first.
Typically, your custom profile has an id, name, or ___domain attribute. You must use exactly "com.microsoft.wdav.atp"
for this value. MDM uses it to deploy the settings file to /Library/Managed Preferences/com.microsoft.wdav.atp.plist
on a client machine, and Defender uses this file for loading the onboarding information.
Kernel extension policy
Set up a KEXT or kernel extension policy. Use team identifier UBF8T346G9 to whitelist kernel extensions provided
by Microsoft.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires
the completion of all of the following steps:
Download installation and onboarding packages
Application installation
Client configuration
$ ls -l
total 721152
-rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: WindowsDefenderATPOnboarding.py
Application installation
To complete this process, you must have admin privileges on the machine.
1. Navigate to the downloaded wdav.pkg in Finder and open it.
2. Select Continue, agree with the License terms, and enter the password when prompted.
IMPORTANT
You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or
"Installation is on hold", or both). The driver must be allowed to be installed.
3. Select Open Security Preferences or Open System Preferences > Security & Privacy. Select Allow:
The installation proceeds.
Caution
If you don't select Allow, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some
features, such as real-time protection, will be disabled. See Troubleshoot kernel extension issues for information on
how to resolve this.
NOTE
macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-time protection will not be
available until the machine is rebooted.
Client configuration
1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft
Defender ATP for Mac.
The client machine is not associated with orgId. Note that the orgId attribute is blank.
3. Verify that the machine is now associated with your organization and reports a valid orgId:
After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default,
applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without
explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
To grant consent, open System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Click the lock
icon to make changes (bottom of the dialog box). Select Microsoft Defender ATP.
Uninstallation
See Uninstalling for details on how to remove Microsoft Defender ATP for Mac from client devices.
Deploy updates for Microsoft Defender ATP for Mac
11/6/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default,
MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually.
If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually
check for software updates. You can deploy preferences to configure how and when MAU checks for updates for
the Macs in your organization.
Use msupdate
MAU includes a command-line tool, called msupdate, that is designed for IT administrators so that they have more
precise control over when updates are applied. Instructions for how to use this tool can be found in Update Office
for Mac by using msupdate.
In MAU, the application identifier for Microsoft Defender ATP for Mac is WDAV00. To download and install the
latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window:
./msupdate --install --apps wdav00
TIP
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your
enterprise to InsiderFast or External.
Domain: com.microsoft.autoupdate2
Keys: ChannelName, UpdateCheckFrequency, HowToCheck, EnableCheckForUpdatesButton, DisableInsiderCheckbox, SendAllTelemetryEnabled
Intune
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>B762FF60-6ACB-4A72-9E72-459D00C936F3</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>PayloadDisplayName</key>
<string>Microsoft AutoUpdate settings</string>
<key>PayloadDescription</key>
<string>Microsoft AutoUpdate configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>5A6F350A-CC2C-440B-A074-68E3F34EBAE9</string>
<key>PayloadType</key>
<string>com.microsoft.autoupdate2</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.autoupdate2</string>
<key>PayloadDisplayName</key>
<string>Microsoft AutoUpdate configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>ChannelName</key>
<string>InsiderFast</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
<true/>
<key>DisableInsiderCheckbox</key>
<false/>
<key>SendAllTelemetryEnabled</key>
<true/>
</dict>
</array>
</dict>
</plist>
To configure MAU, you can deploy this configuration profile from the management tool that your enterprise is
using:
From JAMF, upload this configuration profile and set the Preference Domain to com.microsoft.autoupdate2.
From Intune, upload this configuration profile and set the custom configuration profile name to
com.microsoft.autoupdate2.
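The MAU profile above, generated and linted from Python as an added example (not Microsoft's code). The two-level payload layout follows the Intune profile shown on this page. The Production channel, the Manual and AutomaticCheck values of HowToCheck, and UpdateCheckFrequency being an integer number of minutes are taken from Microsoft AutoUpdate's documented options rather than from this page and should be treated as assumptions; the UUIDs are placeholders. The lint enforces the guidance above that MAU should check manually when your own distribution tool deploys updates.

```python
import plistlib

MAU_DOMAIN = "com.microsoft.autoupdate2"

# InsiderFast, External and AutomaticDownload appear on the page; Production, Manual
# and AutomaticCheck are assumed from MAU's documented options.
CHANNELS = {"Production", "InsiderFast", "External"}
HOW_TO_CHECK = {"Manual", "AutomaticCheck", "AutomaticDownload"}


def build_mau_profile(channel="Production", how_to_check="AutomaticDownload",
                      check_frequency_minutes=None, allow_insider_switch=False):
    """Return .mobileconfig bytes in the layout of the page's Intune profile.

    UUIDs are placeholders; generate fresh ones (uuid.uuid4()) for a real deployment.
    """
    if channel not in CHANNELS:
        raise ValueError(f"unknown ChannelName {channel!r}")
    if how_to_check not in HOW_TO_CHECK:
        raise ValueError(f"unknown HowToCheck {how_to_check!r}")
    settings = {
        "PayloadType": MAU_DOMAIN,
        "PayloadIdentifier": MAU_DOMAIN,
        "PayloadUUID": "EXAMPLE-UUID-MAU-0001",
        "PayloadVersion": 1,
        "PayloadEnabled": True,
        "ChannelName": channel,
        "HowToCheck": how_to_check,
        "EnableCheckForUpdatesButton": True,
        "DisableInsiderCheckbox": not allow_insider_switch,
        "SendAllTelemetryEnabled": True,
    }
    if check_frequency_minutes is not None:
        # Assumed to be an integer number of minutes between update checks.
        settings["UpdateCheckFrequency"] = int(check_frequency_minutes)
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": MAU_DOMAIN,
        "PayloadUUID": "EXAMPLE-UUID-MAU-0000",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Microsoft AutoUpdate settings",
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [settings],
    }
    return plistlib.dumps(profile)


def load_mau_settings(profile_bytes):
    """Return the inner payload MAU reads, or None if the profile carries no MAU payload."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == MAU_DOMAIN:
            return payload
    return None


def lint_mau_profile(profile_bytes, managed_by_distribution_tool=False):
    """List settings that would make the profile ineffective or contradict your update strategy."""
    settings = load_mau_settings(profile_bytes)
    if settings is None:
        return [f"no payload with PayloadType {MAU_DOMAIN}; MAU will ignore this profile"]
    issues = []
    if settings.get("ChannelName") not in CHANNELS:
        issues.append(f"unknown ChannelName {settings.get('ChannelName')!r}")
    if settings.get("HowToCheck") not in HOW_TO_CHECK:
        issues.append(f"unknown HowToCheck {settings.get('HowToCheck')!r}")
    if managed_by_distribution_tool and settings.get("HowToCheck") != "Manual":
        issues.append("HowToCheck should be Manual when your own distribution tool deploys updates")
    if settings.get("ChannelName") in {"InsiderFast", "External"} and not settings.get("DisableInsiderCheckbox"):
        issues.append("preview channel with the Insider checkbox enabled: users can change channels themselves")
    return issues


if __name__ == "__main__":
    pilot = build_mau_profile(channel="InsiderFast", how_to_check="Manual", check_frequency_minutes=1440)
    print(pilot.decode())
    print(lint_mau_profile(pilot, managed_by_distribution_tool=True))
```

Write the bytes to a .mobileconfig file and upload it as described above (JAMF: set the Preference Domain to com.microsoft.autoupdate2; Intune: use that same string as the custom configuration profile name).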
Resources
msupdate reference
Configure and validate exclusions for Microsoft
Defender ATP for Mac
11/6/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This article provides information on how to define exclusions that apply to on-demand scans, real-time
protection, and monitoring.
IMPORTANT
The exclusions described in this article don't apply to other Microsoft Defender ATP for Mac capabilities, including endpoint
detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts
and other detections.
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Mac
scans.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your
organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for
Mac.
WARNING
Defining exclusions lowers the protection offered by Microsoft Defender ATP for Mac. You should always evaluate the risks
that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware,
and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are
the same as what is described on the EICAR test file website.
If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text
file with the following Bash command:
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are
attempting to exclude.
Set preferences for Microsoft Defender ATP for Mac
12/5/2019 • 9 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
IMPORTANT
This article contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise organizations.
To configure Microsoft Defender ATP for Mac using the command-line interface, see the Resources page.
Summary
In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that
is deployed by using one of several management tools. Preferences that are managed by your security operations
team take precedence over preferences that are set locally on the device. Users in your organization are not able
to change preferences that are set through the configuration profile.
This article describes the structure of the configuration profile, includes a recommended profile that you can use
to get started, and provides instructions on how to deploy the profile.
The layout of the configuration profile depends on the management console that you are using. The following
sections contain examples of configuration profiles for JAMF and Intune.
The top level of the configuration profile includes product-wide preferences and entries for subareas of Microsoft
Defender ATP, which are explained in more detail in the next sections.
Antivirus engine preferences
The antivirusEngine section of the configuration profile is used to manage the preferences of the antivirus
component of Microsoft Defender ATP.
Domain com.microsoft.wdav
Key antivirusEngine
Key enableRealTimeProtection
Domain com.microsoft.wdav
Key passiveMode
Scan exclusions
Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names.
Domain com.microsoft.wdav
Key exclusions
Type of exclusion
Domain com.microsoft.wdav
Key $type
Data type String
Domain com.microsoft.wdav
Key path
Path type (file / directory)
Domain com.microsoft.wdav
Key isDirectory
File extension excluded from the scan
Domain com.microsoft.wdav
Key extension
Name of excluded content
Key name
Allowed threats
Specify threats by name that are not blocked by Microsoft Defender ATP for Mac. These threats will be allowed to
run.
Domain com.microsoft.wdav
Key allowedThreats
Domain com.microsoft.wdav
Key threatTypeSettings
Threat type
Domain com.microsoft.wdav
Key key
Action to take
Specify what action to take when a threat of the type specified in the preceding section is detected. Choose from
the following options:
Audit: your device is not protected against this type of threat, but an entry about the threat is logged.
Block: your device is protected against this type of threat and you are notified in the user interface and the
security console.
Off: your device is not protected against this type of threat and nothing is logged.
Domain com.microsoft.wdav
Key value
Domain com.microsoft.wdav
Key cloudService
Domain com.microsoft.wdav
Key enabled
Domain com.microsoft.wdav
Key diagnosticLevel
Data type String
Domain com.microsoft.wdav
Key automaticSampleSubmission
Domain com.microsoft.wdav
Key userInterface
Domain com.microsoft.wdav
Key hideStatusMenuIcon
Key edr
Domain com.microsoft.wdav
Key earlyPreview
Device tags
Specify a tag name and its value.
Domain com.microsoft.wdav
Key tags
Type of tag
Domain com.microsoft.wdav
Key key
Value of tag
Key value
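The preference structure described above, assembled into a profile and checked before it is deployed. This is an added example, not Microsoft's recommended profile and not product code: it uses the keys listed above and assumes the exclusion $type values excludedPath, excludedFileExtension and excludedFileName, the diagnosticLevel values optional and required, and lowercase audit/block/off action values, none of which this page spells out. The sample paths, the allowed threat name and the tag value are constructed. The output is the bare preference plist for the com.microsoft.wdav ___domain; the Intune or JAMF payload wrapper around it is not shown.

```python
import plistlib

# Added example (not Microsoft's sample profile): builds the preference dictionary
# for the com.microsoft.wdav ___domain from the keys described above, checks it for
# common mistakes, and serializes it as an XML plist ready to upload.
#
# Assumptions not stated on the page: the exclusion "$type" values
# (excludedPath, excludedFileExtension, excludedFileName), the cloudService
# diagnosticLevel values ("optional", "required") and lowercase action values
# ("audit", "block", "off"). Sample paths, threat names and tags are constructed.

EXCLUSION_TYPES = {"excludedPath", "excludedFileExtension", "excludedFileName"}
THREAT_ACTIONS = {"audit", "block", "off"}
DIAGNOSTIC_LEVELS = {"optional", "required"}
# Fields each exclusion type must carry besides "$type".
REQUIRED_BY_TYPE = {
    "excludedPath": {"path", "isDirectory"},
    "excludedFileExtension": {"extension"},
    "excludedFileName": {"name"},
}


def build_profile():
    """Return the com.microsoft.wdav preference dictionary (constructed sample values)."""
    return {
        "antivirusEngine": {
            "enableRealTimeProtection": True,
            "passiveMode": False,
            "exclusions": [
                # Directory exclusion for a hypothetical build cache that the
                # performance troubleshooting steps identified as noisy.
                {"$type": "excludedPath", "isDirectory": True, "path": "/Users/Shared/build-cache"},
                {"$type": "excludedFileExtension", "extension": "pdb"},
                {"$type": "excludedFileName", "name": "cat"},
            ],
            # Threats allowed to run, by detection name (constructed sample).
            "allowedThreats": ["EICAR-Test-File (not a virus)"],
            # PUA handling: "block" is stricter than the product default of audit.
            "threatTypeSettings": [
                {"key": "potentially_unwanted_application", "value": "block"},
            ],
        },
        "cloudService": {
            "enabled": True,
            "diagnosticLevel": "optional",
            "automaticSampleSubmission": True,
        },
        "userInterface": {"hideStatusMenuIcon": False},
        "edr": {
            "earlyPreview": False,
            "tags": [{"key": "GROUP", "value": "ExampleMacs"}],
        },
    }


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile passed every check."""
    problems = []
    av = profile.get("antivirusEngine", {})
    for i, ex in enumerate(av.get("exclusions", [])):
        kind = ex.get("$type")
        if kind not in EXCLUSION_TYPES:
            problems.append(f"exclusions[{i}]: unknown $type {kind!r}")
            continue
        missing = REQUIRED_BY_TYPE[kind] - set(ex)
        if missing:
            problems.append(f"exclusions[{i}]: {kind} is missing {sorted(missing)}")
    for i, setting in enumerate(av.get("threatTypeSettings", [])):
        action = setting.get("value")
        if action not in THREAT_ACTIONS:
            problems.append(f"threatTypeSettings[{i}]: bad action {action!r}")
        elif action == "off":
            # Nothing is logged for that threat type; flag it so it is a deliberate choice.
            problems.append(f"threatTypeSettings[{i}]: {setting.get('key')} is off (no logging)")
    level = profile.get("cloudService", {}).get("diagnosticLevel")
    if level is not None and level not in DIAGNOSTIC_LEVELS:
        problems.append(f"cloudService.diagnosticLevel: bad value {level!r}")
    for i, tag in enumerate(profile.get("edr", {}).get("tags", [])):
        if not tag.get("key") or not tag.get("value"):
            problems.append(f"edr.tags[{i}]: key and value are both required")
    return problems


def to_plist(profile):
    """Serialize the profile as XML plist bytes (what you save as com.microsoft.wdav.xml)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def from_plist(data):
    """Parse plist bytes back into a dictionary, used to confirm the file round-trips."""
    return plistlib.loads(data)


if __name__ == "__main__":
    prof = build_profile()
    issues = validate_profile(prof)
    if issues:
        raise SystemExit("\n".join(issues))
    with open("com.microsoft.wdav.xml", "wb") as fh:
        fh.write(to_plist(prof))
```

Run it once to produce com.microsoft.wdav.xml, then upload that file in the Intune or JAMF steps below. The validator refuses an exclusion that lacks the fields its type needs and flags any threat type set to off, because that combination silently disables both protection and logging.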
Intune profile
You must enter the correct preference ___domain (com.microsoft.wdav); otherwise, the preferences will not be
recognized by Microsoft Defender ATP.
Intune deployment
1. Open Manage > Device configuration. Select Manage > Profiles > Create Profile.
2. Choose a name for the profile. Change Platform=macOS to Profile type=Custom. Select Configure.
3. Save the .plist produced earlier as com.microsoft.wdav.xml.
4. Enter com.microsoft.wdav as the custom configuration profile name.
5. Open the configuration profile and upload the com.microsoft.wdav.xml file. (This file was created in step 3.)
6. Select OK.
7. Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices.
Caution
You must enter the correct custom configuration profile name; otherwise, these preferences will not be recognized
by Microsoft Defender ATP.
Resources
Configuration Profile Reference (Apple developer documentation)
Detect and block potentially unwanted applications
with Microsoft Defender ATP for Mac
11/6/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Mac can detect and
block PUA files on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on
endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to
have poor reputation.
These applications can increase the risk of your network being infected with malware, cause malware infections to
be harder to identify, and can waste IT resources in cleaning up the applications.
How it works
Microsoft Defender ATP for Mac can detect and report PUA files. When configured in blocking mode, PUA files are
moved to the quarantine.
When a PUA is detected on an endpoint, Microsoft Defender ATP for Mac presents a notification to the user, unless
notifications have been disabled. The threat name will contain the word "Application".
WARNING
By default, PUA protection is configured in Audit mode.
You can configure how PUA files are handled from the command line or from the management console.
Use the command-line tool to configure PUA protection:
In Terminal, execute the following command to configure PUA protection:
Related topics
Set preferences for Microsoft Defender ATP for Mac
Troubleshoot performance issues for Microsoft
Defender ATP for Mac
11/6/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This topic provides some general steps that can be used to narrow down performance issues related to Microsoft
Defender ATP for Mac.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Mac that continuously monitors and protects
your device against threats. It consists of file and process monitoring and other heuristics.
Depending on the applications that you are running and your device characteristics, you may experience
suboptimal performance when running Microsoft Defender ATP for Mac. In particular, applications or system
processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender
ATP for Mac.
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance
improves. This approach helps narrow down whether Microsoft Defender ATP for Mac is contributing to the
performance issues.
If your device is not managed by your organization, real-time protection can be disabled using one of the
following options:
From the user interface. Open Microsoft Defender ATP for Mac and navigate to Manage settings.
From the Terminal. For security purposes, this operation requires elevation.
If your device is managed by your organization, real-time protection can be disabled by your administrator
using the instructions in Set preferences for Microsoft Defender ATP for Mac.
2. Open Finder and navigate to Applications > Utilities. Open Activity Monitor and analyze which
applications are using the resources on your system. Typical examples include software updaters and
compilers.
3. Configure Microsoft Defender ATP for Mac with exclusions for the processes or disk locations that
contribute to the performance issues and re-enable real-time protection.
See Configure and validate exclusions for Microsoft Defender ATP for Mac for details.
Troubleshoot kernel extension issues in Microsoft
Defender ATP for Mac
11/6/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
This topic provides information on how to troubleshoot issues with the kernel extension that is installed as part of
Microsoft Defender ATP for Mac.
Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before
they are allowed to run on the device.
If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for
Mac, then the application displays a banner prompting you to enable it:
You can also run mdatp --health. If it reports that real-time protection is enabled but not available, the kernel
extension is not approved to run on your device.
$ mdatp --health
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
...
The following sections provide guidance on how to address this issue, depending on the method that you used to
deploy Microsoft Defender ATP for Mac.
Managed deployment
See the instructions corresponding to the management tool that you used to deploy the product:
JAMF-based deployment
Microsoft Intune-based deployment
Manual deployment
If less than 30 minutes have passed since the product was installed, navigate to System Preferences > Security
& Privacy, where you have to Allow system software from developers "Microsoft Corporation".
If you don't see this prompt, 30 or more minutes have passed and the kernel extension has still not been
approved to run on your device:
In this case, you need to perform the following steps to trigger the approval flow again.
1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was
not approved to run on the device; however, it will trigger the approval flow again.
$ sudo kextutil /Library/Extensions/wdavkext.kext
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL =
"file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL =
"file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
2. Open System Preferences > Security & Privacy from the menu. (Close it first, if it's opened.)
3. Allow system software from developers "Microsoft Corporation"
4. In Terminal, install the driver again. This time the operation will succeed:
The banner should disappear from the Defender application, and mdatp --health should now report that real-time
protection is both enabled and available:
$ mdatp --health
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
...
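Checking the health state across many Macs, as an added example that is not part of mdatp or of this topic: the script parses the key/value lines that mdatp --health prints, treats "enabled but not available" as the unapproved kernel extension condition shown in the first snippet, and lists the hosts that need attention. The two sample outputs are constructed from the snippets above; collecting the real output from each Mac is assumed to be done by your management tool, and real output contains more keys than the two used here.

```python
import re

# Added example (not part of mdatp): parses the "key : value" lines printed by
# "mdatp --health" and classifies the real-time protection state, so the
# "enabled but not available" condition from the kernel extension topic can be
# found across many Macs by script. The sample outputs are constructed from the
# two snippets on the page; real output has more keys, which the parser keeps as strings.

HEALTH_LINE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

# Constructed: what a Mac with an unapproved kernel extension reports.
HEALTH_KEXT_PENDING = """\
...
realTimeProtectionAvailable                 : false
realTimeProtectionEnabled                   : true
...
"""

# Constructed: what a healthy Mac reports after the extension is approved.
HEALTH_OK = """\
...
realTimeProtectionAvailable                 : true
realTimeProtectionEnabled                   : true
...
"""


def parse_health(text):
    """Map each 'key : value' line to a dict; true/false become bools, other lines (like '...') are skipped."""
    parsed = {}
    for line in text.splitlines():
        m = HEALTH_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        lowered = value.lower()
        parsed[key] = True if lowered == "true" else False if lowered == "false" else value
    return parsed


def rtp_state(health):
    """Classify real-time protection: protected, kext_not_approved, disabled, or unknown."""
    enabled = health.get("realTimeProtectionEnabled")
    available = health.get("realTimeProtectionAvailable")
    if enabled is None or available is None:
        return "unknown"
    if not enabled:
        return "disabled"  # turned off by preference, or by the performance troubleshooting step
    return "protected" if available else "kext_not_approved"


def hosts_needing_kext_approval(reports):
    """Given {hostname: raw health output}, return the hosts whose kernel extension is not approved."""
    return sorted(host for host, text in reports.items()
                  if rtp_state(parse_health(text)) == "kext_not_approved")


if __name__ == "__main__":
    fleet = {"mac-01": HEALTH_OK, "mac-02": HEALTH_KEXT_PENDING}
    for host in hosts_needing_kext_approval(fleet):
        print(f"{host}: real-time protection enabled but not available; approve the kernel extension")
```

A host reported as kext_not_approved is exactly the case the banner and the steps above address; a host reported as disabled has real-time protection turned off by policy and is a different problem, which is why the two are kept apart.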
Privacy for Microsoft Defender ATP for Mac
11/6/2019 • 8 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
Microsoft is committed to providing you with the information and controls you need to make choices about how
your data is collected and used when you’re using Microsoft Defender ATP for Mac.
This topic describes the privacy controls available within the product, how to manage these controls with policy
settings and more details on the data events that are collected.
FIELD DESCRIPTION
org_id: Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.
release_ring: Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized.
edr.early_preview: Whether the machine should run EDR early preview features.
features.[optional feature name]: List of preview features, along with whether they are enabled or not.
Support data
Diagnostic logs
Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The
following files are collected as part of the support logs:
All files under /Library/Logs/Microsoft/mdatp/
Subset of files under /Library/Application Support/Microsoft/Defender/ that are created and used by Microsoft
Defender ATP for Mac
Subset of files under /Library/Managed Preferences that are used by Microsoft Defender ATP for Mac
/Library/Logs/Microsoft/autoupdate.log
$HOME/Library/Preferences/com.microsoft.autoupdate2.plist
Optional diagnostic data
Optional diagnostic data is additional data that helps Microsoft make product improvements and provides
enhanced information to help detect, diagnose, and fix issues.
If you choose to send us optional diagnostic data, required diagnostic data is also included.
Examples of optional diagnostic data include data Microsoft collects about product configuration (for example
number of exclusions set on the device) and product performance (aggregate measures about the performance of
components of the product).
Software setup and inventory data events
Microsoft Defender ATP configuration
The following fields are collected:
FIELD DESCRIPTION
antivirus_engine.threat_restoration_exclusion_time: Time out before a file restored from the quarantine can be detected again.
pkt_ack_conn_timeout
ipc.ack_pkts
ipc.nack_pkts
ipc.send.ack_no_conn
ipc.send.nack_no_conn
ipc.send.ack_no_qsq
ipc.send.nack_no_qsq
ipc.ack.no_space
ipc.ack.timeout
ipc.ack.ackd_fast
ipc.ack.ackd
ipc.recv.bad_pkt_len
ipc.recv.bad_reply_len
ipc.recv.no_waiter
ipc.recv.copy_failed
ipc.kauth.vnode.mask
ipc.kauth.vnode.read
ipc.kauth.vnode.write
ipc.kauth.vnode.exec
ipc.kauth.vnode.del
ipc.kauth.vnode.read_attr
ipc.kauth.vnode.write_attr
ipc.kauth.vnode.read_ex_attr
ipc.kauth.vnode.write_ex_attr
ipc.kauth.vnode.read_sec
ipc.kauth.vnode.write_sec
ipc.kauth.vnode.take_own
ipc.kauth.vnode.denied
ipc.kauth.file_op.mask
ipc.kauth_file_op.open
ipc.kauth.file_op.close
ipc.kauth.file_op.close_modified
ipc.kauth.file_op.move
ipc.kauth.file_op.link
ipc.kauth.file_op.exec
ipc.kauth.file_op.remove
ipc.kauth.file_op.fork
ipc.kauth.file_op.create
Resources
Privacy at Microsoft
Resources for Microsoft Defender ATP for Mac
11/26/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac
Uninstalling
There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed
uninstall is available on JAMF, it is not yet available for Microsoft Intune.
Interactive uninstallation
Open Finder > Applications. Right click on Microsoft Defender ATP > Move to Trash.
From the command line
sudo rm -rf '/Applications/Microsoft Defender ATP.app'
Configuration: Turn on audit mode for PUA protection
mdatp --threat --type-handling potentially_unwanted_application audit
EDR: Turn on/off EDR preview for Mac
mdatp --edr --early-preview [true/false]
For versions earlier than 100.78.0: mdatp --edr --earlyPreview [true/false]
EDR: Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit
https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups
mdatp --edr --set-tag GROUP [name]
EDR: Remove group tag from machine
mdatp --edr --remove-tag [name]
NOTE
Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for
Mac app and select Help > Send feedback on your device. Optionally, use the Feedback button in the Microsoft Defender
Security Center.
Configure the security controls in Secure score
12/4/2019 • 10 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be
available for a few weeks. View the Secure score page.
Each security control lists recommendations that you can take to increase the security posture of your
organization.
Endpoint detection and response (EDR) optimization
A well-configured machine complies with the minimum baseline configuration setting. This tile shows you a list of
actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection
and response tool.
IMPORTANT
This feature is available for machines on Windows 10, version 1607 or later.
You can take the following actions to increase the overall security score of your organization:
Turn on sensor
Fix sensor data collection
Fix impaired communications
For more information, see Fix unhealthy sensors.
Windows Defender Antivirus (Windows Defender AV) optimization
A well-configured machine complies with the minimum baseline configuration setting. This tile shows you a list of
actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV.
IMPORTANT
This feature is available for machines on Windows 10, version 1607 or later.
NOTE
For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-
based protection is properly configured on the machine.
You can take the following actions to increase the overall security score of your organization:
Install the latest security updates
Fix sensor data collection
The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. It's important to ensure that sensor data collection is working properly. For more
information, see Fix unhealthy sensors.
For more information, see Windows Update Troubleshooter.
Windows Defender Exploit Guard (Windows Defender EG) optimization
A well-configured machine complies with the minimum baseline configuration setting. This tile shows you a list of
actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG.
When endpoints are configured according to the baseline, the Microsoft Defender EG events show on the
Microsoft Defender ATP Machine timeline.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.
Minimum baseline configuration setting for Windows Defender EG
Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met:
System level protection settings are configured correctly
Attack Surface Reduction rules are configured correctly
Controlled Folder Access setting is configured correctly
System level protection
The following system level configuration settings must be set to On or Force On:
1. Control Flow Guard
2. Data Execution Prevention (DEP)
3. Randomize memory allocations (Bottom-up ASLR)
4. Validate exception chains (SEHOP)
5. Validate heap integrity
NOTE
The setting Force randomization for images (Mandatory ASLR) is currently excluded from the baseline. Consider
configuring Force randomization for images (Mandatory ASLR) to On or Force On for better protection.
Attack Surface Reduction (ASR) rules
NOTE
The setting Block Office applications from injecting into other processes with GUID 75668C1F-73B5-4CF0-BB93-
3ECF5CB7CC84 is excluded from the baseline. Consider enabling this rule in Audit or Block mode for better protection.
Controlled Folder Access
The Controlled Folder Access setting must be configured to Audit mode or Enabled.
NOTE
Audit mode allows you to see audit events in the Microsoft Defender ATP Machine timeline; however, it does not block
suspicious applications. Consider enabling Controlled Folder Access for better protection.
Recommended actions
You can take the following actions to increase the overall security score of your organization:
Turn on all system-level Exploit Protection settings
Set all ASR rules to enabled or audit mode
Turn on Controlled Folder Access
Turn on Windows Defender Antivirus on compatible machines
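The Windows Defender EG baseline above, encoded as a check you can run against settings collected from your own machines. This is an added example, not Microsoft's scoring logic: the input layout, the two sample machines and the rule id PLACEHOLDER-RULE-1 are constructed, and the only real ASR rule id used is the excluded one quoted in the NOTE above. Hard findings follow the three baseline requirements; the advisory list mirrors the page's three "consider" notes (Mandatory ASLR, the excluded ASR rule, and Controlled Folder Access left in audit mode).

```python
# Added example (not Microsoft's scoring code): evaluates one machine's reported
# Exploit Guard settings against the "well configured" baseline described on the
# page and separates hard findings (baseline not met) from the advisory items the
# NOTEs call out. The input layout and the sample machines are constructed; real
# data would come from your configuration management or a Machine timeline export.
# "PLACEHOLDER-RULE-1" stands in for any real ASR rule id; the only real id used
# is the excluded rule quoted on the page.

REQUIRED_SYSTEM_SETTINGS = (
    "Control Flow Guard",
    "Data Execution Prevention (DEP)",
    "Randomize memory allocations (Bottom-up ASLR)",
    "Validate exception chains (SEHOP)",
    "Validate heap integrity",
)
MANDATORY_ASLR = "Force randomization for images (Mandatory ASLR)"  # excluded from the baseline
ACCEPTED_SYSTEM_STATES = {"On", "Force On"}
EXCLUDED_ASR_RULE = "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84"  # Block Office apps from injecting
ACCEPTED_ASR_MODES = {"enabled", "audit"}
ACCEPTED_CFA_MODES = {"enabled", "audit"}


def evaluate_exploit_guard(machine):
    """Return (findings, advisories). Empty findings means the machine is well configured."""
    findings, advisories = [], []
    system = machine.get("system_mitigations", {})
    for name in REQUIRED_SYSTEM_SETTINGS:
        state = system.get(name, "Not set")
        if state not in ACCEPTED_SYSTEM_STATES:
            findings.append(f"system setting '{name}' is {state}; set it to On or Force On")
    if system.get(MANDATORY_ASLR, "Off") not in ACCEPTED_SYSTEM_STATES:
        advisories.append(f"consider turning on '{MANDATORY_ASLR}' (not part of the baseline)")
    for rule_id, mode in machine.get("asr_rules", {}).items():
        mode = mode.lower()
        if rule_id.upper() == EXCLUDED_ASR_RULE:
            # Excluded from the score, but the page suggests enabling it anyway.
            if mode not in ACCEPTED_ASR_MODES:
                advisories.append(f"consider enabling ASR rule {rule_id} in audit or block mode "
                                  "(not part of the baseline)")
            continue
        if mode not in ACCEPTED_ASR_MODES:
            findings.append(f"ASR rule {rule_id} is {mode}; set it to enabled or audit")
    cfa = machine.get("controlled_folder_access", "disabled").lower()
    if cfa not in ACCEPTED_CFA_MODES:
        findings.append(f"Controlled Folder Access is {cfa}; set it to audit or enabled")
    elif cfa == "audit":
        advisories.append("Controlled Folder Access is in audit mode: events are logged but nothing is blocked")
    return findings, advisories


# Constructed sample machines.
WELL_CONFIGURED = {
    "system_mitigations": {name: "On" for name in REQUIRED_SYSTEM_SETTINGS},
    "asr_rules": {"PLACEHOLDER-RULE-1": "enabled", EXCLUDED_ASR_RULE: "disabled"},
    "controlled_folder_access": "audit",
}
DRIFTED = {
    "system_mitigations": {**{name: "On" for name in REQUIRED_SYSTEM_SETTINGS},
                           "Validate heap integrity": "Off"},
    "asr_rules": {"PLACEHOLDER-RULE-1": "disabled"},
    "controlled_folder_access": "disabled",
}

if __name__ == "__main__":
    for label, machine in (("well-configured", WELL_CONFIGURED), ("drifted", DRIFTED)):
        findings, advisories = evaluate_exploit_guard(machine)
        print(f"{label}: {len(findings)} finding(s), {len(advisories)} advisory item(s)")
        for line in findings + advisories:
            print("  " + line)
```

Only the findings list should drive remediation tickets; the advisories are the hardening steps the page recommends beyond what the score measures, which is worth keeping separate so a "well configured" machine is not mistaken for a fully hardened one.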
Windows Defender Application Guard (Windows Defender AG) optimization
A well-configured machine complies with the minimum baseline configuration setting. This tile shows you a list of
actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG.
When endpoints are configured according to the baseline, Windows Defender AG events show on the Microsoft
Defender ATP Machine timeline.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.
NOTE
This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft
Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on.
WARNING
Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage ___location you have
selected for your Microsoft Defender ATP data.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.
NOTE
If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make
sure that your third-party firewall is configured securely.
Recommended actions
You can take the following actions to increase the overall security score of your organization:
Turn on firewall
Secure ___domain profile
Secure private profile
Secure public profile
Verify secure configuration of third-party firewall
Fix sensor data collection
The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. It's important to ensure that sensor data collection is working properly. For more
information, see Fix unhealthy sensors.
For more information, see Windows Defender Firewall with Advanced Security.
BitLocker optimization
A well-configured machine complies with the minimum baseline configuration setting. This tile shows you a list of
actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1803 or later.
You can take the following actions to increase the overall security score of your organization:
Encrypt all supported drives
Resume protection on all drives
Ensure drive compatibility
Fix sensor data collection
The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. It's important to ensure that sensor data collection is working properly. For more
information, see Fix unhealthy sensors.
For more information, see BitLocker.
Windows Defender Credential Guard optimization
A well-configured machine complies with the minimum baseline configuration setting. This tile shows you a list of
actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender
Credential Guard.
IMPORTANT
This security control is only applicable for machines with Windows 10, version 1709 or later.
You can take the following actions to increase the overall security score of your organization:
Ensure hardware and software prerequisites are met
Turn on Credential Guard
Fix sensor data collection
The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a
machine. The service will not be able to determine the security state of machines that are not reporting
sensor data properly. It's important to ensure that sensor data collection is working properly. For more
information, see Fix unhealthy sensors.
For more information, see Manage Windows Defender Credential Guard.
Related topics
Overview of Secure score
Risk-based Threat & Vulnerability Management
Threat & Vulnerability Management dashboard overview
Exposure score
Configuration score
Security recommendations
Remediation
Software inventory
Weaknesses
Scenarios
Configure and manage Microsoft Threat Experts
capabilities
10/29/2019 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get
proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is
a prerequisite for experts on demand collaboration.
3. Enter your name and email address so that Microsoft can get back to you on your application.
4. Read the privacy statement, then click Submit when you're done. You will receive a welcome email once
your application is approved.
5. From the navigation pane, go to Settings > General > Advanced features to turn the Threat Experts
toggle on. Click Save preferences.
NOTE
Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your
security operations or incident response team for details.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the
Incident page. Ensure that the page for the relevant alert or machine is in view before you send an
investigation request.
2. From the upper right-hand menu, click ?. Then, select Consult a threat expert.
A flyout screen opens. The following screen shows when you are on a trial subscription.
The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription.
The Inquiry topic field is pre-populated with the link to the relevant page for your investigation request. For
example, a link to the incident, alert, or machine details page that you were at when you made the request.
3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start
the investigation.
4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
Sample investigation topics that you can consult with Microsoft Threat
Experts
Alert information
We see a new type of alert for a living-off-the-land binary: [AlertID ]. Can you tell us something more about this
alert and how we can investigate further?
We’ve observed two similar attacks which try to execute malicious PowerShell scripts but generate different
alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on
indication provided by O365". What is the difference?
I received an odd alert today for an abnormal number of failed logins from a high-profile user’s device. I cannot find
any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts?
What types of sign-ins are being monitored?
Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
Possible machine compromise
Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many
machines. We appreciate any input to clarify whether this is related to malicious activity.
Can you help validate a possible compromise on the following system on [date] with similar behaviors as the
previous [malware name] malware detection on the same system in [month]?
Threat intelligence details
This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a
series of suspicious events which triggered multiple Microsoft Defender alerts for [malware name] malware. Do
you have any information on this malware? If yes, can you send me a link?
I recently saw a [social media reference e.g., Twitter or blog] post about a threat that is targeting my industry.
Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
Microsoft Threat Experts’ alert communications
Can your incident response team help us address the targeted attack notification that we got?
I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident
response team. What can we do now, and how can we contain the incident?
I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that
we can pass on to our incident response team?
NOTE
Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However,
the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection
and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response
team to address issues that require an incident response.
Scenario
Receive a progress report about your managed hunting inquiry
Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you
about your Consult a threat expert inquiry within two days, to communicate the investigation status from the
following categories:
More information is needed to continue with the investigation
A file or several file samples are needed to determine the technical context
Investigation requires more time
Initial information was enough to conclude the investigation
It is crucial to respond in a timely manner to keep the investigation moving.
Related topic
Microsoft Threat Experts overview
Onboard machines to the Microsoft Defender ATP
service
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
You'll need to go to the onboarding section of the Microsoft Defender ATP portal to onboard any of the supported
devices. Depending on the device, you'll be guided through the appropriate steps and offered the management and
deployment tool options suitable for that device.
In general, to onboard devices to the service:
Verify that the device fulfills the minimum requirements
Depending on the device, follow the configuration steps provided in the onboarding section of the Microsoft
Defender ATP portal
Use the appropriate management tool and deployment method for your devices
Run a detection test to verify that the devices are properly onboarded and reporting to the service
In this section
TOPIC DESCRIPTION
Onboard previous versions of Windows Onboard Windows 7 and Windows 8.1 machines to Microsoft
Defender ATP.
Onboard Windows 10 machines You'll need to onboard machines for them to report to the
Microsoft Defender ATP service. Learn about the tools and
methods you can use to configure machines in your
enterprise.
Onboard servers Onboard Windows Server 2012 R2 and Windows Server 2016
to Microsoft Defender ATP
Run a detection test on a newly onboarded machine Run a script on a newly onboarded machine to verify that it is
properly reporting to the Microsoft Defender ATP service.
Configure proxy and Internet settings Enable communication with the Microsoft Defender ATP cloud
service by configuring the proxy and Internet connectivity
settings.
Troubleshoot onboarding issues Learn about resolving issues that might arise during
onboarding.
Applies to:
Windows 7 SP1 Enterprise
Windows 7 SP1 Pro
Windows 8.1 Pro
Windows 8.1 Enterprise
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack
detection and investigation capabilities on supported Windows versions.
IMPORTANT
This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more
information, see Preview features.
To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to:
Configure and update System Center Endpoint Protection clients.
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as
instructed below.
TIP
After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service.
For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP endpoint.
Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware
detections and to stop propagation of an attack in your organization by banning potentially malicious files or
suspected malware.
The following steps are required to enable this integration:
Install the January 2017 anti-malware platform update for Endpoint Protection clients
Configure the SCEP client Cloud Protection Service membership to the Advanced setting
Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information,
see Allow connections to the Windows Defender Antivirus cloud
Install and configure Microsoft Monitoring Agent (MMA) to report
sensor data to Microsoft Defender ATP
Before you begin
Review the following details to verify minimum system requirements:
Install the February 2018 monthly update rollup
NOTE
Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
NOTE
Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. Don't install .NET framework 4.0.x, since it will
negate the above installation.
Meet the Azure Log Analytics agent minimum system requirements. For more information, see Collect data
from computers in your environment with Log Analytics
1. Download the agent setup file: Windows 64-bit agent or Windows 32-bit agent.
2. Obtain the workspace ID:
In the Microsoft Defender ATP navigation pane, select Settings > Machine management >
Onboarding
Select Windows 7 SP1 and 8.1 as the operating system
Copy the workspace ID and workspace key
3. Using the workspace ID and workspace key, choose either of the following installation methods to install the
agent:
Manually install the agent using setup. On the Agent Setup Options page, select Connect the agent to Azure
Log Analytics (OMS).
Install the agent using the command line and configure the agent using a script.
4. If you're using a proxy to connect to the Internet, see the Configure proxy settings section.
Once completed, you should see onboarded endpoints in the portal within an hour.
Configure proxy and Internet connectivity settings
Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct,
using a proxy, or through the OMS Gateway.
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, or HTTPS
scanning (SSL inspection) is enabled, make sure that the following URLs are allowed so that the agent can
communicate with the Microsoft Defender ATP service:
AGENT RESOURCE                     PORTS
*.oms.opinsights.azure.com         443
*.blob.core.windows.net            443
*.azure-automation.net             443
*.ods.opinsights.azure.com         443
winatp-gw-cus.microsoft.com        443
winatp-gw-eus.microsoft.com        443
winatp-gw-neu.microsoft.com        443
winatp-gw-weu.microsoft.com        443
winatp-gw-uks.microsoft.com        443
winatp-gw-ukw.microsoft.com        443
Onboard Windows 10 machines
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Machines in your organization must be configured so that the Microsoft Defender ATP service can get sensor
data from them. There are various methods and deployment tools that you can use to configure the machines
in your organization.
The following deployment tools and methods are supported:
Group Policy
System Center Configuration Manager
Mobile Device Management (including Microsoft Intune)
Local script
In this section
TOPIC: DESCRIPTION
Onboard Windows 10 machines using Group Policy: Use Group Policy to deploy the configuration package on
machines.
Onboard Windows 10 machines using System Center Configuration Manager: Use System Center Configuration
Manager (current branch) version 1606, or System Center Configuration Manager (current branch) version 1602 or
earlier, to deploy the configuration package on machines.
Onboard Windows 10 machines using Mobile Device Management tools: Use Mobile Device Management tools or
Microsoft Intune to deploy the configuration package on machines.
Onboard Windows 10 machines using a local script: Learn how to use the local script to deploy the configuration
package on endpoints.
Onboard non-persistent virtual desktop infrastructure (VDI) machines: Learn how to use the configuration package
to configure VDI machines.
Onboard Windows 10 machines using Group Policy
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with
NT AUTHORITY\SYSTEM in the XML file that the Group Policy preference creates.
NOTE
If you don't set a value, the default value is to enable sample collection.
NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will
cause unpredictable collisions.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including
reference to any alerts it has had will be retained for up to 6 months.
NOTE
It can take several days for machines to start showing on the Machines list. This includes the time it takes for the
policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint
to start reporting.
Related topics
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Microsoft Defender ATP machines
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using System Center
Configuration Manager
9/20/2019 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
System Center 2012 Configuration Manager or later versions
Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (SCCM) (current branch) version 1606 has UI-integrated support for
configuring and managing Microsoft Defender ATP on machines. For more information, see Support for Microsoft
Defender Advanced Threat Protection service.
NOTE
If you're using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match
the server version. Starting with version 1606 of Configuration Manager, see Microsoft Defender Advanced Threat
Protection for ATP configuration.
Onboard Windows 10 machines using System Center Configuration Manager earlier versions
You can use existing System Center Configuration Manager functionality to create a policy to configure your machines.
This is supported in the following System Center Configuration Manager versions:
System Center 2012 Configuration Manager
System Center 2012 R2 Configuration Manager
System Center Configuration Manager (current branch), version 1511
System Center Configuration Manager (current branch), version 1602
Onboard machines using System Center Configuration Manager
1. Open the SCCM configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you
downloaded from the service onboarding wizard. You can also get the package from Microsoft Defender
Security Center:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select System Center Configuration Manager 2012/2012 R2/1511/1602.
d. Click Download package, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only ___location that can be accessed by the network
administrators who will deploy the package. You should have a file named
WindowsDefenderATPOnboardingScript.cmd.
3. Deploy the package by following the steps in the Packages and Programs in Configuration Manager topic.
a. Choose a predefined device collection to deploy the package to.
NOTE
Microsoft Defender ATP doesn't support onboarding during the Out-Of-Box Experience (OOBE) phase. Make sure users
complete OOBE after running Windows installation or upgrading.
TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to
the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP machine.
Where:
The value is a DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
Possible values are:
0 - doesn't allow sample sharing from this machine
1 - allows sharing of all file types from this machine
The default value in case the registry value doesn't exist is 1.
For more information about System Center Configuration Manager Compliance see Get started with compliance
settings in System Center Configuration Manager.
NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause
unpredictable collisions.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to
any alerts it has had will be retained for up to 6 months.
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Microsoft Defender ATP machine
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using Mobile Device
Management tools
10/1/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can use mobile device management (MDM ) solutions to configure machines. Microsoft Defender ATP
supports MDMs by providing OMA-URIs to create policies to manage machines.
For more information on using the Microsoft Defender ATP CSP, see WindowsAdvancedThreatProtection CSP and
WindowsAdvancedThreatProtection DDF file.
NOTE
The Health Status for onboarded machines policy uses read-only properties and can't be remediated.
Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703.
TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the
service. For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP machine.
NOTE
The Health Status for offboarded machines policy uses read-only properties and can't be remediated.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference
to any alerts it has had will be retained for up to 6 months.
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Microsoft Defender ATP machine
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Onboard Windows 10 machines using a local script
9/20/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can also manually onboard individual machines to Microsoft Defender ATP. You might want to do this first
when testing the service before you commit to onboarding all machines in your network.
NOTE
The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy at scale, use other
deployment options. For more information on using other deployment options, see Onboard Windows 10 machines.
Onboard machines
1. Open the GP configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you
downloaded from the service onboarding wizard. You can also get the package from Microsoft Defender
Security Center:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select Local Script.
d. Click Download package and save the .zip file.
2. Extract the contents of the configuration package to a ___location on the machine you want to onboard (for
example, the Desktop). You should have a file named WindowsDefenderATPOnboardingScript.cmd.
3. Open an elevated command-line prompt on the machine and run the script:
a. Go to Start and type cmd.
b. Right-click Command prompt and select Run as administrator.
4. Type the ___location of the script file. If you copied the file to the desktop, type:
%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd
5. Press the Enter key or click OK.
For information on how you can manually validate that the machine is compliant and correctly reports sensor
data see, Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues.
TIP
After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to
the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP machine.
Where:
The value is a DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
Possible values are:
0 - doesn't allow sample sharing from this machine
1 - allows sharing of all file types from this machine
The default value in case the registry value doesn't exist is 1.
NOTE
Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will
cause unpredictable collisions.
IMPORTANT
Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference
to any alerts it has had will be retained for up to 6 months.
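The local-script procedure above (and the same sample-sharing DWORD in the System Center Configuration Manager topic) is easy to wrap so that a technician runs one command and gets a pass/fail. The following PowerShell is an added example, not code from this page or from Microsoft's onboarding package: it runs the extracted onboarding script, writes the sample-sharing value, and then checks the sensor locally. Assumptions, all labelled in the code: the value name AllowSampleCollection and the Status\OnboardingState value are taken from Microsoft's onboarding and troubleshooting guidance rather than from this page; Sense is the sensor's Windows service name; the local-script package prompts for Y before onboarding, so that answer is piped in.

```powershell
#Requires -RunAsAdministrator
# Added example: onboard one machine with the local script, set sample sharing, verify.
param(
    [string]$ScriptPath = "$env:USERPROFILE\Desktop\WindowsDefenderATPOnboardingScript.cmd",
    [ValidateSet(0, 1)][int]$AllowSampleCollection = 0   # 0 = no sample sharing, 1 = share all file types
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'  # key named in the troubleshooting table
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'    # assumption: from Microsoft's troubleshooting docs

if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Onboarding script not found: $ScriptPath" }

# 1. Run the onboarding script. The local-script package asks you to press Y to
#    confirm (assumption from the local package; the GP/SCCM variants don't ask),
#    so the answer is piped in. Start-Process passes the argument string verbatim,
#    which keeps the quoting intact when the path contains spaces.
$proc = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo Y| `"$ScriptPath`"" -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "Onboarding script exited with code $($proc.ExitCode)" }

# 2. Sample-sharing policy: the DWORD described above. The service default when the
#    value is absent is 1 (share), so write 0 explicitly if files must not be
#    uploaded for analysis. Value name AllowSampleCollection: assumption, see lead-in.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'AllowSampleCollection' -Value $AllowSampleCollection -Type DWord

# 3. Local verification: the sensor service must be running and OnboardingState
#    must be 1. The machine can still take a while to appear in the portal.
$sense = Get-Service -Name 'Sense' -ErrorAction Stop
$state = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue).OnboardingState

[pscustomobject]@{
    SenseStatus           = $sense.Status
    OnboardingState       = $state
    AllowSampleCollection = (Get-ItemProperty -Path $policyKey -Name 'AllowSampleCollection').AllowSampleCollection
}
if ($sense.Status -ne 'Running' -or $state -ne 1) {
    Write-Warning 'Sensor is not reporting yet; see Troubleshoot Microsoft Defender ATP onboarding issues.'
}
```

Run it from an elevated PowerShell after extracting the package to the desktop, or pass -ScriptPath. Keep the onboarding and offboarding packages apart when using this: the note above about colliding policies applies just as much to two scripts run by hand.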
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Run a detection test on a newly onboarded Microsoft Defender ATP machine
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Onboard non-persistent virtual desktop
infrastructure (VDI) machines
1/7/2020 • 2 minutes to read
Applies to:
Virtual desktop infrastructure (VDI) machines
WARNING
For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender
ATP sensor onboarding.
1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you
downloaded from the service onboarding wizard. You can also get the package from Microsoft Defender
Security Center:
a. In the navigation pane, select Settings > Onboarding.
b. Select Windows 10 as the operating system.
c. In the Deployment method field, select VDI onboarding scripts for non-persistent endpoints.
d. Click Download package and save the .zip file.
2. Copy the extracted files from the .zip into the golden/master image under the path
C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup. You should have a folder called
WindowsDefenderATPOnboardingPackage containing the file WindowsDefenderATPOnboardingScript.cmd.
NOTE
If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder, it might be hidden.
You'll need to choose the Show hidden files and folders option from file explorer.
3. The following step is only applicable if you're implementing a single entry for each machine:
a. From WindowsDefenderATPOnboardingPackage, copy the Onboard-NonPersistentMachine.ps1 file into the
golden/master image under the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.
NOTE
If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder, it might be hidden.
You'll need to choose the Show hidden files and folders option from file explorer.
4. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows
Settings > Scripts > Startup.
NOTE
Domain Group Policy may also be used for onboarding non-persistent VDI machines.
5. Depending on the method you'd like to implement, follow the appropriate steps:
For single entry for each machine:
Select the PowerShell Scripts tab, then click Add (Windows Explorer will open directly in the path where
you copied the onboarding script earlier). Navigate to onboarding PowerShell script
Onboard-NonPersistentMachine.ps1 .
Related topics
Onboard Windows 10 machines using Group Policy
Onboard Windows 10 machines using System Center Configuration Manager
Onboard Windows 10 machines using Mobile Device Management tools
Onboard Windows 10 machines using a local script
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Onboard servers to the Microsoft Defender ATP
service
12/3/2019 • 8 minutes to read
Applies to:
Windows Server 2008 R2 SP1
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP extends support to also include the Windows Server operating system, providing
advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security
Center console.
The service supports the onboarding of the following servers:
Windows Server 2008 R2 SP1
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019
For practical guidance on what needs to be in place for licensing and infrastructure, see Protecting Windows
Servers with Microsoft Defender ATP.
NOTE
An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows
Server platform; see Supported features available in Azure Security Center.
NOTE
This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding
Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
TIP
After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service.
For more information, see Run a detection test on a newly onboarded Microsoft Defender ATP endpoint.
IMPORTANT
This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding
Windows Server 2012 R2.
Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware
detections and to stop propagation of an attack in your organization by banning potentially malicious files or
suspected malware.
The following steps are required to enable this integration:
Install the January 2017 anti-malware platform update for Endpoint Protection clients
Configure the SCEP client Cloud Protection Service membership to the Advanced setting
Turn on Server monitoring from the Microsoft Defender Security Center portal
1. In the navigation pane, select Settings > Machine management > Onboarding.
2. Select Windows Server 2012 R2 and 2016 as the operating system.
3. Click Turn on server monitoring and confirm that you'd like to proceed with the environment set up.
When the set up completes, the Workspace ID and Workspace key fields are populated with unique
values. You'll need to use these values to configure the MMA agent.
Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
1. Download the agent setup file: Windows 64-bit agent.
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose either of the
following installation methods to install the agent on the server:
Manually install the agent using setup. On the Agent Setup Options page, choose Connect the agent to Azure
Log Analytics (OMS).
Install the agent using the command line and configure the agent using a script.
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see
Configure proxy settings.
Once completed, you should see onboarded servers in the portal within an hour.
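The "command line and script" option in step 2 above, and the identical MMA step for Windows 7 SP1 and 8.1 clients earlier on this page, is what you automate when there are more than a handful of servers. The following PowerShell is an added example, not code from this page or from Microsoft's agent package: it installs the 64-bit agent unattended with the workspace ID and key, optionally through a proxy (which is also how you point the agent at a Log Analytics gateway for machines without direct Internet access), and then checks that the agent registered the workspace. Assumptions: MMASetup-AMD64.exe is the installer downloaded in step 1; the /c /t extraction switches, the OPINSIGHTS_* setup properties and the AgentConfigManager.MgmtSvcCfg COM object are the Log Analytics agent's documented command-line and configuration interfaces and are not described on this page; HealthService is the agent's Windows service name.

```powershell
#Requires -RunAsAdministrator
# Added example: unattended Microsoft Monitoring Agent install wired to the Defender ATP workspace.
param(
    [Parameter(Mandatory)][string]$WorkspaceId,
    [Parameter(Mandatory)][string]$WorkspaceKey,   # secret: pass it in at run time, never hard-code it
    [string]$Installer = "$PSScriptRoot\MMASetup-AMD64.exe",
    [string]$ProxyUrl  = ''   # e.g. 'http://proxy.corp.example:8080' or 'http://<gateway-ip>:8080'; empty = direct
)

if (-not (Test-Path -LiteralPath $Installer)) { throw "Installer not found: $Installer" }

# 1. Unpack the self-extracting installer (/c = extract only, /t = target folder).
$extractDir = Join-Path $env:TEMP 'MMA'
Start-Process -FilePath $Installer -ArgumentList "/c /t:`"$extractDir`"" -Wait -NoNewWindow

# 2. Silent install. NOAPM=1 skips the APM component; cloud type 0 = Azure commercial;
#    the EULA flag is required for a /qn install.
$setupArgs = @(
    '/qn', 'NOAPM=1', 'ADD_OPT_INS_WORKSPACE=1',
    'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',
    "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId",
    "OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey",
    'AcceptEndUserLicenseAgreement=1'
)
if ($ProxyUrl) { $setupArgs += "OPINSIGHTS_PROXY_URL=$ProxyUrl" }   # agent reaches *.opinsights.azure.com via this host
$setup = Start-Process -FilePath (Join-Path $extractDir 'setup.exe') -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow
if ($setup.ExitCode -notin @(0, 3010)) { throw "MMA setup failed, exit code $($setup.ExitCode) (3010 = reboot required)" }

# 3. Confirm the agent picked up the workspace and can reach it.
$cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$ws  = @($cfg.GetCloudWorkspaces()) | Where-Object { $_.workspaceId -eq $WorkspaceId }
if (-not $ws) { throw "Agent installed, but workspace $WorkspaceId is not configured" }
[pscustomobject]@{
    WorkspaceId      = $ws.workspaceId
    ConnectionStatus = $ws.ConnectionStatus       # 0 = connected; anything else: check the proxy and the URL allow list
    StatusText       = $ws.ConnectionStatusText
    AgentService     = (Get-Service -Name 'HealthService').Status
}
```

Feed the workspace ID and key from a vault or a secured deployment variable rather than a script file: the key is sufficient to register arbitrary hosts into your workspace.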
Configure server proxy and Internet connectivity settings
Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct,
using a proxy, or through the OMS Gateway.
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS
scanning (SSL inspection) is enabled, make sure that you enable access to Microsoft Defender ATP service
URLs.
NOTE
The onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script.
For more information on how to deploy scripts in System Center Configuration Manager, see Packages and programs in
Configuration Manager.
If you're verifying that Windows Defender AV is in passive mode (for example, because a third-party antivirus is installed on
the server), confirm that a recent passive-mode event is logged. If querying the Windows Defender AV service returns 'The
specified service does not exist as an installed service', Windows Defender AV isn't installed and you'll need to install it. For
more information, see Windows Defender Antivirus in Windows 10.
NOTE
Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security
Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and
servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to
perform detailed investigation to uncover the scope of a potential breach
IMPORTANT
When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The
Microsoft Defender ATP data is stored in Europe by default.
If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the ___location you
specified when you created your tenant even if you integrate with Azure Security Center at a later time.
Offboard servers
You can offboard Windows Server, version 1803 and Windows Server 2019 using the same methods available for
Windows 10 client machines.
For other server versions, you have two options to offboard servers from the service:
Uninstall the MMA agent
Remove the Microsoft Defender ATP workspace configuration
NOTE
Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any
alerts it has had will be retained for up to 6 months.
Related topics
Onboard Windows 10 machines
Onboard non-Windows machines
Configure proxy and Internet connectivity settings
Run a detection test on a newly onboarded Microsoft Defender ATP machine
Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues
Onboard non-Windows machines
9/26/2019 • 2 minutes to read
Applies to:
macOS
Linux
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-
Windows platforms. You'll be able to see alerts from various supported operating systems (OS ) in Microsoft
Defender Security Center and better protect your organization's network.
You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP
for the integration to work.
Related topics
Onboard Windows 10 machines
Onboard servers
Configure proxy and Internet connectivity settings
Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues
Onboard machines without Internet access to
Microsoft Defender ATP
8/9/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
To onboard machines without Internet access, you'll need to take the following general steps:
On-premises machines
Set up the Log Analytics gateway (formerly known as the OMS Gateway) to act as a proxy or hub:
Azure Log Analytics agent
Install and configure Microsoft Monitoring Agent (MMA), pointing it to the Microsoft Defender ATP workspace
key and ID
Offline machines on the same network as the Log Analytics gateway
Configure MMA to point to:
the Log Analytics gateway's IP address as the proxy
the Microsoft Defender ATP workspace key and ID
Applies to:
Supported Windows 10 versions
Windows Server 2012 R2
Windows Server 2016
Windows Server, version 1803
Windows Server 2019
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the
Microsoft Defender ATP service.
1. Create a folder: 'C:\test-WDATP-test'.
2. Open an elevated command-line prompt on the machine and run the script:
a. Go to Start and type cmd.
b. Right-click Command Prompt and select Run as administrator.
The Command Prompt window will close automatically. If successful, the detection test will be marked as
completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.
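The PowerShell one-liner this procedure refers to is missing from this copy of the page. The following is an added example, not text from this page: it reproduces the detection test as Microsoft publishes it in the "Run a detection test" topic (a benign attempt to download an executable from 127.0.0.1 and launch it, which the sensor flags) and wraps it so you can confirm locally what it left behind. Verify the one-liner against the current Microsoft topic before relying on it; the Sense service name is an assumption taken from the troubleshooting guidance.

```powershell
#Requires -RunAsAdministrator
# Added example: run the documented detection test and report what it left behind.
$testDir = 'C:\test-WDATP-test'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null

# The test as documented: a WebClient download of "invoice.exe" from 127.0.0.1,
# then Start-Process on it. Nothing listens on 127.0.0.1, so the download fails and
# no file is written; the command-line pattern is what the sensor reports. It runs
# in a child powershell.exe so the observed command line matches the documented
# test instead of being hidden inside this script.
$cmd = "`$ErrorActionPreference='SilentlyContinue';" +
       "(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe','$testDir\invoice.exe');" +
       "Start-Process '$testDir\invoice.exe'"
$proc = Start-Process -FilePath 'powershell.exe' `
    -ArgumentList "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command `"$cmd`"" -Wait -PassThru

# Local check: the child exited, no artifact was written, and the sensor service is
# up. The test alert itself appears in the portal, not here.
[pscustomobject]@{
    ChildExitCode   = $proc.ExitCode
    ArtifactWritten = Test-Path "$testDir\invoice.exe"
    SenseService    = (Get-Service -Name 'Sense' -ErrorAction SilentlyContinue).Status   # 'Sense': assumption, see lead-in
}
```

ArtifactWritten should be False and SenseService Running; if the alert still doesn't appear in about 10 minutes, the machine is usually not onboarded or cannot reach the service URLs, which the connectivity section later on this page covers.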
Related topics
Onboard Windows 10 machines
Onboard servers
Experience Microsoft Defender ATP through
simulated attacks
12/6/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
TIP
Learn about the latest enhancements in Microsoft Defender ATP: What's new in Microsoft Defender ATP.
Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation.
Read: Insights from the MITRE ATT&CK-based evaluation.
You might want to experience Microsoft Defender ATP before you onboard more than a few machines to the
service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated
attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an
efficient response.
Run a simulation
1. In Help > Simulations & tutorials, select which of the available attack scenarios you would like to
simulate:
Scenario 1: Document drops backdoor - simulates delivery of a socially engineered lure
document. The document launches a specially crafted backdoor that gives attackers control.
Scenario 2: PowerShell script in fileless attack - simulates a fileless attack that relies on
PowerShell, showcasing attack surface reduction and machine learning detection of malicious
memory activity.
Scenario 3: Automated incident response - triggers automated investigation, which automatically
hunts for and remediates breach artifacts to scale your incident response capacity.
2. Download and read the corresponding walkthrough document provided with your selected scenario.
3. Download the simulation file or copy the simulation script by navigating to Help > Simulations &
tutorials. You can choose to download the file or script on the test machine but it's not mandatory.
4. Run the simulation file or script on the test machine as instructed in the walkthrough document.
NOTE
Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Related topics
Onboard machines
Onboard Windows 10 machines
Configure machine proxy and Internet connectivity
settings
11/7/2019 • 5 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account and uses
Microsoft Windows HTTP Services (WinHTTP) to report sensor data and communicate with the Microsoft Defender
ATP cloud service. Any proxy it needs must therefore be visible to WinHTTP in the system context, not just to a
logged-on user's browser.
TIP
For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate
behind a proxy. For more information, see Investigate connection events that occur behind forward proxies.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy
settings and can only discover a proxy server by using the following discovery methods:
Auto-discovery methods:
Transparent proxy
Web Proxy Auto-discovery Protocol (WPAD )
NOTE
If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For
more information on Microsoft Defender ATP URL exclusions in the proxy, see Enable access to Microsoft Defender ATP
service URLs in the proxy server.
Manual static proxy configuration: set the proxy with the Group Policy setting Administrative Templates > Windows
Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry, and enter the
proxy under Configure the proxy. The policy sets two registry values, TelemetryProxyServer as REG_SZ and
DisableEnterpriseAuthProxy as REG_DWORD, under the registry key
HKLM\Software\Policies\Microsoft\Windows\DataCollection.
NOTE
Setting a WinHTTP proxy with netsh affects all applications, including Windows services, that use WinHTTP with the default
proxy, and laptops that change topology (for example, from office to home) will malfunction with a netsh proxy. Use the
registry-based static proxy configuration instead.
NOTE
URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example,
us-v20.events.data.microsoft.com is only needed if the machine is on Windows 10, version 1803 or later.
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system
context, make sure anonymous traffic is permitted in the previously listed URLs.
NOTE
As a cloud-based solution, the IP ranges can change. It's recommended that you allow the service by DNS name rather
than by IP address.
4. Run the analyzer from an elevated command prompt:
HardDrivePath\MDATPClientAnalyzer.cmd
Replace HardDrivePath with the path where the MDATPClientAnalyzer tool was downloaded to, for
example:
C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd
5. Extract the MDATPClientAnalyzerResult.zip file created by the tool in the folder used in HardDrivePath.
6. Open MDATPClientAnalyzerResult.txt and verify that you have performed the proxy configuration steps to
enable server discovery and access to the service URLs.
The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP
client is configured to interact with. It then prints the results into the MDATPClientAnalyzerResult.txt file
for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For
example:
If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can
communicate with the tested URL properly using this connectivity method.
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes).
You can then use the URLs in the table shown in Enable access to Microsoft Defender ATP service URLs in the
proxy server. The URLs you'll use will depend on the region selected during the onboarding procedure.
NOTE
The Connectivity Analyzer tool is not compatible with the ASR rule Block process creations originating from PSExec and WMI
commands. You will need to temporarily disable this rule to run the connectivity tool.
NOTE
When TelemetryProxyServer is set, in the registry or via Group Policy, Microsoft Defender ATP will fall back to a direct
connection if it can't access the defined proxy.
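Writing the two registry values by hand, and then testing the path the sensor will actually take, is quicker than waiting for the analyzer on a single machine. The following PowerShell is an added example, not code from this page or from Microsoft's tooling: it writes (or removes) the registry-based static proxy described above and then probes the winatp-gw-* gateway hosts listed in the down-level topic earlier on this page, through the same proxy and without credentials, the way the sensor connects. Assumptions: the proxy host:port is yours; the gateway hosts are used only as connectivity targets and you should substitute the URLs for your onboarding region; the /test path is taken from the analyzer's output format and is not described on this page.

```powershell
#Requires -RunAsAdministrator
# Added example: registry-based static proxy for the sensor, plus an anonymous reachability probe.
param(
    [string]$Proxy,     # host:port with no scheme, e.g. 'proxy.corp.example:8080' (assumption: your proxy)
    [switch]$Remove     # delete the two values again
)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

if ($Remove) {
    Remove-ItemProperty -Path $key -Name 'TelemetryProxyServer', 'DisableEnterpriseAuthProxy' -ErrorAction SilentlyContinue
    return
}
if (-not $Proxy) { throw 'Specify -Proxy host:port, or -Remove to clear the static proxy' }

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
# REG_SZ host:port, read by the sensor running as LocalSystem; independent of any user's WinINet proxy.
Set-ItemProperty -Path $key -Name 'TelemetryProxyServer' -Value $Proxy -Type String
# REG_DWORD 1: don't route through the user's authenticated proxy; the sensor sends anonymous traffic.
Set-ItemProperty -Path $key -Name 'DisableEnterpriseAuthProxy' -Value 1 -Type DWord
Get-ItemProperty -Path $key | Select-Object TelemetryProxyServer, DisableEnterpriseAuthProxy

# Probe the gateways through the same proxy with no credentials. Any HTTP status back
# means the path is open; 407 means the proxy demands authentication the sensor can't
# supply; a transport error means the proxy or firewall is dropping the traffic.
$gateways = 'cus', 'eus', 'neu', 'weu', 'uks', 'ukw' | ForEach-Object { "https://winatp-gw-$($_).microsoft.com/test" }
foreach ($url in $gateways) {
    try {
        $r = Invoke-WebRequest -Uri $url -Proxy "http://$Proxy" -UseBasicParsing -TimeoutSec 15
        $result = [int]$r.StatusCode
    } catch {
        $result = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode }
                  else { "FAIL: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Url = $url; Result = $result }
}
```

A 407 on every gateway is the case the paragraph above warns about: the proxy is blocking anonymous traffic, and the sensor, which has no user credentials, will be blocked the same way.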
Related topics
Onboard Windows 10 machines
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Create a notification rule when a local onboarding or
offboarding script is used
11/7/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Create a notification rule so that you'll be notified when a local onboarding or offboarding script is used.
{
"type": "object",
"properties": {
"@@odata.context": {
"type": "string"
},
"value": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"computerDnsName": {
"type": "string"
},
"firstSeen": {
"type": "string"
},
"lastSeen": {
"type": "string"
},
"osPlatform": {
"type": "string"
},
"osVersion": {},
"lastIpAddress": {
"type": "string"
},
"lastExternalIpAddress": {
"type": "string"
},
"agentVersion": {
"type": "string"
},
"osBuild": {
"type": "integer"
},
"healthStatus": {
"type": "string"
},
"riskScore": {
"type": "string"
},
"exposureScore": {
"type": "string"
},
"aadDeviceId": {},
"machineTags": {
"type": "array"
}
},
"required": [
"id",
"computerDnsName",
"firstSeen",
"lastSeen",
"osPlatform",
"osVersion",
"lastIpAddress",
"lastExternalIpAddress",
"agentVersion",
"osBuild",
"healthStatus",
"rbacGroupId",
"rbacGroupName",
"riskScore",
"exposureScore",
"aadDeviceId",
"machineTags"
]
}
}
}
}
10. Extract the values from the JSON response and check whether the onboarded machine(s) are already registered in
the SharePoint list (used here as the example store of known machines):
If yes, no notification is triggered.
If no, the newly onboarded machine(s) are registered in the SharePoint list and a notification is sent to the
Microsoft Defender ATP admin.
11. Under Condition, add the following expression: "length(body('Get_items')?['value'])" and set the condition
to equal 0.
Alert notification
The following image is an example of an email notification.
Tips
You can filter here using lastSeen only:
Every 60 min:
Take all machines last seen in the past 7 days.
For each machine:
If the lastSeen property is in the one-hour interval [-7 days, -7 days + 60 minutes] -> Alert for a possible
offboarding.
If firstSeen is in the past hour -> Alert for onboarding.
This approach avoids duplicate alerts. Some tenants have numerous machines; getting all of them on every run might
be very expensive and might require paging.
You can split it into two queries:
1. For offboarding, take only this interval using the OData $filter and only notify if the conditions are met.
2. Take all machines last seen in the past hour and check the firstSeen property for them (if firstSeen is in the
past hour, lastSeen must be there too).
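The two checks described in the tips above (a machine whose lastSeen falls in the one-hour window seven days back, and a machine whose firstSeen is in the past hour), written out as a small Python routine. This is an added example, not part of the Microsoft documentation or the Flow; it also validates each record against the required fields of the "Parse JSON" schema shown earlier and builds the matching OData $filter strings so the API can do the filtering server-side. The machine records, the fixed NOW timestamp and the placeholder values in sample_machine() are constructed sample data.

```python
"""Added example (not from the Microsoft docs): classify a /api/machines
response into onboarding / offboarding alerts using the lastSeen and
firstSeen windows from the Tips section. Sample data is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Fields the Flow's "Parse JSON" schema marks as required.
REQUIRED_FIELDS = (
    "id", "computerDnsName", "firstSeen", "lastSeen", "osPlatform", "osVersion",
    "lastIpAddress", "lastExternalIpAddress", "agentVersion", "osBuild",
    "healthStatus", "rbacGroupId", "rbacGroupName", "riskScore",
    "exposureScore", "aadDeviceId", "machineTags",
)

OFFBOARD_LOOKBACK = timedelta(days=7)  # a machine silent for 7 days may have been offboarded
WINDOW = timedelta(minutes=60)         # the flow runs every 60 minutes


def parse_api_time(value):
    """Parse the API's ISO 8601 timestamps (up to 7 fractional digits, 'Z' suffix)."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)


def to_api_time(dt):
    """Format a datetime for use inside an OData $filter expression."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def offboarding_filter(now):
    """$filter for machines last seen in [now - 7d, now - 7d + 60 min)."""
    start = now - OFFBOARD_LOOKBACK
    return "lastSeen ge {} and lastSeen lt {}".format(to_api_time(start), to_api_time(start + WINDOW))


def onboarding_filter(now):
    """$filter for machines first seen in the past hour."""
    return "firstSeen ge {}".format(to_api_time(now - WINDOW))


def classify(machines, now):
    """Group machine ids into onboarding, offboarding and invalid (schema violation)."""
    result = {"onboarding": [], "offboarding": [], "invalid": []}
    off_start = now - OFFBOARD_LOOKBACK
    for m in machines:
        if any(field not in m for field in REQUIRED_FIELDS):
            result["invalid"].append(m.get("id", "<no id>"))
            continue
        first_seen = parse_api_time(m["firstSeen"])
        last_seen = parse_api_time(m["lastSeen"])
        if off_start <= last_seen < off_start + WINDOW:
            result["offboarding"].append(m["id"])
        if now - WINDOW <= first_seen <= now:
            result["onboarding"].append(m["id"])
    return result


def sample_machine(machine_id, first_seen, last_seen):
    """Constructed record with every required field populated (placeholder values)."""
    return {
        "id": machine_id, "computerDnsName": machine_id + ".example.local",
        "firstSeen": first_seen, "lastSeen": last_seen,
        "osPlatform": "Windows10", "osVersion": None, "lastIpAddress": "10.0.0.5",
        "lastExternalIpAddress": "203.0.113.7", "agentVersion": "10.5850.0",
        "osBuild": 18362, "healthStatus": "Active", "rbacGroupId": 0,
        "rbacGroupName": "Unassigned", "riskScore": "Low", "exposureScore": "Medium",
        "aadDeviceId": None, "machineTags": [],
    }


# Constructed sample: the flow's current run time and three machines.
NOW = datetime(2019, 11, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_MACHINES = [
    sample_machine("new-01", "2019-11-08T11:30:12.1234567Z", "2019-11-08T11:58:00Z"),  # onboarded this hour
    sample_machine("gone-02", "2019-10-01T08:00:00Z", "2019-11-01T12:20:00Z"),         # silent for exactly 7 days
    sample_machine("ok-03", "2019-10-01T08:00:00Z", "2019-11-08T11:59:00Z"),           # healthy, no alert
]

if __name__ == "__main__":
    print(offboarding_filter(NOW))
    print(onboarding_filter(NOW))
    print(classify(SAMPLE_MACHINES, NOW))
```

The $filter strings are what you would put into the Flow's HTTP action for the two split queries, so only the machines inside each window are returned and no paging over the whole tenant is needed.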
Troubleshoot Microsoft Defender Advanced Threat Protection
onboarding issues
10/14/2019 • 13 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Windows Server 2012 R2
Windows Server 2016
You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues. This page provides detailed steps
to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur
on the machines.
NOTE
The following event IDs are specific to the onboarding script only.
EVENT ID | ERROR TYPE | RESOLUTION STEPS
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection.
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat. Verify that the script was run as an administrator.
15 | Failed to start SENSE service | Check the service health (sc query sense command). Make sure it's not in an intermediate state ('Pending_Stopped', 'Pending_Running') and try to run the script again (with administrator rights).
15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see Ensure that Windows Defender Antivirus is not disabled by a policy for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see Review events and errors using Event viewer.
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry ___location HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see Review events and errors using Event viewer.
40 | SENSE service onboarding status is not set to 1 | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see Review events and errors using Event viewer.
Troubleshooting steps: Check the event IDs in the View agent onboarding errors in the machine event log section.
Troubleshooting steps: Ensure that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr
Advanced Threat Protection
Troubleshooting steps: Check the troubleshooting steps in Troubleshoot onboarding issues on the machine.
Currently supported platforms: Enterprise, Education, and Professional. Server is not supported.
Currently supported platforms: Enterprise, Education, and Professional.
Known issues with non-compliance
The following table provides information on issues with non-compliance and how you can address the issues.
1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | Possible cause: Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.
2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | Possible cause: Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.
NOTE
SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at variable | Ensure the machine has Internet access.
6 | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: variable | Run the onboarding script again.
7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: variable | Ensure the machine has Internet access, then run the entire onboarding process again.
9 | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see Run the onboarding script again.
10 | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see Run the onboarding script again.
15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: variable | Ensure the machine has Internet access.
17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service ___location. Failure code: variable | Run the onboarding script again. If the problem persists, contact support.
29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again.
32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine.
63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing.
68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type.
69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
There are additional components on the machine that the Microsoft Defender ATP agent depends on to function properly. If there are no
onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional
components are configured correctly.
Ensure the diagnostic data service is enabled
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start
and is running on the machine. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is
currently running (and start it if it isn't).
Ensure the service is set to start
Use the command line to check the Windows 10 diagnostic data service startup type:
1. Open an elevated command-line prompt on the machine:
a. Click Start, type cmd, and press Enter.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
sc qc diagtrack
If the service is enabled, then the result should look like the following screenshot:
If the START_TYPE is not set to AUTO_START , then you'll need to set the service to automatically start.
Use the command line to set the Windows 10 diagnostic data service to automatically start:
1. Open an elevated command-line prompt on the machine:
a. Click Start, type cmd, and press Enter.
b. Right-click Command prompt and select Run as administrator.
2. Enter the following command, and press Enter:
3. A success message is displayed. Verify the change by entering the following command, and press Enter:
sc qc diagtrack
sc start diagtrack
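The checks in the procedure above (START_TYPE of diagtrack is AUTO_START) and in the event 15 row of the onboarding script table (the SENSE service must not be in an intermediate state) can be scripted by parsing the output of sc.exe. The Python below is an added example, not Microsoft's code; the two command outputs are constructed samples in the format sc.exe prints, and run_sc() is the only part that touches the real system (Windows only). Note that sc.exe reports intermediate states as START_PENDING and STOP_PENDING.

```python
"""Added example (not from the Microsoft docs): parse 'sc qc' / 'sc query'
output to verify service start type and state. Sample output is constructed."""
import re
import subprocess

# Constructed sample of 'sc qc diagtrack' on a correctly configured machine.
SAMPLE_QC = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: diagtrack
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\System32\\svchost.exe -k utcsvc -p
        DISPLAY_NAME       : Connected User Experiences and Telemetry
"""

# Constructed sample of 'sc query sense' while the service is still starting.
SAMPLE_QUERY_PENDING = """SERVICE_NAME: sense
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""

# One "NAME : value" line of sc.exe output; continuation lines such as
# "(STOPPABLE, ...)" and the "[SC] ..." banner do not match and are skipped.
FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_sc_output(text):
    """Map the NAME : VALUE lines of sc.exe output to a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def start_type_ok(qc_text):
    """True when START_TYPE is AUTO_START, the value the docs require for diagtrack."""
    return "AUTO_START" in parse_sc_output(qc_text).get("START_TYPE", "")


def service_state(query_text):
    """Textual STATE (RUNNING, STOPPED, START_PENDING, ...) or None if absent."""
    state = parse_sc_output(query_text).get("STATE")
    return state.split()[-1] if state else None


def is_intermediate(query_text):
    """Pending states mean 'wait and retry the script', not 'onboarding failed'."""
    state = service_state(query_text)
    return state is not None and state.endswith("_PENDING")


def run_sc(*args):
    """Run sc.exe with the given arguments (Windows only) and return its stdout."""
    return subprocess.run(["sc", *args], capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    print("diagtrack START_TYPE ok:", start_type_ok(run_sc("qc", "diagtrack")))
    sense = run_sc("query", "sense")
    print("sense state:", service_state(sense), "(intermediate)" if is_intermediate(sense) else "")
```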
Check Event Viewer > Applications and Services Logs > Operation Manager to see if there are any errors.
In Services, check that the Microsoft Monitoring Agent is running on the server.
In Microsoft Monitoring Agent > Azure Log Analytics (OMS), check the Workspaces and verify that the status is running.
Check to see that machines are reflected in the Machines list in the portal.
Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5
For more information, see Windows 10 Licensing.
Related topics
Troubleshoot Microsoft Defender ATP
Onboard machines
Configure machine proxy and Internet connectivity settings
Troubleshoot subscription and portal access issues
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft
Defender ATP service.
If you receive an error message, Microsoft Defender Security Center will provide a detailed explanation on what
the issue is and relevant links will be supplied.
No subscriptions found
If, while accessing Microsoft Defender Security Center, you get a No subscriptions found message, it means the
Azure Active Directory (AAD) instance used to log the user in to the portal does not have a Microsoft Defender ATP license.
Potential reasons:
The Windows E5 and Office E5 licenses are separate licenses.
The license was purchased but not provisioned to this AAD instance.
It could be a license provisioning issue.
It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for
authentication into the service.
For both cases you should contact Microsoft support at General Microsoft Defender ATP Support or Volume
license support.
Related topics
Validate licensing provisioning and complete setup for Microsoft Defender ATP
Microsoft Defender ATP API license and terms of use
11/7/2019 • 2 minutes to read
APIs
Microsoft Defender ATP APIs are governed by Microsoft API License and Terms of use.
Throttling limits
NAME CALLS RENEWAL PERIOD
Legal Notices
Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this
repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file.
Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the
documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other
countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks.
Microsoft's general trademark guidelines can be found at https://go.microsoft.com/fwlink/?LinkID=254653.
Privacy information can be found at https://privacy.microsoft.com/en-us/. Microsoft and any contributors reserve
all other rights, whether under their respective copyrights, patents, or trademarks, whether by implication,
estoppel or otherwise.
Microsoft Defender ATP API overview
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those
APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
The API access requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code
Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Microsoft Defender ATP API
You can access Microsoft Defender ATP API with Application Context or User Context.
Application Context (Recommended):
Used by apps that run without a signed-in user present, for example, apps that run as background
services or daemons.
Steps that need to be taken to access Microsoft Defender ATP API with application context:
1. Create an AAD Web-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate
Machines'.
3. Create a key for this Application.
4. Get token using the application with its key.
5. Use the token to access Microsoft Defender ATP API
For more information, see Get access with application context.
User Context:
Used to perform actions in the API on behalf of a user.
Steps that need to be taken to access Microsoft Defender ATP API with user context:
1. Create an AAD Native-Application.
2. Assign the desired permission to the application, for example, 'Read Alerts' or 'Isolate Machines'.
3. Get token using the application with user credentials.
4. Use the token to access Microsoft Defender ATP API
For more information, see Get access with user context.
Related topics
Microsoft Defender ATP APIs
Access Microsoft Defender ATP with application context
Access Microsoft Defender ATP with user context
Microsoft Defender ATP API - Hello World
12/18/2019 • 4 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
3. In the registration form, choose a name for your application and then click Register.
4. Allow your Application to access Microsoft Defender ATP and assign it 'Read all alerts' permission:
On your application page, click API Permissions > Add permission > APIs my organization uses
> type WindowsDefenderATP and click on WindowsDefenderATP.
Note: WindowsDefenderATP does not appear in the original list. You need to start writing its name in
the text box to see it appear.
Choose Application permissions > Alert.Read.All > Click on Add permissions
Important note: You need to select the relevant permissions. 'Read All Alerts' is only an example!
For instance,
To run advanced queries, select the 'Run advanced queries' permission
To isolate a machine, select the 'Isolate machine' permission
To determine which permission you need, look at the Permissions section of the API you are
interested in calling.
5. Click Grant consent
Note: Every time you add permission you must click on Grant consent for the new permission to take
effect.
# This code gets the App Context Token and saves it to a file named "Latest-token.txt" under the current directory.
# Paste below your Tenant ID, App ID and App Secret (App key).
$tenantId = '' ### Paste your tenant ID here
$appId = '' ### Paste your Application ID here
$appSecret = '' ### Paste your Application secret (App key) here
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
# Client credentials grant: the application authenticates with its own secret, no user involved.
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
Sanity Check:
Run the script.
In your browser go to: https://jwt.ms/
Copy the token (the content of the Latest-token.txt file).
Paste in the top box.
Look for the "roles" section. Find the Alert.Read.All role.
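The same sanity check can be done locally rather than by pasting the token into jwt.ms. The Python below is an added example and not part of the Microsoft documentation: build_token_request() produces the same POST that Get-Token.ps1 sends, and jwt_claims() decodes the token payload without verifying the signature, which is sufficient for inspecting your own token's "roles" claim (the API, not this code, validates the signature). SAMPLE_TOKEN is a constructed, unsigned token with a dummy signature and a placeholder app id, not a real credential; request_token() is the only function that needs network access.

```python
"""Added example (not from the Microsoft docs): reproduce the jwt.ms sanity
check locally. SAMPLE_TOKEN is constructed and carries a dummy signature."""
import base64
import json

RESOURCE_APP_ID_URI = "https://api.securitycenter.windows.com"


def build_token_request(tenant_id, app_id, app_secret):
    """URL and form body of the client_credentials grant used by Get-Token.ps1."""
    url = "https://login.windows.net/{}/oauth2/token".format(tenant_id)
    body = {
        "resource": RESOURCE_APP_ID_URI,
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "client_credentials",
    }
    return url, body


def _b64url_decode(segment):
    """base64url without padding, as used in compact JWTs."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(obj):
    """Inverse of _b64url_decode, used only to build the constructed sample token."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token):
    """Return the payload claims of a compact JWT. No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def has_role(token, role):
    """True when an app-context token carries the given application role, e.g. Alert.Read.All."""
    return role in jwt_claims(token).get("roles", [])


def sanity_check(token):
    """Mirror the manual check: audience is the Defender ATP API and Alert.Read.All is present."""
    claims = jwt_claims(token)
    return {
        "audience_ok": claims.get("aud") == RESOURCE_APP_ID_URI,
        "alert_read_all": "Alert.Read.All" in claims.get("roles", []),
    }


# Constructed sample token: header + payload only, signature is a dummy string.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"typ": "JWT", "alg": "RS256"}),
    _b64url_encode({"aud": RESOURCE_APP_ID_URI,
                    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder
                    "roles": ["Alert.Read.All"]}),
    "dummy-signature",
])


def request_token(tenant_id, app_id, app_secret):
    """Perform the POST (needs network); equivalent of Invoke-RestMethod in the script."""
    import urllib.parse
    import urllib.request
    url, body = build_token_request(tenant_id, app_id, app_secret)
    data = urllib.parse.urlencode(body).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    print(sanity_check(SAMPLE_TOKEN))
```

If the roles claim is missing the permission you granted, the usual cause is the consent step: every newly added permission needs Grant consent before it appears in freshly issued tokens.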
Let's get the Alerts!
The script below will use Get-Token.ps1 to access the API and get the Alerts of the past 48 hours.
Save this script in the same folder where you saved the previous script, Get-Token.ps1.
The script creates two files (json and csv) with the data in the same folder as the scripts.
# Returns Alerts created in the past 48 hours.
$token = ./Get-Token.ps1 # run the script Get-Token.ps1 - make sure you are running this script from the same folder as Get-Token.ps1
# Get Alerts from the last 48 hours. Make sure you have alerts in that time frame.
$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")
# The URL contains the type of query and the time filter we created above
# Read more about other query options and filters at Https://TBD- add the documentation link
$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime"
# Get a string with the execution time. We append it to the output file name to avoid overwriting the file
$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}
# Send the request with the bearer token and write the alerts to JSON and CSV files
$headers = @{ 'Content-Type' = 'application/json'; Accept = 'application/json'; Authorization = "Bearer $token" }
$response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers -ErrorAction Stop
$alerts = $response.value
Out-File -FilePath "./Latest Alerts $dateTimeForFileName.json" -InputObject ($alerts | ConvertTo-Json)
$alerts | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath "./Latest Alerts $dateTimeForFileName.csv"
Related topic
Microsoft Defender ATP APIs
Access Microsoft Defender ATP with application context
Access Microsoft Defender ATP with user context
Create an app to access Microsoft Defender ATP
without a user
12/26/2019 • 5 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page describes how to create an application to get programmatic access to Microsoft Defender ATP without
a user.
If you need programmatic access to Microsoft Defender ATP on behalf of a user, see Get access with user context.
If you are not sure which access you need, see Get started.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs
will help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access
requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Microsoft Defender ATP API
This page explains how to create an AAD application, get an access token to Microsoft Defender ATP and validate
the token.
Create an app
1. Log on to Azure with user that has Global Administrator role.
2. Navigate to Azure Active Directory > App registrations > New registration.
3. In the registration form, choose a name for your application and then click Register.
4. Allow your Application to access Microsoft Defender ATP and assign it 'Read all alerts' permission:
On your application page, click API Permissions > Add permission > APIs my organization
uses > type WindowsDefenderATP and click on WindowsDefenderATP.
Note: WindowsDefenderATP does not appear in the original list. You need to start writing its name
in the text box to see it appear.
Important note: You need to select the relevant permissions. 'Read All Alerts' is only an example!
For instance,
To run advanced queries, select 'Run advanced queries' permission
To isolate a machine, select 'Isolate machine' permission
To determine which permission you need, look at the Permissions section of the API you are
interested in calling.
5. Click Grant consent
Note: Every time you add permission you must click on Grant consent for the new permission to take
effect.
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-
0000-000000000000&response_type=code&sso_reload=true
# Paste your Tenant ID, App ID and App Secret (App key) below.
$tenantId = '' ### Paste your tenant ID here
$appId = '' ### Paste your Application ID here
$appSecret = '' ### Paste your Application secret (App key) here
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
# Client credentials grant: the application authenticates with its own secret, no user involved.
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
Using C#:
The code below was tested with the NuGet package Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
using Microsoft.IdentityModel.Clients.ActiveDirectory;
Copy/Paste the code below into your application (do not forget to update the 3 variables:
tenantId, appId, appSecret)
Using Python
Refer to Get token using Python
Using Curl
NOTE
The procedure below assumes Curl for Windows is already installed on your computer.
Open a command window
Set CLIENT_ID to your Azure application ID
Set CLIENT_SECRET to your Azure application secret
Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft
Defender ATP application
Run the below command:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
Related topics
Supported Microsoft Defender ATP APIs
Access Microsoft Defender ATP on behalf of a user
Use Microsoft Defender ATP APIs
12/26/2019 • 3 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page describes how to create an application to get programmatic access to Microsoft Defender ATP on
behalf of a user.
If you need programmatic access to Microsoft Defender ATP without a user, refer to Access Microsoft Defender ATP
with application context.
If you are not sure which access you need, read the Introduction page.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs
will enable you to automate work flows and innovate based on Microsoft Defender ATP capabilities. The API
access requires OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create an AAD application
Get an access token using this application
Use the token to access Microsoft Defender ATP API
This page explains how to create an AAD application, get an access token to Microsoft Defender ATP and validate
the token.
NOTE
When accessing Microsoft Defender ATP API on behalf of a user, you will need the correct Application permission and user
permission. If you are not familiar with user permissions on Microsoft Defender ATP, see Manage portal access using role-
based access control.
TIP
If you have the permission to perform an action in the portal, you have the permission to perform the action in the API.
Create an app
1. Log on to Azure with user that has Global Administrator role.
2. Navigate to Azure Active Directory > App registrations > New registration.
3. In the registration form, enter the following information then click Register.
return jObject["access_token"].Value<string>();
}
}
}
}
}
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page describes how to create an AAD application to get programmatic access to Microsoft Defender ATP on
behalf of your customers.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will
help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires
OAuth2.0 authentication. For more information, see OAuth 2.0 Authorization Code Flow.
In general, you’ll need to take the following steps to use the APIs:
Create a multi-tenant AAD application.
Get authorization (consent) from your customer administrator for your application to access the Microsoft Defender ATP
resources it needs.
Get an access token using this application.
Use the token to access Microsoft Defender ATP API.
The following steps will guide you through creating an AAD application, getting an access token to Microsoft Defender
ATP and validating the token.
To become an official partner of Microsoft Defender ATP and appear in our partner page, you will
provide us with your application identifier.
4. Allow your Application to access Microsoft Defender ATP and assign it with the minimal set of permissions
required to complete the integration.
On your application page, click API Permissions > Add permission > APIs my organization uses
> type WindowsDefenderATP and click on WindowsDefenderATP.
Note: WindowsDefenderATP does not appear in the original list. You need to start writing its name in
the text box to see it appear.
Request API permissions
To determine which permission you need, look at the Permissions section of the API you are
interested in calling. For instance:
To run advanced queries, select 'Run advanced queries' permission
To isolate a machine, select 'Isolate machine' permission
In the following example we will use 'Read all alerts' permission:
Choose Application permissions > Alert.Read.All > Click on Add permissions
5. Click Grant consent
Note: Every time you add permission you must click on Grant consent for the new permission to take
effect.
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-
0000-000000000000&response_type=code&sso_reload=true
# Paste your Tenant ID, App ID and App Secret (App key) below.
$tenantId = '' ### Paste the customer's tenant ID here
$appId = '' ### Paste your Application ID here
$appSecret = '' ### Paste your Application secret (App key) here
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
# Client credentials grant: the application authenticates with its own secret, no user involved.
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
Using C#:
The code below was tested with the NuGet package Microsoft.IdentityModel.Clients.ActiveDirectory
using Microsoft.IdentityModel.Clients.ActiveDirectory;
Copy/Paste the code below into your application (do not forget to update the 3 variables:
tenantId, appId, appSecret)
Using Python
Refer to Get token using Python
Using Curl
NOTE
The procedure below assumes Curl for Windows is already installed on your computer.
Open a command window
Set CLIENT_ID to your Azure application ID
Set CLIENT_SECRET to your Azure application secret
Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft
Defender ATP application
Run the below command:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
Related topics
Supported Microsoft Defender ATP APIs
Access Microsoft Defender ATP on behalf of a user
Supported Microsoft Defender ATP APIs
11/12/2019 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Versioning:
The API supports versioning.
The current version is V1.0.
To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example:
https://api.securitycenter.windows.com/api/v1.0/alerts
If you don't specify any version (e.g. https://api.securitycenter.windows.com/api/alerts ) you will get the
latest version.
Learn more about the individual supported entities where you can run API calls to and details such as HTTP
request values, request headers and expected responses.
In this section
TOPIC | DESCRIPTION
Alerts | Run API calls such as get alerts, create alert, update alert and more.
Domains | Run API calls such as get ___domain related machines, ___domain statistics and more.
Files | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
IPs | Run API calls such as get IP related alerts and get IP statistics.
Machines | Run API calls such as get machines, get machines by ID, information about logged on users, edit tags and more.
Machine Actions | Run API calls such as Isolation, Run anti-virus scan and more.
Indicators | Run API calls such as create Indicator, get Indicators and delete Indicators.
Users | Run API calls such as get user related alerts and user related machines.
Related topic
Microsoft Defender ATP APIs
Advanced hunting API
12/18/2019 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Limitations
1. You can only run a query on data from the last 30 days.
2. The results will include a maximum of 100,000 rows.
3. The number of executions is limited per tenant: up to 15 calls per minute, 15 minutes of running time every
hour and 4 hours of running time a day.
4. The maximal execution time of a single request is 10 minutes.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose
permissions, see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have 'View Data' AD role
The user needs to have access to the machine, based on machine group settings (See Create and manage machine
groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/advancedqueries/run
Request headers
HEADER VALUE
Content-Type application/json
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 200 OK, and QueryResponse object in the response body.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
POST https://api.securitycenter.windows.com/api/advancedqueries/run
Content-type: application/json
{
"Query":"ProcessCreationEvents
| where InitiatingProcessFileName =~ \"powershell.exe\"
| where ProcessCommandLine contains \"appdata\"
| project EventTime, FileName, InitiatingProcessFileName
| limit 2"
}
Response
Here is an example of the response.
NOTE
The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
HTTP/1.1 200 OK
Content-Type: application/json
{
"Schema": [{
"Name": "EventTime",
"Type": "DateTime"
},
{
"Name": "FileName",
"Type": "String"
},
{
"Name": "InitiatingProcessFileName",
"Type": "String"
}],
"Results": [{
"EventTime": "2018-07-09T07:16:26.8017265",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe"
},
{
"EventTime": "2018-07-08T19:00:02.7798905",
"FileName": "gpresult.exe",
"InitiatingProcessFileName": "powershell.exe"
}]
}
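The request and response above, handled end to end in Python. This is an added example and not Microsoft's code: build_hunting_request() assembles the POST for /api/advancedqueries/run (using the regional hosts from the note), parse_query_response() uses the Schema part of the QueryResponse to give each Results row typed values, and CallBudget is a client-side guard for the "up to 15 calls per minute" limit listed under Limitations. SAMPLE_RESPONSE is the response shown on the page; the integer and boolean type names handled in _convert() are assumed, since the page only shows DateTime and String. No network calls are made.

```python
"""Added example (not from the Microsoft docs): build an advanced hunting
request, type the QueryResponse rows by Schema, and stay within the
per-minute call limit. SAMPLE_RESPONSE is the page's example response."""
from collections import deque
from datetime import datetime, timezone

# Regional API hosts from the note above; None is the default host.
REGION_HOSTS = {
    None: "api.securitycenter.windows.com",
    "us": "api-us.securitycenter.windows.com",
    "eu": "api-eu.securitycenter.windows.com",
    "uk": "api-uk.securitycenter.windows.com",
}


def build_hunting_request(query, token, region=None):
    """Return (url, headers, body) for POST /api/advancedqueries/run."""
    url = "https://{}/api/advancedqueries/run".format(REGION_HOSTS[region])
    headers = {"Content-Type": "application/json", "Authorization": "Bearer " + token}
    return url, headers, {"Query": query}


def _convert(value, kusto_type):
    """Map Schema 'Type' names to Python values; unknown types pass through unchanged."""
    if value is None:
        return None
    if kusto_type == "DateTime":
        # Timestamps carry up to 7 fractional digits and no zone; the API reports UTC.
        main, _, frac = value.rstrip("Z").partition(".")
        dt = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
        micro = int(frac[:6].ljust(6, "0")) if frac else 0
        return dt.replace(microsecond=micro, tzinfo=timezone.utc)
    if kusto_type in ("Int32", "Int64", "Long"):  # assumed type names, not shown on the page
        return int(value)
    if kusto_type == "Bool":                      # assumed type name
        return bool(value)
    return value


def parse_query_response(payload):
    """Turn {'Schema': [...], 'Results': [...]} into a list of dicts with typed values."""
    types = {col["Name"]: col["Type"] for col in payload["Schema"]}
    return [{name: _convert(row.get(name), t) for name, t in types.items()}
            for row in payload["Results"]]


class CallBudget:
    """Sliding-window guard for the 'up to 15 calls per minute' tenant limit."""

    def __init__(self, max_calls=15, period_seconds=60):
        self.max_calls, self.period, self._calls = max_calls, period_seconds, deque()

    def allow(self, now):
        """Record a call at 'now' (seconds) if it fits the budget; False means back off."""
        while self._calls and now - self._calls[0] >= self.period:
            self._calls.popleft()
        if len(self._calls) >= self.max_calls:
            return False
        self._calls.append(now)
        return True


def budget_demo():
    """16 calls within one second, then one more a minute later."""
    budget = CallBudget()
    burst = [budget.allow(0.0) for _ in range(16)]
    return burst.count(True), burst[-1], budget.allow(60.0)


SAMPLE_QUERY = ('ProcessCreationEvents | where InitiatingProcessFileName =~ "powershell.exe" '
                '| where ProcessCommandLine contains "appdata" '
                '| project EventTime, FileName, InitiatingProcessFileName | limit 2')

# The response shown on the page.
SAMPLE_RESPONSE = {
    "Schema": [{"Name": "EventTime", "Type": "DateTime"},
               {"Name": "FileName", "Type": "String"},
               {"Name": "InitiatingProcessFileName", "Type": "String"}],
    "Results": [{"EventTime": "2018-07-09T07:16:26.8017265", "FileName": "csc.exe",
                 "InitiatingProcessFileName": "powershell.exe"},
                {"EventTime": "2018-07-08T19:00:02.7798905", "FileName": "gpresult.exe",
                 "InitiatingProcessFileName": "powershell.exe"}],
}

if __name__ == "__main__":
    for row in parse_query_response(SAMPLE_RESPONSE):
        print(row["EventTime"].isoformat(), row["FileName"], "<-", row["InitiatingProcessFileName"])
```

The body dict is what you pass as the JSON payload of the POST; keeping it a dict (rather than a pre-serialised string) lets the HTTP client set the encoding, and it keeps the Kusto query's embedded quotes out of any manual escaping.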
Related topic
Microsoft Defender ATP APIs introduction
Advanced Hunting from Portal
Advanced Hunting using PowerShell
Alert resource type
12/23/2019 • 3 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Methods
METHOD | RETURN TYPE | DESCRIPTION
List related domains | Domain collection | List URLs associated with the alert.
List related files | File collection | List the file entities that are associated with the alert.
List related IPs | IP collection | List IPs that are associated with the alert.
Get related users | User | The user that is associated with the alert.
Properties
PROPERTY | TYPE | DESCRIPTION
alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
resolvedTime | Nullable DateTimeOffset | The date and time at which the status of the alert was changed to 'Resolved'.
JSON representation:
When querying the alert list the regular way (without the expand option, e.g. /api/alerts), the expandable properties are not populated (they come back as empty lists).
To expand the expandable properties, use the $expand option (e.g. to expand all of them, send /api/alerts?$expand=files,ips,domains).
When querying a single alert, all expandable properties are expanded.
Check out OData queries with Microsoft Defender ATP for more OData examples.
Response example for getting single alert:
GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499
{
"id": "da637084217856368682_-292920499",
"incidentId": 66860,
"investigationId": 4416234,
"assignedTo": "[email protected]",
"severity": "Low",
"status": "New",
"classification": "TruePositive",
"determination": null,
"investigationState": "Running",
"detectionSource": "WindowsDefenderAtp",
"category": "CommandAndControl",
"threatFamilyName": null,
"title": "Network connection to a risky host",
"description": "A network connection was made to a risky host which has exhibited malicious activity.",
"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
"firstEventTime": "2019-11-03T23:47:16.2288822Z",
"lastEventTime": "2019-11-03T23:47:51.2966758Z",
"lastUpdateTime": "2019-11-03T23:55:52.6Z",
"resolvedTime": null,
"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
"comments": [
{
"comment": "test comment for docs",
"createdBy": "[email protected]",
"createdTime": "2019-11-05T14:08:37.8404534Z"
}
],
"alertFiles": [
{
"sha1": "77e862797dd525fd3e9c3058153247945d0d4cfd",
"sha256": "c05823562aee5e6d000b0e041197d5b8303f5aa4eecb49820879b705c926e16e",
"filePath": "C:\\Users\\test1212\\AppData\\Local\\Temp\\nsf61D3.tmp.exe",
"fileName": "nsf61D3.tmp.exe"
}
],
"alertDomains": [
{
"host": "login.bullguard.com"
}
],
"alertIps": [
{
"ipAddress": "91.231.212.53"
}
]
}
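Because a listing without $expand returns empty alertFiles/alertDomains/alertIps, a client that harvests indicators from alerts must know whether it asked for them. The following added example (not Microsoft's code) builds the /api/alerts URL with the documented $filter properties and $expand collections, checks whether a URL requested the expansion, and pulls hashes, hosts and IPs out of an expanded alert; the sample alert and its indicator values are constructed placeholders.

```python
from typing import Dict, Iterable, List, Optional, Sequence, Tuple
from urllib.parse import parse_qs, quote, urlencode, urlsplit

BASE = "https://api.securitycenter.windows.com/api"
EXPANDABLE: Tuple[str, ...] = ("files", "ips", "domains")
# The page lists these as the only alert properties $filter supports.
FILTERABLE = {"alertCreationTime", "incidentId", "investigationId",
              "status", "severity", "category"}
OPERATORS = {"eq", "ne", "gt", "ge", "lt", "le"}

Filter = Tuple[str, str, object]   # (property, operator, value)


def _literal(value: object) -> str:
    """Render a Python value as an OData literal: strings are quoted with
    embedded quotes doubled, numbers and datetime literals pass through."""
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"
    return str(value)


def alerts_url(filters: Optional[Sequence[Filter]] = None,
               expand: Iterable[str] = EXPANDABLE) -> str:
    """Build GET /api/alerts with optional $filter and $expand query options."""
    params: Dict[str, str] = {}
    clauses: List[str] = []
    for prop, op, value in filters or ():
        if prop not in FILTERABLE:
            raise ValueError(f"$filter is not supported on {prop!r}")
        if op not in OPERATORS:
            raise ValueError(f"unsupported OData operator {op!r}")
        clauses.append(f"{prop} {op} {_literal(value)}")
    if clauses:
        params["$filter"] = " and ".join(clauses)
    expand = list(expand)
    if expand:
        unknown = set(expand) - set(EXPANDABLE)
        if unknown:
            raise ValueError(f"not expandable: {sorted(unknown)}")
        params["$expand"] = ",".join(expand)
    if not params:
        return f"{BASE}/alerts"
    # quote (not quote_plus) so spaces become %20; keep the OData punctuation readable.
    return f"{BASE}/alerts?" + urlencode(params, safe="$'(),:", quote_via=quote)


def listing_is_expanded(url: str) -> bool:
    """True only if the listing asked for every expandable collection, so empty
    alertFiles/alertDomains/alertIps really mean 'none', not 'not requested'."""
    query = parse_qs(urlsplit(url).query)
    requested = {name for chunk in query.get("$expand", []) for name in chunk.split(",")}
    return set(EXPANDABLE) <= requested


def extract_indicators(alert: dict) -> Dict[str, List[str]]:
    """Deduplicated file hashes, hosts and IPs from an alert's expandable entities."""
    files = alert.get("alertFiles") or []
    return {
        "sha1": sorted({f["sha1"] for f in files if f.get("sha1")}),
        "sha256": sorted({f["sha256"] for f in files if f.get("sha256")}),
        "hosts": sorted({d["host"] for d in alert.get("alertDomains") or []}),
        "ips": sorted({i["ipAddress"] for i in alert.get("alertIps") or []}),
    }


# Constructed alert with placeholder indicator values, in the documented shape.
SAMPLE_ALERT = {
    "id": "placeholder_alert_id",
    "severity": "Low",
    "status": "New",
    "category": "CommandAndControl",
    "alertFiles": [
        {"sha1": "0" * 40, "sha256": "0" * 64,
         "filePath": "C:\\Users\\placeholder\\AppData\\Local\\Temp\\sample.tmp.exe",
         "fileName": "sample.tmp.exe"},
    ],
    "alertDomains": [{"host": "c2.example.invalid"}],
    "alertIps": [{"ipAddress": "203.0.113.7"}, {"ipAddress": "203.0.113.7"}],
}

if __name__ == "__main__":
    url = alerts_url([("severity", "eq", "High"), ("status", "ne", "Resolved")])
    print(url, listing_is_expanded(url), extract_indicators(SAMPLE_ALERT))
```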
List alerts API
12/23/2019 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves a collection of Alerts.
Supports OData V4 queries.
The OData $filter query is supported on: "alertCreationTime", "incidentId", "investigationId", "status", "severity" and "category".
See examples at OData queries with Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The response will include only alerts that are associated with machines the user can access, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET /api/alerts
Request body
Empty
Response
If successful, this method returns 200 OK, and a list of alert objects in the response body.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/alerts
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
Response
Here is an example of the response.
NOTE
The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "da637084217856368682_-292920499",
"incidentId": 66860,
"investigationId": 4416234,
"assignedTo": "[email protected]",
"severity": "Low",
"status": "New",
"classification": "TruePositive",
"determination": null,
"investigationState": "Running",
"detectionSource": "WindowsDefenderAtp",
"category": "CommandAndControl",
"threatFamilyName": null,
"title": "Network connection to a risky host",
"description": "A network connection was made to a risky host which has exhibited malicious activity.",
"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
"firstEventTime": "2019-11-03T23:47:16.2288822Z",
"lastEventTime": "2019-11-03T23:47:51.2966758Z",
"lastUpdateTime": "2019-11-03T23:55:52.6Z",
"resolvedTime": null,
"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
"comments": [
{
"comment": "test comment for docs",
"createdBy": "[email protected]",
"createdTime": "2019-11-05T14:08:37.8404534Z"
}
],
"alertFiles": [],
"alertDomains": [],
"alertIps": []
}
]
}
Related topics
OData queries with Microsoft Defender ATP
Create alert from event API
12/10/2019 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Creates a new alert from event data obtained from Advanced Hunting.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts investigation' (see Create and manage roles for more information).
The user needs to have access to the machine associated with the alert, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply the following values (all are required):
Response
If successful, this method returns 200 OK and a new alert object in the response body. If an event with the specified properties (reportId, eventTime and machineId) was not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Content-Type: application/json
{
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"severity": "Low",
"title": "test alert",
"description": "test alert",
"recommendedAction": "test alert",
"eventTime": "2018-08-03T16:45:21.7115183Z",
"reportId": "20776",
"category": "None"
}
Update alert
12/26/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Update the properties of an alert entity.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts investigation' (see Create and manage roles for more information).
The user needs to have access to the machine associated with the alert, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
PATCH /api/alerts/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply the values for the relevant fields that should be updated. Existing properties that are not included in the request body keep their previous values or are recalculated based on changes to other property values. For best performance, do not include existing values that have not changed.
PROPERTY TYPE DESCRIPTION
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
Response
If successful, this method returns 200 OK and the alert entity with the updated properties in the response body. If an alert with the specified id was not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
Content-Type: application/json
{
"assignedTo": "[email protected]"
}
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "[email protected]",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
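The page advises sending only the fields that actually change, and warns that the service recalculates dependent properties itself. The following added example (not Microsoft's code) diffs the alert as last fetched against the desired state to produce a minimal PATCH body, refuses fields the service derives on its own, and checks the returned entity against what was sent; the set of updatable fields and the enum values are assumptions drawn from the alert JSON on this page, and the sample alert uses placeholder values.

```python
import json
from typing import Dict, List, Optional, Tuple

BASE = "https://api.securitycenter.windows.com/api"

# Fields this helper is willing to send in a PATCH. Assumption: taken from the
# alert objects shown on this page. Anything the service derives itself
# (resolvedTime, lastUpdateTime, investigationState, ...) is deliberately
# absent, because the page says such values are recalculated from the ones
# you change.
UPDATABLE = {"status", "assignedTo", "classification", "determination"}

# Allowed values for the enumerated fields; assumed from the documented
# alert JSON (status New/InProgress/Resolved, classification values).
ALLOWED: Dict[str, set] = {
    "status": {"New", "InProgress", "Resolved"},
    "classification": {"Unknown", "FalsePositive", "TruePositive"},
}


def build_alert_patch(current: dict, desired: dict) -> dict:
    """Return only the desired fields whose value differs from `current`.

    Raises ValueError for fields that are not updatable or enum values the
    service would reject, so a bad request is caught before it is sent.
    """
    unknown = set(desired) - UPDATABLE
    if unknown:
        raise ValueError(f"not updatable through PATCH: {sorted(unknown)}")
    body = {}
    for field, value in desired.items():
        allowed = ALLOWED.get(field)
        if allowed is not None and value not in allowed:
            raise ValueError(f"{field}={value!r} is not one of {sorted(allowed)}")
        if current.get(field) != value:
            body[field] = value
    return body


def patch_request(alert_id: str, current: dict,
                  desired: dict) -> Optional[Tuple[str, str, str]]:
    """(method, url, JSON body) for PATCH /api/alerts/{id}, or None when
    nothing changed so the caller can skip the round trip entirely."""
    body = build_alert_patch(current, desired)
    if not body:
        return None
    return ("PATCH", f"{BASE}/alerts/{alert_id}", json.dumps(body))


def unapplied_fields(sent: dict, returned: dict) -> List[str]:
    """Fields from the PATCH body that the returned alert entity does not
    reflect. A non-empty list means the update should be treated as failed."""
    return sorted(field for field, value in sent.items()
                  if returned.get(field) != value)


# Constructed alert in the documented shape, with placeholder values.
CURRENT_ALERT = {
    "id": "placeholder_alert_id",
    "incidentId": 7696,
    "assignedTo": "analyst1@contoso.example",
    "severity": "High",
    "status": "New",
    "classification": "TruePositive",
    "determination": "Malware",
    "resolvedTime": None,
}

if __name__ == "__main__":
    print(patch_request("placeholder_alert_id", CURRENT_ALERT,
                        {"assignedTo": "analyst2@contoso.example", "status": "New"}))
```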
Get alert information by ID API
12/26/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves an alert by its ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The user needs to have access to the machine associated with the alert, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET /api/alerts/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK and the alert entity in the response body. If an alert with the specified id was not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
Response
Here is an example of the response.
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "[email protected]",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
Get alert related ___domain information API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves all domains related to a specific alert.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The user needs to have access to the machine associated with the alert, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET /api/alerts/{id}/domains
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the alert and its domains exist, this method returns 200 OK. If the alert is not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/domains
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains",
"value": [
{
"host": "www.example.com"
}
]
}
Get alert related files information API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves all files related to a specific alert.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The user needs to have access to the machine associated with the alert, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET /api/alerts/{id}/files
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the alert and its files exist, this method returns 200 OK. If the alert is not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
"value": [
{
"sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
"sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
"md5": "82849dc81d94056224445ea73dc6153a",
"globalPrevalence": 33,
"globalFirstObserved": "2018-07-17T18:17:27.5909748Z",
"globalLastObserved": "2018-08-06T16:07:12.9414137Z",
"windowsDefenderAVThreatName": null,
"size": 801112,
"fileType": "PortableExecutable",
"isPeFile": true,
"filePublisher": null,
"fileProductName": null,
"signer": "Microsoft Windows",
"issuer": "Microsoft Development PCA 2014",
"signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f",
"isValidCertificate": true
}
]
}
Get alert related IP information API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves all IPs related to a specific alert.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The user needs to have access to the machine associated with the alert, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET /api/alerts/{id}/ips
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the alert and an IP exist, this method returns 200 OK. If the alert is not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/ips
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips",
"value": [
{
"id": "104.80.104.128"
},
{
"id": "23.203.232.228"
}
]
}
Get alert related machine information API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves machine that is related to a specific alert.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The user needs to have access to the machine associated with the alert, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET /api/alerts/{id}/machine
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the alert and machine exist, this method returns 200 OK. If the alert or the machine is not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
Get alert related user information API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves the user associated to a specific alert.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The user needs to have access to the machine associated with the alert, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET /api/alerts/{id}/user
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the alert and a user exist, this method returns 200 OK with the user in the body. If the alert or the user is not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
"id": "contoso\\user1",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-04T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
}
Machine resource type
12/3/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Methods
METHOD | RETURN TYPE | DESCRIPTION
List machines | machine collection | List the set of machine entities in the org.
Get logged on users | user collection | Get the set of users that logged on to the machine.
Get related alerts | alert collection | Get the set of alert entities that were raised on the machine.
Properties
PROPERTY TYPE DESCRIPTION
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
This API can do the following actions:
Retrieves a collection of machines that have communicated with the Microsoft Defender ATP cloud in the last 30 days.
The Get Machines collection API supports OData V4 queries.
The OData $filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
See examples at OData queries with Microsoft Defender ATP.
Permissions
PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The response will include only machines that the user has access to, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET https://api.securitycenter.windows.com/api/machines
Request headers
NAME TYPE DESCRIPTION
Response
If successful and machines exist, this method returns 200 OK with the list of machine entities in the body. If there are no recent machines, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/machines
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
Related topics
OData queries with Microsoft Defender ATP
Get machine by ID API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves a machine entity by ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The user needs to have access to the machine, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET /api/machines/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the machine exists, this method returns 200 OK with the machine entity in the body. If a machine with the specified id was not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
Get machine log on users API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves a collection of logged on users.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The response will include users only if the machine is visible to the user, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET /api/machines/{id}/logonusers
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the machine exists, this method returns 200 OK with the list of user entities in the body. If the machine was not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
"value": [
{
"id": "contoso\\user1",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-04T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
},
{
"id": "contoso\\user2",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-05T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
}
]
}
Get machine related alerts API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves a collection of alerts related to a given machine ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (see Create and manage roles for more information).
The user needs to have access to the machine, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
GET /api/machines/{id}/alerts
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the machine exists, this method returns 200 OK with the list of alert entities in the body. If the machine was not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "[email protected]",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Add or Remove Machine Tags API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
This API adds or removes a tag on a specific machine.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
PERMISSION TYPE | PERMISSION | PERMISSION DISPLAY NAME
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Manage security setting' (see Create and manage roles for more information).
The user needs to have access to the machine, based on machine group settings (see Create and manage machine groups for more information).
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/tags
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
Response
If successful, this method returns 200 OK and the updated machine entity in the response body.
Example
Request
Here is an example of a request that adds a machine tag.
NOTE
For better performance, you can use a server closer to your geo ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
Content-type: application/json
{
"Value" : "test Tag 2",
"Action": "Add"
}
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
Find machines by internal IP API
12/10/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given
timestamp.
The given timestamp must be in the past 30 days.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more information)
The response will include only machines that the user has access to, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})
Request headers
NAME TYPE DESCRIPTION
Response
If successful and machines were found - 200 OK with list of the machines in the response body. If no machine
found - 404 Not Found. If the timestamp is not in the past 30 days - 400 Bad Request.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-09-22T08:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
]
}
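As an added example, not part of the Microsoft documentation, the following Python builds the findbyip call and maps the three documented outcomes (200, 404, 400) to Python results. It validates the address with the standard `ipaddress` module so nothing but a real IP can land inside the OData function call, renders the timestamp in the UTC form the example uses, and applies the 30-day rule before sending, so the 400 is caught locally. Because the lookup covers 15 minutes either side of the timestamp, a DHCP lease change can return several machines; the helper returns them newest-seen first so the caller has to make that call consciously. `send` is the assumed HTTP-client interface; `fake_send` and the second "oldlease" machine are constructed for the offline demonstration and are not from the page.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

API_HOST = "api.securitycenter.windows.com"


def window_error(when, now):
    """Return None if `when` satisfies the API's rule (within the past 30 days),
    otherwise the reason the service would answer 400 Bad Request."""
    if when.tzinfo is None:
        return "timestamp must be timezone-aware"
    when, now = when.astimezone(timezone.utc), now.astimezone(timezone.utc)
    if when > now:
        return "timestamp is in the future"
    if now - when > timedelta(days=30):
        return "timestamp is older than 30 days"
    return None


def findbyip_url(ip, when, now=None, host=API_HOST):
    """Build GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp}).

    The IP is parsed with ipaddress so only a real address reaches the URL
    (no quotes or parentheses can leak into the OData function call), and the
    timestamp is rendered as UTC ISO 8601 exactly as in the page's example.
    """
    addr = ipaddress.ip_address(ip)             # ValueError on anything else
    now = now or datetime.now(timezone.utc)
    problem = window_error(when, now)
    if problem:
        raise ValueError(problem)
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"https://{host}/api/machines/findbyip(ip='{addr}',timestamp={stamp})"


def find_machines(send, token, ip, when, now=None, host=API_HOST):
    """Query the API and map its documented status codes to Python results.

    send(method, url, headers, body) -> (status, text) is the caller's HTTP
    client (assumed interface).  Several machines can legitimately come back
    for one IP within the +/-15 minute window; they are returned newest-seen
    first so the caller can disambiguate deliberately.
    """
    url = findbyip_url(ip, when, now=now, host=host)
    status, text = send("GET", url, {"Authorization": f"Bearer {token}"}, None)
    if status == 200:
        machines = json.loads(text)["value"]
        return sorted(machines, key=lambda m: m["lastSeen"], reverse=True)
    if status == 404:
        return []                                # no machine seen with that IP
    if status == 400:
        raise ValueError(f"request rejected (timestamp window?): {text[:200]}")
    raise RuntimeError(f"unexpected HTTP {status}: {text[:200]}")


# Constructed sample data: the page's example machine plus a second, older
# sighting invented here to show why the result needs disambiguating.
SAMPLE_WHEN = datetime(2018, 9, 22, 8, 44, 5, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)
SAMPLE_TOO_LATE = datetime(2018, 11, 1, tzinfo=timezone.utc)   # 40 days later
SAMPLE_MACHINES = [
    {"id": "0000000000000000000000000000000000000000",          # constructed
     "computerDnsName": "oldlease.contoso.com",
     "lastSeen": "2018-09-22T08:31:00.0000000Z",
     "lastIpAddress": "10.248.240.38"},
    {"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
     "computerDnsName": "mymachine1.contoso.com",
     "lastSeen": "2018-09-22T08:55:03.7791856Z",
     "lastIpAddress": "10.248.240.38"},
]


def fake_send(method, url, headers, body):
    """Offline stand-in for the service implementing the page's status codes."""
    if "ip='10.248.240.38'" in url:
        return 200, json.dumps({"value": SAMPLE_MACHINES})
    return 404, json.dumps({"error": {"code": "NotFound"}})
```

When more than one machine comes back, correlate with the alert's own timestamp and the machine's lastSeen before taking a response action; acting on the wrong lease holder isolates an innocent host.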
MachineAction resource type
6/6/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Get investigation package SAS URI Machine Action Get URI for downloading the investigation package.
Release machine from isolation Machine Action Release machine from Isolation.
Properties
PROPERTY TYPE DESCRIPTION
creationDateTimeUtc DateTimeOffset The date and time when the action was created.
lastUpdateTimeUtc DateTimeOffset The last date and time when the action status was updated.
List MachineActions API
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Gets collection of actions done on machines.
Get MachineAction collection API supports OData V4 queries.
The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and
"CreationDateTimeUtc".
See examples at OData queries with Microsoft Defender ATP
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more information)
HTTP request
GET https://api.securitycenter.windows.com/api/machineactions
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK response code with a collection of MachineAction entities.
Example 1
Request
Here is an example of the request on an organization that has three MachineActions.
GET https://api.securitycenter.windows.com/api/machineactions
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"requestor": "[email protected]",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
"relatedFileInfo": null
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "[email protected]",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
},
{
"id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
"type": "StopAndQuarantineFile",
"requestor": "[email protected]",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
"lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
"relatedFileInfo": {
"fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
"fileIdentifierType": "Sha1"
}
}
]
}
Example 2
Request
Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions. The collection is returned newest first, which is what makes $top=2 yield the latest two.
GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"requestor": "[email protected]",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
"relatedFileInfo": null
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "[email protected]",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
}
]
}
Related topics
OData queries with Microsoft Defender ATP
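The $filter in Example 2 is built from values that often originate in alerts or user input, and a single quote inside such a value either breaks the query or changes what it selects. As an added example (not part of the Microsoft documentation), the Python below renders OData literals with the proper escaping (embedded quotes doubled, datetimes unquoted in UTC), restricts fields to the ones the page lists as filterable, and percent-encodes the query values so the request reaches the API intact. The machine ID and the sample timestamp used in the demonstration are constructed inputs.

```python
from datetime import datetime, timezone
from urllib.parse import quote

API_HOST = "api.securitycenter.windows.com"
# Fields the page lists as supported by $filter.
FILTERABLE = {"id", "status", "machineId", "type", "requestor", "creationDateTimeUtc"}
OPERATORS = {"eq", "ne", "gt", "ge", "lt", "le"}


def odata_literal(value):
    """Render a Python value as an OData literal.

    Strings are single-quoted with embedded quotes doubled, which is OData's
    escape rule.  Without it a requestor such as o'brien@contoso.com, or any
    value lifted from an alert, breaks the query or changes what it selects.
    """
    if isinstance(value, bool):                 # bool before int: it is a subclass
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "'" + str(value).replace("'", "''") + "'"


def build_filter(conditions):
    """conditions: iterable of (field, op, value); clauses are joined with 'and'."""
    clauses = []
    for field, op, value in conditions:
        if field not in FILTERABLE:
            raise ValueError(f"$filter is not supported on {field!r}")
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator {op!r}")
        clauses.append(f"{field} {op} {odata_literal(value)}")
    return " and ".join(clauses)


def machineactions_url(conditions=(), top=None, host=API_HOST):
    """Build GET /api/machineactions?$filter=...&$top=... as in the page's Example 2."""
    params = []
    if conditions:
        params.append(("$filter", build_filter(conditions)))
    if top is not None:
        if not isinstance(top, int) or top <= 0:
            raise ValueError("$top must be a positive integer")
        params.append(("$top", str(top)))
    # Keys stay literal ($filter, $top); values are percent-encoded so the
    # spaces and quotes in the filter survive any proxy on the way.
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    return f"https://{host}/api/machineactions" + (f"?{query}" if query else "")


# Constructed inputs for the demonstration below.
SAMPLE_MACHINE_ID = "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f"
SAMPLE_SINCE = datetime(2018, 12, 4, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(machineactions_url([("machineId", "eq", SAMPLE_MACHINE_ID)], top=2))
    print(build_filter([("requestor", "eq", "o'brien@contoso.com"),
                        ("creationDateTimeUtc", "ge", SAMPLE_SINCE)]))
```

The field whitelist matters as much as the quoting: it stops a caller from filtering on a property the service does not index, which would otherwise surface as a confusing 400 only at run time.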
Get machineAction API
12/10/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Get action performed on a machine.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
PERMISSION TYPE PERMISSION PERMISSION DISPLAY NAME
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more information)
HTTP request
GET https://api.securitycenter.windows.com/api/machineactions/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK response code with a MachineAction entity. If no machine action with the specified ID exists, it returns 404 Not Found.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "[email protected]",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
}
Collect investigation package API
12/10/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Collect investigation package from a machine.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts Investigation' (See Create and manage roles for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Comment String Comment to associate with the action. Required.
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
Content-type: application/json
{
"Comment": "Collect forensics due to alert 1234"
}
Response
Here is an example of the response.
Get package SAS URI API
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Get a URI that allows downloading of an investigation package.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts Investigation' (See Create and manage roles for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK response code with an object that holds the link to the package in the "value" parameter. This link is valid for a very short time and should be used immediately to download the package to local storage. The link carries the access token in its query string (see the token parameter in the example below), so anyone holding the unredacted link can fetch the package until it expires; do not write it to logs or tickets.
Example
Request
Here is an example of the request.
GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
"value": "\"https://userrequests-
us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?
token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeB
sxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoA
vmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9
Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNR
SnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6
Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3b
QOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXU
RYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh
4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPP
AJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0
zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4
fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY
0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4Jes
TjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYO
dT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
}
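Two things about this response trip up scripts: the "value" member is a JSON string that itself contains a quoted URL (note the `\"https://...\"` in the example), so a JSON parser hands back a string that still begins and ends with a double quote; and the query string is the credential. As an added example (not code from the Microsoft documentation), the Python below strips that extra quoting, insists on https and on the service's own ___domain before following the link, redacts the token for anything that gets logged, and returns the SHA-256 of the saved archive so the evidence can be re-verified later. `fetch(url) -> bytes` is the assumed HTTP-client interface; `SAMPLE_RESPONSE`, its short token, and the minimal zip bytes are constructed for the offline demonstration.

```python
import hashlib
import json
from urllib.parse import urlsplit, urlunsplit

EXPECTED_HOST_SUFFIX = ".securitycenter.windows.com"


def extract_package_url(response_text):
    """Pull the download link out of the getPackageUri response body.

    The "value" member is a JSON string that itself contains a quoted URL, so
    json.loads yields a string beginning and ending with a double quote.  That
    layer is stripped, then the link must be https on the service's ___domain.
    """
    value = json.loads(response_text)["value"]
    if not isinstance(value, str):
        raise ValueError("value is not a string")
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise ValueError("refusing a non-https download link")
    if not parts.hostname or not parts.hostname.endswith(EXPECTED_HOST_SUFFIX):
        raise ValueError(f"unexpected download host {parts.hostname!r}")
    return value


def redact_url(url):
    """Blank every query value so the SAS token never lands in logs or tickets."""
    parts = urlsplit(url)
    names = [p.split("=", 1)[0] for p in parts.query.split("&") if p]
    redacted = "&".join(f"{n}=[redacted]" for n in names)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, redacted, ""))


def download_package(fetch, url, dest_path=None):
    """fetch(url) -> bytes is the caller's HTTP client (assumed interface).

    Use the link immediately: it is short-lived.  The zip signature is checked
    before anything is written, and the SHA-256 of the archive is returned so
    the evidence can be re-verified later in the investigation.
    """
    data = fetch(url)
    if data[:4] != b"PK\x03\x04":
        raise ValueError("download is not a zip archive (link expired?)")
    if dest_path is not None:
        with open(dest_path, "wb") as fh:
            fh.write(data)
    return hashlib.sha256(data).hexdigest()


# Constructed sample: same shape as the page's example, with a short token.
SAMPLE_LINK = ("https://userrequests-us.securitycenter.windows.com:443/safedownload/"
               "WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXll")
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
    "value": '"' + SAMPLE_LINK + '"',
})
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26          # constructed: header bytes only
SAMPLE_ZIP_SHA256 = hashlib.sha256(SAMPLE_ZIP).hexdigest()


def fake_fetch(url):
    """Stand-in for the HTTP client; only the exact sample link is served."""
    if url != SAMPLE_LINK:
        raise PermissionError("403: token invalid or expired")
    return SAMPLE_ZIP


if __name__ == "__main__":
    link = extract_package_url(SAMPLE_RESPONSE)
    print("downloading", redact_url(link))
    print("sha256", download_package(fake_fetch, link))
```

Record the redacted URL and the digest in the case notes; the unredacted link is worthless once it expires and dangerous until then.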
Isolate machine API
12/10/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Isolates a machine from accessing the external network.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/isolate
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Comment String Comment to associate with the action. Required.
IsolationType String Type of the isolation. Allowed values are: 'Full' or 'Selective'. Required.
IsolationType controls the type of isolation to perform and can be one of the following:
Full – Full isolation
Selective – Restrict only a limited set of applications from accessing the network (see Isolate machines from the network for more details)
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
Content-type: application/json
{
"Comment": "Isolate machine due to alert 1234",
"IsolationType": "Full"
}
Response
Here is an example of the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "b89eb834-4578-496c-8be0-03f004061435",
"type": "Isolate",
"requestor": "[email protected] ",
"requestorComment": "Isolate machine due to alert 1234",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z",
"lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z",
"relatedFileInfo": null
}
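The 201 above only means the action was accepted: its status is InProgress, and the Get machineAction API is how you learn whether the machine was actually isolated. As an added example (not code from the Microsoft documentation), the Python below submits any of the machine actions on these pages that share this 201-with-MachineAction contract (isolate, unisolate, runAntiVirusScan, restrictCodeExecution, unrestrictCodeExecution, collectInvestigationPackage), validating the Comment and the enumerated fields (IsolationType, ScanType) before anything is sent, and then polls /api/machineactions/{id} until the status is terminal or a deadline passes. The page shows only the InProgress and Succeeded states; the other terminal states in `TERMINAL_STATES` are an assumption about the service, not taken from this page. `send` is the assumed HTTP-client interface and `make_fake_service` is a constructed stand-in modelled on the isolate example so the block runs offline.

```python
import json
import time
from urllib.parse import quote

API_HOST = "api.securitycenter.windows.com"
# Actions on this page that share the 201-with-MachineAction contract, with
# the enumerated body fields each one requires besides Comment.
ACTION_FIELDS = {
    "isolate": {"IsolationType": ("Full", "Selective")},
    "unisolate": {},
    "runAntiVirusScan": {"ScanType": ("Quick", "Full")},
    "restrictCodeExecution": {},
    "unrestrictCodeExecution": {},
    "collectInvestigationPackage": {},
}
# The page shows InProgress and Succeeded; the other terminal states are
# assumed from the service's enumeration, not from this page.
TERMINAL_STATES = {"Succeeded", "Failed", "TimeOut", "Cancelled"}


def submit_action(send, token, machine_id, action, comment, host=API_HOST, **fields):
    """POST /api/machines/{id}/{action} and return the MachineAction from the 201.

    send(method, url, headers, body) -> (status, text) is the caller's HTTP
    client (assumed interface).  Comment is mandatory for every action and
    enumerated fields are checked first, so IsolationType="full" fails here
    with a clear message instead of as an opaque 400 from the service.
    """
    if action not in ACTION_FIELDS:
        raise ValueError(f"unknown machine action {action!r}")
    if not comment or not comment.strip():
        raise ValueError("Comment is required; it is recorded with the action")
    body = {"Comment": comment}
    for name, allowed in ACTION_FIELDS[action].items():
        if fields.get(name) not in allowed:
            raise ValueError(f"{name} must be one of {allowed}")
        body[name] = fields[name]
    url = f"https://{host}/api/machines/{quote(machine_id, safe='')}/{action}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, text = send("POST", url, headers, json.dumps(body))
    if status != 201:
        raise RuntimeError(f"{action} rejected: HTTP {status} {text[:200]}")
    return json.loads(text)


def wait_for_action(send, token, action_id, timeout=600, interval=10,
                    sleep=time.sleep, host=API_HOST):
    """Poll GET /api/machineactions/{id} until the status is terminal.

    Returns the final MachineAction; callers must still inspect its status,
    because Failed and TimeOut are terminal too.  `sleep` is injectable so
    the loop can be exercised without real waiting.
    """
    url = f"https://{host}/api/machineactions/{quote(action_id, safe='')}"
    headers = {"Authorization": f"Bearer {token}"}
    waited = 0
    while True:
        status, text = send("GET", url, headers, None)
        if status == 404:
            raise LookupError(f"machine action {action_id} not found")
        if status != 200:
            raise RuntimeError(f"poll failed: HTTP {status} {text[:200]}")
        action = json.loads(text)
        if action["status"] in TERMINAL_STATES:
            return action
        if waited >= timeout:
            raise TimeoutError(f"{action_id} still {action['status']} after {timeout}s")
        sleep(interval)
        waited += interval


# Constructed stand-in for the service, modelled on the page's isolate example:
# the POST gets a 201 with status InProgress, and polling reports InProgress
# until `polls_before_done` requests have been made, then Succeeded.
SAMPLE_MACHINE_ID = "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
SAMPLE_ACTION_ID = "b89eb834-4578-496c-8be0-03f004061435"


def make_fake_service(polls_before_done=2):
    state = {"polls": 0, "status": "InProgress", "comment": None}

    def fake_send(method, url, headers, body):
        if method == "POST" and f"/api/machines/{SAMPLE_MACHINE_ID}/" in url:
            state["comment"] = json.loads(body)["Comment"]
        elif not (method == "GET" and url.endswith(f"/api/machineactions/{SAMPLE_ACTION_ID}")):
            return 404, json.dumps({"error": {"code": "NotFound"}})
        else:
            state["polls"] += 1
            if state["polls"] >= polls_before_done:
                state["status"] = "Succeeded"
        action = {"id": SAMPLE_ACTION_ID, "type": "Isolate", "status": state["status"],
                  "requestorComment": state["comment"], "machineId": SAMPLE_MACHINE_ID}
        return (201 if method == "POST" else 200), json.dumps(action)

    return fake_send
```

Keep the polling interval generous: isolation is enforced by the endpoint, and the action stays InProgress until the sensor reports back, which can take minutes for a host that is offline or on a slow link.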
Release machine from isolation API
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Undo isolation of a machine.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Comment String Comment to associate with the action. Required.
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
Content-type: application/json
{
"Comment": "Unisolate machine since it was clean and validated"
}
Response
Here is an example of the response.
NOTE
The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
Restrict app execution API
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Restrict execution of all applications on the machine except a predefined set (see Response machine alerts for more information).
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Comment String Comment to associate with the action. Required.
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
Content-type: application/json
{
"Comment": "Restrict code execution due to alert 1234"
}
Response
Here is an example of the response.
To remove code execution restriction from a machine, see Remove app restriction.
Remove app restriction API
12/10/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Enable execution of any application on the machine.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Comment String Comment to associate with the action. Required.
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
Content-type: application/json
{
"Comment": "Unrestrict code execution since machine was cleaned and validated"
}
Response
Here is an example of the response.
Run antivirus scan API
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Initiate Windows Defender Antivirus scan on a machine.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Comment String Comment to associate with the action. Required.
ScanType Enum Type of scan to perform. Allowed values are: 'Quick' or 'Full'. Required.
ScanType controls the type of scan to perform and can be one of the following:
Quick – Perform a quick scan on the machine
Full – Perform a full scan on the machine
Response
If successful, this method returns 201, Created response code and MachineAction object in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
Content-type: application/json
{
"Comment": "Check machine for viruses due to alert 3212",
"ScanType": "Full"
}
Response
Here is an example of the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "[email protected]",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"relatedFileInfo": null
}
Offboard machine API
12/10/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Offboard machine from Microsoft Defender ATP.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have the 'Global Admin' AD role
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/offboard
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Comment String Comment to associate with the action. Required.
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
Content-type: application/json
{
"Comment": "Offboard machine by automation"
}
Response
Here is an example of the response.
Stop and quarantine file API
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Stop execution of a file on a machine and delete it.
NOTE
This page focuses on performing a machine action via API. See take response actions on a machine for more information
about response actions functionality via Microsoft Defender ATP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Comment String Comment to associate with the action. Required.
Sha1 String SHA-1 of the file to stop and quarantine on the machine. Required.
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
Response
Here is an example of the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "141408d1-384c-4c19-8b57-ba39e378011a",
"type": "StopAndQuarantineFile",
"requestor": "[email protected] ",
"requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"relatedFileInfo": {
"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"fileIdentifierType": "Sha1"
}
}
Initiate machine investigation API (Preview)
12/10/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
NOTE
This page focuses on performing an automated investigation on a machine. See automated investigation for more
information.
Limitations
1. The number of executions is limited (up to 5 calls per hour).
2. For Automated Investigation limitations, see Automated Investigation.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'Alerts Investigation' (See Create and manage roles for more information)
The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/InitiateInvestigation
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
Comment String Comment to associate with the action. Required.
Response
If successful, this method returns 200 OK response code with an object that holds the investigation ID in the "value" parameter. If the machine was not found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/InitiateInvestigation
Content-type: application/json
{
"Comment": "Initiate an investigation on machine fb9ab6be3965095a09c057be7c90f0a2"
}
Response
Here is an example of the response.
Indicator resource type
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Properties
PROPERTY TYPE DESCRIPTION
Submit or Update Indicator API
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
NOTE
Currently this API is supported only for AppOnly context requests. (See Get access with application context for more
information)
NOTE
There is a limit of 5000 indicators per tenant.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started
HTTP request
POST https://api.securitycenter.windows.com/api/indicators
Request headers
NAME TYPE DESCRIPTION
Request body
In the request body, supply a JSON object with the following parameters:
PARAMETER TYPE DESCRIPTION
indicatorValue String Identity of the Indicator entity. Required.
indicatorType Enum Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". Required.
action Enum The action that will be taken if the indicator is discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". Required.
title String Indicator alert title. Required.
description String Description of the indicator. Required.
expirationTime DateTimeOffset The expiration time of the indicator. Optional.
severity Enum The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". Optional.
recommendedActions String TI indicator alert recommended actions. Optional.
Response
If successful, this method returns 200 OK response code and the created or updated Indicator entity in the response body.
If not successful, this method returns 400 Bad Request or 409 Conflict with the failure reason. Bad Request usually indicates an incorrect body; Conflict can happen if you submit an Indicator whose value already exists with a different indicator type or action.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/indicators
Content-type: application/json
{
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST"
}
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators/$entity",
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST",
"rbacGroupNames": []
}
Related topic
Manage indicators
List Indicators API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Currently this API is supported only for AppOnly context requests. (See Get access with application context for more information.)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started
HTTP request
GET https://api.securitycenter.windows.com/api/indicators
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful, this method returns 200 OK with a collection of Indicator entities.
NOTE
If the application has the 'Ti.ReadWrite.All' permission, it sees all Indicators in the tenant. Otherwise, it sees only the Indicators it created.
Example 1:
Request
Here is an example of a request that gets all Indicators
GET https://api.securitycenter.windows.com/api/indicators
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
"value": [
{
"indicatorValue": "12.13.14.15",
"indicatorType": "IpAddress",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "Alert",
"severity": "Informational",
"description": "test",
"recommendedActions": "test",
"rbacGroupNames": []
},
{
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST",
"rbacGroupNames": [ "Group1", "Group2" ]
}
...
]
}
Example 2:
Request
Here is an example of a request that gets all Indicators with the 'AlertAndBlock' action, using an OData $filter on the action property.
GET https://api.securitycenter.windows.com/api/indicators?$filter=action+eq+'AlertAndBlock'
Response
Here is an example of the response.
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
"value": [
{
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST",
"rbacGroupNames": [ "Group1", "Group2" ]
}
...
]
}
Delete Indicator API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
Currently this API is supported only for AppOnly context requests. (See Get access with application context for more information.)
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Get started
HTTP request
DELETE https://api.securitycenter.windows.com/api/indicators/{id}
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If the Indicator exists and is deleted successfully: 204 No Content (no body). If no Indicator with the specified id exists: 404 Not Found.
Example
Request
Here is an example of the request.
DELETE https://api.securitycenter.windows.com/api/indicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
Response
Here is an example of the response. A successful delete carries no body.
HTTP/1.1 204 No Content
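The three Indicator calls above (submit, list, delete) as one small Python client. This is an added example, not code from the Microsoft Defender ATP documentation. It assumes an application (AppOnly) bearer token obtained as in the Python token sample later on this page, filters the list server-side with an OData $filter on the action property (the OData syntax is the API's; using it for this particular list is the example's choice), and replays canned responses copied from the page's examples through a stand-in for urlopen, so it runs offline. The 400/409 and 204/404 branches map the status codes the sections above describe onto Python results rather than letting urllib raise.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request

INDICATORS_URL = "https://api.securitycenter.windows.com/api/indicators"


def build_request(method, token, path="", query=None, body=None):
    """Assemble the urllib Request for one indicators call (pure, so tests can inspect it)."""
    url = INDICATORS_URL + path
    if query:
        url += "?" + urllib.parse.urlencode(query)   # $filter=... is percent-encoded here
    headers = {"Authorization": "Bearer " + token}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode("utf-8")
    return urllib.request.Request(url, data=data, headers=headers, method=method)

def send(req, opener=urllib.request.urlopen):
    """Return (status, decoded JSON or None); a 4xx comes back as data instead of raising."""
    try:
        with opener(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)

def submit_indicator(token, indicator, opener=urllib.request.urlopen):
    """POST a new or updated indicator; 400/409 surface the service's failure reason."""
    status, data = send(build_request("POST", token, body=indicator), opener)
    if status == 200:
        return data
    if status in (400, 409):  # bad body, or a conflict with an existing indicator's type/action
        raise ValueError(f"indicator rejected ({status}): {data}")
    raise RuntimeError(f"unexpected status {status}: {data}")

def list_indicators(token, action=None, opener=urllib.request.urlopen):
    """GET the indicators visible to this app, filtered server-side by action via OData $filter."""
    query = {"$filter": f"action eq '{action}'"} if action else None
    status, data = send(build_request("GET", token, query=query), opener)
    if status != 200:
        raise RuntimeError(f"list failed ({status}): {data}")
    return data["value"]

def delete_indicator(token, indicator_id, opener=urllib.request.urlopen):
    """DELETE one indicator: True on 204, False on 404, anything else raises."""
    status, data = send(build_request("DELETE", token, path=f"/{indicator_id}"), opener)
    if status in (204, 404):
        return status == 204
    raise RuntimeError(f"delete failed ({status}): {data}")

class _Canned:  # just enough of an HTTP response object for the offline opener below
    def __init__(self, status, raw):
        self.status, self._raw = status, raw
    def read(self):
        return self._raw
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False

def canned_opener(table):
    """Stand-in for urlopen: table maps (METHOD, url) -> (status, payload); 4xx raise HTTPError."""
    def opener(req):
        status, payload = table[(req.get_method(), req.full_url)]
        raw = b"" if payload is None else json.dumps(payload).encode("utf-8")
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "error", {}, io.BytesIO(raw))
        return _Canned(status, raw)
    return opener

SAMPLE_INDICATOR = {  # constructed from the page's own request example
    "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1",
    "title": "test", "expirationTime": "2020-12-12T00:00:00Z", "action": "AlertAndBlock",
    "severity": "Informational", "description": "test", "recommendedActions": "TEST",
}

def demo():
    """Submit, filtered list and two deletes against canned responses; returns what each call gave."""
    stored = dict(SAMPLE_INDICATOR, rbacGroupNames=[])
    filtered = INDICATORS_URL + "?" + urllib.parse.urlencode({"$filter": "action eq 'AlertAndBlock'"})
    opener = canned_opener({
        ("POST", INDICATORS_URL): (200, stored),
        ("GET", filtered): (200, {"value": [stored]}),
        ("DELETE", INDICATORS_URL + "/1"): (204, None),
        ("DELETE", INDICATORS_URL + "/2"): (404, {"error": {"message": "not found"}}),
    })
    created = submit_indicator("tok", SAMPLE_INDICATOR, opener)
    blocking = list_indicators("tok", action="AlertAndBlock", opener=opener)
    return (created["action"], len(blocking),
            delete_indicator("tok", "1", opener), delete_indicator("tok", "2", opener))
```

To run against a tenant, drop the opener argument (urlopen is the default) and pass the real token; keep the 5000-indicators-per-tenant limit in mind when bulk-loading, and treat a 409 as a signal to look up the existing indicator rather than retry.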
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves a collection of alerts related to a given ___domain address.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
GET /api/domains/{___domain}/alerts
Request headers
HEADER VALUE
Authorization String
Request body
Empty
Response
If successful and ___domain exists - 200 OK with list of alert entities. If ___domain does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "[email protected]",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "[email protected]",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Get ___domain related machines API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves a collection of machines that have communicated to or from a given ___domain address.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
Response will include only machines that the user can access, based on machine group settings (See Create and manage
machine groups for more information)
HTTP request
GET /api/domains/{___domain}/machines
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the ___domain exists - 200 OK with a list of machine entities. If the ___domain does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
Get ___domain statistics API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves the prevalence for the given ___domain.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/domains/{___domain}/stats
Request headers
HEADER VALUE
Request body
Empty
Response
If successful and ___domain exists - 200 OK, with statistics object in the response body. If ___domain does not exist - 404
Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/domains/example.com/stats
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":
"https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
"host": "example.com",
"orgPrevalence": "4070",
"orgFirstSeen": "2017-07-30T13:23:48Z",
"orgLastSeen": "2017-08-29T13:09:05Z"
}
File resource type
12/23/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Represents a file entity in Microsoft Defender ATP.
Methods
METHOD | RETURN TYPE | DESCRIPTION
List file related alerts | alert collection | Get the alert entities that are associated with the file.
List file related machines | machine collection | Get the machine entities associated with the file.
File statistics | Statistics summary | Retrieves the prevalence for the given file.
Properties
PROPERTY TYPE DESCRIPTION
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves a file by identifier Sha1, Sha256, or MD5.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/files/{id}
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and file exists - 200 OK with the file entity in the body. If file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
"sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
"sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
"md5": "7f05a371d2beffb3784fd2199f81d730",
"globalPrevalence": 7329,
"globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
"globalLastObserved": "2018-08-07T23:35:11.1361328Z",
"windowsDefenderAVThreatName": null,
"size": 391680,
"fileType": "PortableExecutable",
"isPeFile": true,
"filePublisher": null,
"fileProductName": null,
"signer": null,
"issuer": null,
"signerHash": null,
"isValidCertificate": null
}
Get file related alerts API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves a collection of alerts related to a given file hash.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
GET /api/files/{id}/alerts
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the file exists - 200 OK with a list of alert entities in the body. If the file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "[email protected]",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Get file related machines API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves a collection of machines related to a given file hash.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only machines that the user has access to, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
GET /api/files/{id}/machines
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the file exists - 200 OK with a list of machine entities in the body. If the file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/machines
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
Get file statistics API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves the prevalence for the given file.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/files/{id}/stats
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the file exists - 200 OK with statistical data in the body. If the file does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":
"https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
"orgPrevalence": "3",
"orgFirstSeen": "2018-07-15T06:13:59Z",
"orgLastSeen": "2018-08-03T16:45:21Z",
"topFileNames": [
"chrome_1.exe",
"chrome_2.exe"
]
}
Get IP related alerts API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves a collection of alerts related to a given IP address.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
GET /api/ips/{ip}/alerts
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the IP exists - 200 OK with a list of alert entities in the body. If the IP does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "[email protected]",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Get IP statistics API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves the prevalence for the given IP.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
HTTP request
GET /api/ips/{ip}/stats
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the IP exists - 200 OK with statistical data in the body. If the IP does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":
"https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
"ipAddress": "10.209.67.177",
"orgPrevalence": "63515",
"orgFirstSeen": "2017-07-30T13:36:06Z",
"orgLastSeen": "2017-08-29T13:32:59Z"
}
User resource type
12/23/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Methods
METHOD | RETURN TYPE | DESCRIPTION
List User related alerts | alert collection | List all the alerts that are associated with a user.
List User related machines | machine collection | List all the machines that were logged on by a user.
Get user related alerts API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves a collection of alerts related to a given user ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
The response will include only alerts associated with machines that the user has access to, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
GET /api/users/{id}/alerts
Note that the id is not the full UPN, but only the user name. (For example, to retrieve alerts for user1@contoso.com use /api/users/user1/alerts.)
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and the user exists - 200 OK with a list of alert entities in the body. If the user does not exist - 404 Not Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/users/user1/alerts
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "[email protected]",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "[email protected]",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
Get user related machines API
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Retrieves a collection of machines related to a given user ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions,
see Use Microsoft Defender ATP APIs
Delegated (work or school account) Machine.ReadWrite 'Read and write machine information'
NOTE
When obtaining a token using user credentials:
The user needs to have at least the following role permission: 'View Data' (See Create and manage roles for more
information)
Response will include only machines that the user can access, based on machine group settings (See Create and manage
machine groups for more information)
HTTP request
GET /api/users/{id}/machines
Note that the id is not the full UPN, but only the user name. (For example, to retrieve machines for user1@contoso.com use /api/users/user1/machines.)
Request headers
NAME TYPE DESCRIPTION
Request body
Empty
Response
If successful and user exists - 200 OK with list of machine entities in the body. If user does not exist - 404 Not
Found.
Example
Request
Here is an example of the request.
NOTE
For better performance, you can use a server closer to your geographic ___location:
api-us.securitycenter.windows.com
api-eu.securitycenter.windows.com
api-uk.securitycenter.windows.com
GET https://api.securitycenter.windows.com/api/users/user1/machines
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
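The ___domain, file, IP and user sections above all follow the same pattern: one observable, then /alerts, /machines and (except for users) /stats under it. The following is an added example, not code from the page or the product, that pivots through those calls and encodes the rules the sections state: a file id must be an MD5, SHA1 or SHA256 hex digest; a user id is the user name rather than the full UPN; there is no /users/{id}/stats; orgPrevalence is returned as a string. The transport is injected as a get_json(path) callable, so the demo runs offline on responses trimmed from the page's examples; for real use, pass a function that GETs the path under the API root with a Bearer token (the Python token sample later on this page shows how to obtain one). The summary fields and the "unreachable machines" rule (an Inactive sensor cannot take response actions) are this example's own design.

```python
import ipaddress
import re
from collections import Counter

HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def entity_path(kind, value):
    """Normalise one observable into the path prefix the related-entity APIs expect."""
    if kind == "file":
        digest = value.strip().lower()
        if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in HASH_LENGTHS:
            raise ValueError("file id must be an MD5, SHA1 or SHA256 hex digest")
        return f"/api/files/{digest}"
    if kind == "user":
        name = value.strip().split("@", 1)[0]   # the API wants the user name, not the full UPN
        if not name:
            raise ValueError("empty user name")
        return f"/api/users/{name}"
    if kind == "___domain":
        return f"/api/domains/{value.strip().lower().rstrip('.')}"
    if kind == "ip":
        return f"/api/ips/{ipaddress.ip_address(value.strip())}"   # ValueError if not an IP
    raise ValueError(f"unknown entity kind {kind!r}")


def summarize(alerts, machines, stats):
    """Reduce the raw alerts/machines/stats responses to what an analyst acts on first."""
    open_alerts = [a for a in alerts["value"] if a.get("resolvedTime") is None]
    rows = machines["value"] if machines else []
    return {
        "open_alerts": len(open_alerts),
        "open_by_severity": dict(Counter(a["severity"] for a in open_alerts)),
        "affected_machine_ids": sorted({a["machineId"] for a in open_alerts}),
        "machines_seen": len(rows),
        # An Inactive sensor cannot take response actions (isolate, scan) until it reports again.
        "unreachable_machines": sorted(m["computerDnsName"] for m in rows if m["healthStatus"] != "Active"),
        # orgPrevalence is returned as a string ("3"); convert before sorting or thresholding.
        "org_prevalence": int(stats["orgPrevalence"]) if stats else None,
        "org_first_seen": stats["orgFirstSeen"] if stats else None,
    }


def pivot(kind, value, get_json):
    """get_json(path) -> (status, parsed body or None). Returns None when the entity is unknown (404)."""
    base = entity_path(kind, value)
    status, alerts = get_json(base + "/alerts")
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"{base}/alerts returned {status}")
    _, machines = get_json(base + "/machines")
    stats = None
    if kind != "user":   # users expose alerts and machines only; there is no /users/{id}/stats
        status, stats = get_json(base + "/stats")
        if status != 200:
            stats = None
    return summarize(alerts, machines, stats)


# Constructed sample responses, trimmed from the page's examples for one SHA1 (unused keys dropped).
_FILE = "/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1"
SAMPLE_RESPONSES = {
    _FILE + "/alerts": (200, {"value": [
        {"id": "121688558380765161_2136280442", "severity": "High", "status": "New",
         "resolvedTime": None, "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"}]}),
    _FILE + "/machines": (200, {"value": [
        {"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com",
         "healthStatus": "Active"},
        {"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", "computerDnsName": "mymachine2.contoso.com",
         "healthStatus": "Inactive"}]}),
    _FILE + "/stats": (200, {"sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1", "orgPrevalence": "3",
                             "orgFirstSeen": "2018-07-15T06:13:59Z", "orgLastSeen": "2018-08-03T16:45:21Z",
                             "topFileNames": ["chrome_1.exe", "chrome_2.exe"]}),
}


def sample_get_json(path):
    """Offline transport: answers from SAMPLE_RESPONSES and 404s for anything else."""
    return SAMPLE_RESPONSES.get(path, (404, None))


def demo():
    """Pivot on the sample hash (upper-case input on purpose: the path is normalised)."""
    return pivot("file", "6532EC91D513ACC05F43EE0AA3002599729FD3E1", sample_get_json)
```

Because the related-alerts and related-machines calls are scoped by the caller's machine groups, a pivot run with a user token can return fewer machines than the same pivot run with an application token; compare the two when a summary looks incomplete.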
Microsoft Power Automate (formerly Microsoft Flow),
and Azure Functions
1/8/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Automating security procedures is a standard requirement for every modern Security Operations Center. The shortage of skilled cyber defenders forces SOCs to work as efficiently as possible, and automation is a must. Microsoft Flow provides connectors built for exactly that purpose, so you can build an end-to-end procedure automation within a few minutes.
The Microsoft Defender ATP API has an official Flow connector with a wide range of capabilities:
Usage example
The following example demonstrates how you can create a Flow that will be triggered any time a new Alert occurs
on your tenant.
Login to Microsoft Flow
Go to: My flows > New > Automated
Choose a name for your Flow, Search for Microsoft Defender ATP Triggers as the trigger and choose the
new Alerts trigger.
Now you have a Flow that is triggered every time a new Alert occurs.
All you need to do now is choose your next steps. For example, let's isolate the machine if the severity of the alert is High and send a mail about it. The alert trigger gives us only the Alert ID and the Machine ID; we use the connector to expand these entities.
Get the Alert entity using the connector
Choose Microsoft Defender ATP for new step.
Choose Alerts - Get single alert API.
Set the Alert Id from the last step as Input.
Isolate the machine if the Alert's severity is High
Add Condition as a new step .
Check if Alert severity equals to High.
If yes, add Microsoft Defender ATP - Isolate machine action with the Machine Id and a comment.
Now you can add a new step for mailing about the alert and the isolation. There are multiple email connectors that are very easy to use, e.g. Outlook, Gmail, etc. Save your flow and that's all.
You can also create a scheduled flow that runs Advanced Hunting queries, and much more.
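The same flow expressed in Python, so the branching is explicit and testable. This is an added example, not connector code from Microsoft. The Get single alert, Isolate machine and mail steps are injected as callables (get_alert, post_action, send_mail); the isolate request path and body shape ({"Comment", "IsolationType"}) are taken from the Isolate machine API, which this page does not reproduce; and the isolated set, which stops a re-firing alert from isolating the same machine twice, is this example's addition. The sample alerts are constructed in the shape of the page's alert entity.

```python
ISOLATE_ON = {"High"}   # severities that justify automatic containment


def isolate_request(machine_id, comment):
    """Path and body of the Isolate machine action (shape taken from the Isolate machine API)."""
    return f"/api/machines/{machine_id}/isolate", {"Comment": comment, "IsolationType": "Full"}


def plan_response(alert, already_isolated=frozenset()):
    """Decide the steps for one alert. Returns a list of ('isolate' | 'mail', payload)."""
    if alert.get("resolvedTime") is not None or alert.get("status") == "Resolved":
        return []                                    # closed alerts never trigger containment
    steps = []
    machine = alert.get("machineId")
    if alert["severity"] in ISOLATE_ON and machine and machine not in already_isolated:
        comment = f"Auto-isolated by flow for alert {alert['id']}: {alert['title']}"
        steps.append(("isolate", isolate_request(machine, comment)))
    subject = f"[MDATP {alert['severity']}] {alert['title']}"
    body = (f"Alert {alert['id']} (incident {alert.get('incidentId')}) on machine {machine}\n"
            f"category={alert.get('category')} detection={alert.get('detectionSource')}\n"
            + ("Machine isolation requested." if steps else "No containment action taken."))
    steps.append(("mail", {"subject": subject, "body": body}))
    return steps


def handle_new_alert(alert_id, get_alert, post_action, send_mail, isolated):
    """Trigger handler. get_alert(id) -> alert dict (Get single alert), post_action(path, body)
    performs the machine action, send_mail(subject, body) is the mail connector. isolated is a
    set shared across runs so a re-firing alert cannot isolate the same machine twice."""
    alert = get_alert(alert_id)
    taken = []
    for kind, payload in plan_response(alert, isolated):
        if kind == "isolate":
            path, body = payload
            post_action(path, body)
            isolated.add(alert["machineId"])
        else:
            send_mail(payload["subject"], payload["body"])
        taken.append(kind)
    return taken


# Constructed sample alerts in the shape of the page's alert entity (values are illustrative).
SAMPLE_ALERTS = {
    "high-1": {"id": "high-1", "incidentId": 7696, "severity": "High", "status": "New",
               "resolvedTime": None, "category": "MalwareDownload", "detectionSource": "WindowsDefenderAv",
               "title": "Windows Defender AV detected high-severity malware",
               "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"},
    "low-2": {"id": "low-2", "incidentId": 8633, "severity": "Low", "status": "InProgress",
              "resolvedTime": None, "category": "MalwareDownload", "detectionSource": "WindowsDefenderAv",
              "title": "Suspicious download", "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"},
}


def demo():
    """Replay three trigger firings with recording stand-ins for the connectors."""
    calls, isolated = [], set()
    get_alert = SAMPLE_ALERTS.__getitem__

    def post_action(path, body):
        calls.append(("POST", path, body["IsolationType"]))

    def send_mail(subject, body):
        calls.append(("MAIL", subject))

    first = handle_new_alert("high-1", get_alert, post_action, send_mail, isolated)
    second = handle_new_alert("high-1", get_alert, post_action, send_mail, isolated)  # duplicate firing
    third = handle_new_alert("low-2", get_alert, post_action, send_mail, isolated)
    return first, second, third, calls
```

Keep the severity threshold and the isolated set outside the handler (a flow variable, a small table, or a queue) so that the decision can be audited and tuned without redeploying the automation.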
Related topic
Microsoft Defender ATP APIs
Create custom reports using Power BI
1/7/2020 • 2 minutes to read
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Want to experience Microsoft Defender ATP? Sign up for a free trial.
In this section you will learn how to create a Power BI report on top of the Microsoft Defender ATP APIs.
The first example demonstrates how to connect Power BI to the Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc.).
let
    // The page's listing starts mid-query; the next three bindings are a reconstruction
    // (assumed: the query text is sent as the 'key' parameter of the advancedqueries endpoint).
    AdvancedHuntingQuery = "RegistryEvents | limit 10",   // paste your own query here
    HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
    Response = Json.Document(Web.Contents(HuntingUrl, [Query = [key = AdvancedHuntingQuery]])),
    // Map the Kusto column types reported in the response schema to Power BI types.
    TypeMap = #table(
        { "Type", "PowerBiType" },
        {
            { "Double", Double.Type },
            { "Int64", Int64.Type },
            { "Int32", Int32.Type },
            { "Int16", Int16.Type },
            { "UInt64", Number.Type },
            { "UInt32", Number.Type },
            { "UInt16", Number.Type },
            { "Byte", Byte.Type },
            { "Single", Single.Type },
            { "Decimal", Decimal.Type },
            { "TimeSpan", Duration.Type },
            { "DateTime", DateTimeZone.Type },
            { "String", Text.Type },
            { "Boolean", Logical.Type },
            { "SByte", Int8.Type },   // a signed byte is numeric, not Logical
            { "Guid", Text.Type }
        }),
    Schema = Table.FromRecords(Response[Schema]),
    TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap, {"Type"}),
    Results = Response[Results],
    Rows = Table.FromRecords(Results, Schema[Name]),
    Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
in
    Table
Click Done
Click Edit Credentials
Now the results of your query will appear as a table and you can start building visualizations on top of it!
You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you
would like.
let
Query = "MachineActions",
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Run advanced queries using Python, see Advanced Hunting API.
In this section we share Python samples to retrieve a token and use it to run a query.
Get token
Run the following:
import json
import urllib.request
import urllib.parse
tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
url = "https://login.windows.net/%s/oauth2/token" % (tenantId) # AAD token endpoint for the tenant
resourceAppIdUri = 'https://api.securitycenter.windows.com'
body = {
    'resource' : resourceAppIdUri,
    'client_id' : appId,
    'client_secret' : appSecret,
    'grant_type' : 'client_credentials'
}
data = urllib.parse.urlencode(body).encode("utf-8")
req = urllib.request.Request(url, data) # POST the form-encoded body to AAD
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
aadToken = jsonResponse["access_token"]
where
tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of
this tenant)
appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP )
appSecret: Secret of your AAD app
Run query
Run the following query:
query = 'RegistryEvents | limit 10' # Paste your own query here
url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
headers = {
    'Content-Type' : 'application/json',
    'Accept' : 'application/json',
    'Authorization' : "Bearer " + aadToken
}
data = json.dumps({ 'Query' : query }).encode("utf-8")
req = urllib.request.Request(url, data, headers) # POST the query with the bearer token
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
schema = jsonResponse["Schema"]   # column names and types
results = jsonResponse["Results"] # one object per returned row
To output the results of the query in CSV format in file file1.csv do the below:
import csv
outputFile = open("D:\\Temp\\file1.csv", 'w', newline='')
writer = csv.DictWriter(outputFile, fieldnames=results[0].keys()) # header from the first row
writer.writeheader()
writer.writerows(results)
outputFile.close()
To output the results of the query in JSON format in file file1.json do the below:
outputFile = open("D:\\Temp\\file1.json", 'w')
json.dump(results, outputFile)
outputFile.close()
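Added example (not part of Microsoft's sample code): once schema and results are in hand, the rows can be typed from the Schema the API returns, as the Power BI TypeMap above does in M, and written as CSV whose header is taken from the Schema, so an empty result set still produces a well-formed file. The response below is constructed and its column names are illustrative.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed response in the shape the API returns: a Schema of {Name, Type}
# entries and a Results list of row objects. Column names are illustrative.
SAMPLE_RESPONSE = json.loads("""{
  "Schema": [
    {"Name": "EventTime", "Type": "DateTime"},
    {"Name": "ComputerName", "Type": "String"},
    {"Name": "ReportId", "Type": "Int64"},
    {"Name": "IsElevated", "Type": "Boolean"}
  ],
  "Results": [
    {"EventTime": "2019-12-26T10:15:30.1234567Z", "ComputerName": "desktop-bvccckk",
     "ReportId": 42, "IsElevated": true},
    {"EventTime": "2019-12-26T10:16:01.0000000Z", "ComputerName": "desktop-bvccckk",
     "ReportId": 43, "IsElevated": null}
  ]
}""")


def _parse_datetime(value):
    """Kusto DateTime values carry 7 fractional digits; strptime's %f accepts at most 6."""
    main, _, fraction = value.rstrip("Z").partition(".")
    fraction = (fraction + "000000")[:6]
    return datetime.strptime(f"{main}.{fraction}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


# Kusto type name -> Python converter, mirroring the Power BI TypeMap above.
CONVERTERS = {
    "DateTime": _parse_datetime,
    "Int64": int, "Int32": int, "Int16": int, "Byte": int, "SByte": int,
    "UInt64": int, "UInt32": int, "UInt16": int,
    "Double": float, "Single": float, "Decimal": float,
    "Boolean": lambda v: v if isinstance(v, bool) else str(v).lower() == "true",
    "String": str, "Guid": str,
}


def typed_rows(response):
    """Return Results with every column converted per its Schema type; null stays None."""
    schema = [(column["Name"], column["Type"]) for column in response["Schema"]]
    rows = []
    for raw in response["Results"]:
        row = {}
        for name, kusto_type in schema:
            value = raw.get(name)
            convert = CONVERTERS.get(kusto_type, lambda v: v)
            row[name] = None if value is None else convert(value)
        rows.append(row)
    return rows


def to_csv(response):
    """Serialise typed rows as CSV; the header comes from Schema, not from
    results[0].keys(), so an empty result set still yields a valid file."""
    names = [column["Name"] for column in response["Schema"]]
    buffer = io.StringIO()
    writer = csv.DictWriter(buffer, fieldnames=names)
    writer.writeheader()
    for row in typed_rows(response):
        writer.writerow({k: (v.isoformat() if isinstance(v, datetime) else v) for k, v in row.items()})
    return buffer.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE_RESPONSE))
```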
Related topic
Microsoft Defender ATP APIs
Advanced Hunting API
Advanced Hunting using PowerShell
Advanced Hunting using PowerShell
12/26/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Run advanced queries using PowerShell, see Advanced Hunting API.
In this section we share PowerShell samples to retrieve a token and use it to run a query.
Preparation instructions
Open a PowerShell window.
If your policy does not allow you to run the PowerShell commands, you can run the below command:
Get token
Run the following:
$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$body = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
$aadToken = $response.access_token
where
$tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data
of this tenant)
$appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
$appSecret: Secret of your AAD app
Run query
Run the following query:
$query = 'RegistryEvents | limit 10' # Paste your own query here
$url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
$headers = @{
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $aadToken"
}
$body = ConvertTo-Json -InputObject @{ 'Query' = $query }
$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
$response = $webResponse | ConvertFrom-Json
$results = $response.Results
$schema = $response.Schema
To output the results of the query in JSON format in file file1.json do the below:
Related topic
Microsoft Defender ATP APIs
Advanced Hunting API
Advanced Hunting using Python
OData queries with Microsoft Defender ATP
8/9/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
If you are not familiar with OData queries, see: OData V4 queries
Not all properties are filterable.
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}
Example 2
Get all the alerts that were created after 2018-10-20 00:00:00
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "[email protected]",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
.
.
.
]
}
Example 3
Get all the machines with 'High' 'RiskScore'
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}
Example 4
Get top 100 machines with 'HealthStatus' not equal to 'Active'
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}
Example 5
Get all the machines that were last seen after 2018-10-20
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
.
]
}
Example 6
Get all the Anti-Virus scans that the user [email protected] created using Microsoft Defender ATP
Response:
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "5c3e3322-d993-1234-1111-dfb136ebc8c5",
"type": "RunAntiVirusScan",
"requestor": "[email protected]",
"requestorComment": "1533",
"status": "Succeeded",
"machineId": "123321c10e44a82877af76b1d0161a17843f688a",
"creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z",
"lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z",
"relatedFileInfo": null
},
.
.
.
]
}
Example 7
Get the count of open alerts for a specific machine:
HTTP GET
https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
Response:
HTTP/1.1 200 OK
Content-type: application/json
Related topic
Microsoft Defender ATP APIs
Get KB collection API
5/15/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves a collection of KBs and KB details.
Permissions
User needs read permissions.
HTTP request
GET /testwdatppreview/kbinfo
Request headers
HEADER VALUE
Request body
Empty
Response
If successful - 200 OK.
Example
Request
Here is an example of the request.
GET https://graph.microsoft.com/testwdatppreview/KbInfo
Content-type: application/json
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo",
"@odata.count": 271,
"value":[
{
"id": "KB3097617 (10240.16549) Amd64",
"release": "KB3097617 (10240.16549)",
"publishingDate": "2015-10-16T21:00:00Z",
"version": "10.0.10240.16549",
"architecture": "Amd64"
},
…
}
Get CVE-KB map API
5/15/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Retrieves a map of CVEs to KBs and CVE details.
Permissions
User needs read permissions.
HTTP request
GET /testwdatppreview/cvekbmap
Request headers
HEADER VALUE
Request body
Empty
Response
If successful and map exists - 200 OK.
Example
Request
Here is an example of the request.
GET https://graph.microsoft.com/testwdatppreview/CveKbMap
Content-type: application/json
Response
Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap",
"@odata.count": 4168,
"value": [
{
"cveKbId": "CVE-2015-2482-3097617",
"cveId": "CVE-2015-2482",
"kbId":"3097617",
"title": "Cumulative Security Update for Internet Explorer",
"severity": "Critical"
},
…
}
Pull detections to your SIEM tools
9/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Microsoft Defender ATP supports security information and event management (SIEM ) tools to pull detections.
Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be
configured to pull detections from your enterprise tenant in Azure Active Directory (AAD ) using the OAuth 2.0
authentication protocol for an AAD application that represents the specific SIEM connector installed in your
environment.
Microsoft Defender ATP currently supports the following SIEM tools:
Splunk
HP ArcSight
To use either of these supported SIEM tools you'll need to:
Enable SIEM integration in Microsoft Defender ATP
Configure the supported SIEM tool:
Configure Splunk to pull Microsoft Defender ATP detections
Configure HP ArcSight to pull Microsoft Defender ATP detections
For more information on the list of fields exposed in the Detection API see, Microsoft Defender ATP Detection
fields.
In this section
TOPIC DESCRIPTION
Enable SIEM integration in Microsoft Defender ATP: Learn about enabling the SIEM integration feature in the Settings page in the portal so that you can use and generate the required information to configure supported SIEM tools.
Configure Splunk to pull Microsoft Defender ATP detections: Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
Configure HP ArcSight to pull Microsoft Defender ATP detections: Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
Microsoft Defender ATP Detection fields: Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
Pull Microsoft Defender ATP detections using REST API: Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
Troubleshoot SIEM tool integration issues: Address issues you might encounter when using the SIEM integration feature.
Enable SIEM integration in Microsoft Defender ATP
12/11/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Enable security information and event management (SIEM ) integration so you can pull detections from Microsoft
Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
NOTE
A Microsoft Defender ATP Alert is composed of one or more detections.
A Microsoft Defender ATP Detection is composed of the suspicious event that occurred on the Machine and its related Alert
details.
Prerequisites
The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD ). This
is typically someone with a Global administrator role.
During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow
pop-ups for this site.
TIP
If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of
your browser. It might be blocking the new window being opened when you enable the capability.
2. Select Enable SIEM integration. This activates the SIEM connector access details section with pre-
populated values, and an application is created under your Azure Active Directory (AAD) tenant.
WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
NOTE
If you select HP ArcSight, you'll need to save these two configuration files:
WDATP-connector.jsonparser.properties
WDATP-connector.properties
If you want to connect directly to the detections REST API through programmatic access, choose Generic
API.
4. Copy the individual values or select Save details to file to download a file that contains all the values.
5. Select Generate tokens to get an access and refresh token.
NOTE
You'll need to generate a new Refresh token every 90 days.
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through
programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive
detections from Microsoft Defender Security Center.
Related topics
Configure Splunk to pull Microsoft Defender ATP detections
Configure HP ArcSight to pull Microsoft Defender ATP detections
Microsoft Defender ATP Detection fields
Pull Microsoft Defender ATP detections using REST API
Troubleshoot SIEM tool integration issues
Configure Splunk to pull Microsoft Defender ATP
detections
9/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
NOTE
A Microsoft Defender ATP Alert is composed of one or more detections.
A Microsoft Defender ATP Detection is composed of the suspicious event that occurred on the Machine and its related Alert details.
Configure Splunk
1. Log in to Splunk.
2. Go to Settings > Data inputs.
3. Select Windows Defender ATP alerts under Local inputs.
NOTE: This input will only appear after you install the Windows Defender ATP Modular Inputs TA.
4. Click New.
5. Type the following values in the required fields, then click Save:
NOTE: All other values in the form are optional and can be left blank.
FIELD VALUE
For UK:
https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
TIP
To minimize Detection duplications, you can use the following query:
source="rest://wdatp:alerts" | spath | dedup _raw | table *
Related topics
Enable SIEM integration in Microsoft Defender ATP
Configure ArcSight to pull Microsoft Defender ATP detections
Microsoft Defender ATP Detection fields
Pull Microsoft Defender ATP detections using REST API
Troubleshoot SIEM tool integration issues
Configure HP ArcSight to pull Microsoft Defender
ATP detections
9/20/2019 • 6 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender
ATP detections.
NOTE
A Microsoft Defender ATP Alert is composed of one or more detections.
A Microsoft Defender ATP Detection is composed of the suspicious event that occurred on the Machine and its related Alert
details.
FIELD VALUE
Configuration File: Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded. For example, if the configuration file in the "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
Events URL: Depending on the ___location of your datacenter, select either the EU or the US URL:
For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
7. A browser window is opened by the connector. Log in with your application credentials. After you log in,
you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth2 Client so
that the connector configuration can authenticate.
If the redirect_uri is an https URL, you'll be redirected to a URL on the local host. You'll see a page that
asks you to trust the certificate supplied by the connector running on the local host. You'll need to trust
this certificate if the redirect_uri is an https URL.
If, however, you specify an http URL for the redirect_uri, you do not need to provide consent in trusting the
certificate.
7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
8. Select the ArcSight Manager (encrypted) as the destination and click Next.
9. Type in the destination IP/hostname in Manager Hostname and your credentials in the parameters form.
All other values in the form should be retained with the default values. Click Next.
10. Type in a name for the connector in the connector details form. All other values in the form are optional
and can be left blank. Click Next.
11. The ESM Manager import certificate window is shown. Select Import the certificate to connector from
destination and click Next. The Add connector Summary window is displayed and the certificate is
imported.
12. Verify that the details in the Add connector Summary window are correct, then click Next.
13. Select Install as a service and click Next.
14. Type a name in the Service Internal Name field. All other values in the form can be retained with the
default values or left blank. Click Next.
15. Type in the service parameters and click Next. A window with the Install Service Summary is shown.
Click Next.
16. Finish the installation by selecting Exit and Next.
Solution:
1. Stop the process by pressing Ctrl + C in the Connector window. Press Y when asked "Terminate batch job
Y/N?".
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the
following value: reauthenticate=true.
3. Restart the connector by running the following command: arcsight.bat connectors.
A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
NOTE
Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window
should appear.
Related topics
Enable SIEM integration in Microsoft Defender ATP
Configure Splunk to pull Microsoft Defender ATP detections
Pull Microsoft Defender ATP detections using REST API
Troubleshoot SIEM tool integration issues
Microsoft Defender ATP detections API fields
9/20/2019 • 3 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
NOTE
A Microsoft Defender ATP Alert is composed of one or more detections.
A Microsoft Defender ATP Detection is composed of the suspicious event that occurred on the Machine and its related Alert details.
PORTAL LABEL SIEM FIELD NAME ARCSIGHT FIELD EXAMPLE VALUE DESCRIPTION
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
NOTE
A Microsoft Defender ATP Alert is composed of one or more detections.
A Microsoft Defender ATP Detection is composed of the suspicious event that occurred on the Machine and its related Alert details.
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
In general, the OAuth 2.0 protocol supports four types of flows:
Authorization grant flow
Implicit flow
Client credentials flow
Resource owner flow
For more information about the OAuth specifications, see the OAuth Website.
Microsoft Defender ATP supports the Authorization grant flow and Client credential flow to obtain access to pull detections,
with Azure Active Directory (AAD ) as the authorization server.
The Authorization grant flow uses user credentials to get an authorization code, which is then used to obtain an access token.
The Client credential flow uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow
is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
Use the following method in the Microsoft Defender ATP API to pull detections in JSON format.
NOTE
Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in their raw form based
on the query parameters you set, enabling you to apply your own grouping and filtering.
resource=https%3A%2F%2Fgraph.windows.net&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1488720683",
"not_before": "1488720683",
"resource": "https://graph.windows.net",
"access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
}
You can now use the value in the access_token field in a request to the Microsoft Defender ATP API.
Request
With an access token, your app can make authenticated requests to the Microsoft Defender ATP API. Your app must append
the access token to the Authorization header of each request.
Request syntax
METHOD REQUEST URI
For EU:
https://wdatp-alertexporter-eu.windows.com/api/alerts
For US:
https://wdatp-alertexporter-us.windows.com/api/alerts
For UK:
https://wdatp-alertexporter-uk.windows.com/api/alerts
Request header
HEADER TYPE DESCRIPTION
Request parameters
Use optional query parameters to specify and control the amount of data returned in a response. If you call this method
without parameters, the response contains all the alerts in your organization in the last 2 hours.
Example:
https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines
Request example
The following example demonstrates how to retrieve all the detections in your organization.
GET https://wdatp-alertexporter-eu.windows.com/api/alerts
Authorization: Bearer <your access token>
The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00.
GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
Authorization: Bearer <your access token>
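Added example (not Microsoft's code) of a small consumer for this API: it composes the regional request URL from the documented parameters (limit, sinceTimeUtc, machinegroups), groups the raw records into alerts by AlertId (the portal merges detections into one alert; the API returns them unmerged, and overlapping pulls can re-deliver a record, which is why the Splunk tip dedups), and keeps the latest LastProcessedTimeUtc as the checkpoint for the next sinceTimeUtc. The sample records are constructed from the field names of the example return value below.

```python
import urllib.parse
from datetime import datetime, timezone

# Regional endpoints as listed under "Request syntax" above.
ALERT_EXPORTER = {
    "eu": "https://wdatp-alertexporter-eu.windows.com/api/alerts",
    "us": "https://wdatp-alertexporter-us.windows.com/api/alerts",
    "uk": "https://wdatp-alertexporter-uk.windows.com/api/alerts",
}


def build_alerts_url(region, since_utc=None, limit=None, machine_groups=()):
    """Compose the GET URL from the documented query parameters. With no
    parameters the service returns the alerts of the last 2 hours."""
    base = ALERT_EXPORTER[region.lower()]
    params = []
    if limit is not None:
        params.append(("limit", str(limit)))
    if since_utc is not None:
        params.append(("sinceTimeUtc", since_utc))
    params.extend(("machinegroups", group) for group in machine_groups)
    if not params:
        return base
    # keep ':' unescaped so the timestamp reads as in the request example above
    return base + "?" + urllib.parse.urlencode(params, safe=":")


def parse_utc(timestamp):
    """Parse the API's 7-digit-fraction timestamps (e.g. 2017-01-23T11:33:45.0760449Z);
    strptime's %f takes at most 6 digits, so the fraction is truncated to microseconds."""
    main, _, fraction = timestamp.rstrip("Z").partition(".")
    fraction = (fraction + "000000")[:6]
    return datetime.strptime(f"{main}.{fraction}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def group_detections(detections):
    """Group raw detection records by AlertId. Each record is keyed by its
    IocUniqueId, so a record re-delivered on an overlapping pull is stored once."""
    alerts = {}
    for record in detections:
        alert = alerts.setdefault(record["AlertId"], {
            "AlertId": record["AlertId"],
            "AlertTitle": record["AlertTitle"],
            "Severity": record["Severity"],
            "ComputerDnsName": record["ComputerDnsName"],
            "LinkToWDATP": record["LinkToWDATP"],
            "Detections": {},
        })
        alert["Detections"][record["IocUniqueId"]] = record
    return alerts


def next_since_time(detections, previous=None):
    """Checkpoint for the next pull: the latest LastProcessedTimeUtc seen so far,
    to be passed as sinceTimeUtc instead of re-reading the default 2-hour window."""
    latest = previous
    for record in detections:
        candidate = record["LastProcessedTimeUtc"]
        if latest is None or parse_utc(candidate) > parse_utc(latest):
            latest = candidate
    return latest


def _record(alert_id, part, ioc_id, processed, severity="Medium", file_name="powershell.exe"):
    """Constructed sample record using the field names of the example return value."""
    return {
        "AlertTime": "2017-01-23T07:32:54.1861171Z",
        "ComputerDnsName": "desktop-bvccckk",
        "AlertTitle": "Suspicious PowerShell commandline",
        "Category": "SuspiciousActivity",
        "Severity": severity,
        "AlertId": alert_id,
        "LinkToWDATP": "https://securitycenter.windows.com/alert/" + alert_id,
        "Sha1": "69484ca722b4285a234896a2e31707cbedc59ef9",
        "FileName": file_name,
        "AlertPart": part,
        "FullId": alert_id + ":" + ioc_id,
        "LastProcessedTimeUtc": processed,
        "Source": "Microsoft Defender ATP",
        "IocUniqueId": ioc_id,
    }


# Constructed: two parts of one alert, one of them delivered twice, plus a second alert.
SAMPLE_DETECTIONS = [
    _record("636207535742330111_-1114309685", 0, "IOC-A", "2017-01-23T11:33:45.0760449Z"),
    _record("636207535742330111_-1114309685", 1, "IOC-B", "2017-01-23T11:34:02.1000000Z"),
    _record("636207535742330111_-1114309685", 0, "IOC-A", "2017-01-23T11:33:45.0760449Z"),
    _record("636207535742330111_-2000000001", 0, "IOC-C", "2017-01-23T11:31:00.0000000Z",
            severity="High", file_name="cmd.exe"),
]


if __name__ == "__main__":
    print(build_alerts_url("eu", since_utc="2016-09-12T00:00:00.000", limit=20))
    for alert in group_detections(SAMPLE_DETECTIONS).values():
        print(alert["AlertId"], alert["Severity"], len(alert["Detections"]), "detection(s)")
    print("next sinceTimeUtc:", next_since_time(SAMPLE_DETECTIONS))
```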
Response
The return value is an array of alert objects in JSON format.
Here is an example return value:
{"AlertTime":"2017-01-23T07:32:54.1861171Z",
"ComputerDnsName":"desktop-bvccckk",
"AlertTitle":"Suspicious PowerShell commandline",
"Category":"SuspiciousActivity",
"Severity":"Medium",
"AlertId":"636207535742330111_-1114309685",
"Actor":null,
"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
"IocName":null,
"IocValue":null,
"CreatorIocName":null,
"CreatorIocValue":null,
"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
"FileName":"powershell.exe",
"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
"IpAddress":null,
"Url":null,
"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
"UserName":null,
"AlertPart":0,
"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
"ThreatCategory":null,
"ThreatFamily":null,
"ThreatName":null,
"RemediationAction":null,
"RemediationIsSuccess":null,
"Source":"Microsoft Defender ATP",
"Md5":null,
"Sha256":null,
"WasExecutingWhileDetected":null,
"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
Code examples
Get access token
The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API.
Error codes
The Microsoft Defender ATP REST API returns the following error codes caused by an invalid request.
HTTP ERROR CODE DESCRIPTION
Related topics
Enable SIEM integration in Microsoft Defender ATP
Configure ArcSight to pull Microsoft Defender ATP detections
Configure Splunk to pull Microsoft Defender ATP detections
Microsoft Defender ATP Detection fields
Troubleshoot SIEM tool integration issues
Troubleshoot SIEM tool integration issues
9/20/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
You might need to troubleshoot issues while pulling detections in your SIEM tools.
This page provides detailed steps to troubleshoot issues you might encounter.
Related topics
Enable SIEM integration in Microsoft Defender ATP
Configure ArcSight to pull Microsoft Defender ATP detections
Configure Splunk to pull Microsoft Defender ATP detections
Microsoft Defender ATP Detection fields
Pull Microsoft Defender ATP detections using REST API
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP )
WARNING
This connector is being deprecated; learn how to Create Power-BI reports using Microsoft Defender ATP APIs.
Understand the security status of your organization, including the status of machines, alerts, and investigations
using the Microsoft Defender ATP reporting feature that integrates with Power BI.
Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access
Microsoft Defender ATP data using Microsoft Graph.
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine
data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
Creating a dashboard on the Power BI service
Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting
requirements of your organization
You can access these options from Microsoft Defender Security Center. Both the Power BI service and Power BI
Desktop are supported.
NOTE
Loading your data in the Power BI service can take a few minutes.
4. Click Sign in. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign
in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing
Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report
refresh.
5. Click Accept. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, you'll see the following notification:
4. In the AppSource window, select Apps and search for Microsoft Defender Advanced Threat Protection.
8. Click Accept. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, you'll see the following notification:
3. Click Download connector to download the WDATPPowerBI.zip file and extract it.
4. Create a new directory [Documents]\Power BI Desktop\Custom Connectors.
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
6. Open Power BI Desktop.
7. Click File > Options and settings > Custom data connectors.
8. Select New table and matrix visuals and Custom data connectors and click OK.
NOTE
If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select (Not
Recommended) Allow any extension to load without warning under Power BI Desktop > File > Options and
settings > Options > Security > Data Extensions.
NOTE
If you are using Power BI Desktop July 2017 version (or later), you won't need to select New table and matrix
visuals. You'll only need to select Custom data connectors.
9. Restart Power BI Desktop.
5. Click Accept. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft
Graph. When all data has been downloaded, you can proceed to customize your reports.
6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your
reports and click Load. Data will start to be downloaded from the Microsoft Graph.
7. Load other data sources by clicking the Get data item in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.
Related topic
Create custom Power BI reports
Threat protection report in Microsoft Defender ATP
11/26/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The threat protection report provides high-level information about alerts generated in your organization. The
report includes trending information showing the detection sources, categories, severities, statuses, classifications,
and determinations of alerts across time.
The dashboard is structured into two sections:
SECTION DESCRIPTION
1 Alert trends
2 Alert summary
Alert trends
By default, the alert trends display alert information from the 30-day period ending in the latest full day. To gain
better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the
time period shown. To adjust the time period, select a time range from the drop-down options:
30 days
3 months
6 months
Custom
NOTE
These filters are only applied on the alert trends section. They don't affect the alert summary section.
Alert summary
While the alert trends show trending alert information, the alert summary shows alert information scoped to the
current day.
The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it.
For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results
showing only alerts generated from EDR detections.
NOTE
The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is
November 5, 2019, the data on the summary section will reflect numbers starting from May 5, 2019 to November 5, 2019.
The filter applied on the trends section is not applied on the summary section.
Alert attributes
The report is made up of cards that display the following alert attributes:
Detection sources: shows information about the sensors and detection technologies that provide the data
used by Microsoft Defender ATP to trigger alerts.
Threat categories: shows the types of threat or attack activity that triggered alerts, indicating possible
focus areas for your security operations.
Severity: shows the severity level of alerts, indicating the collective potential impact of threats to your
organization and the level of response needed to address them.
Status: shows the resolution status of alerts, indicating the efficiency of your manual alert responses and of
automated remediation (if enabled).
Classification & determination: shows how you have classified alerts upon resolution, whether you have
classified them as actual threats (true alerts) or as incorrect detections (false alerts). These cards also show
the determination of resolved alerts, providing additional insight like the types of actual threats found or the
legitimate activities that were incorrectly detected.
Filter data
Use the provided filters to include or exclude alerts with certain attributes.
NOTE
These filters apply to all the cards in the report.
Related topic
Machine health and compliance report
Machine health and compliance report in Microsoft
Defender ATP
11/26/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The machines status report provides high-level information about the devices in your organization. The report
includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10
versions.
The dashboard is structured into two sections:
SECTION DESCRIPTION
1 Machine trends
2 Machine summary
Machine trends
By default, the machine trends display machine information from the 30-day period ending in the latest full day.
To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by
adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
30 days
3 months
6 months
Custom
NOTE
These filters are only applied on the machine trends section. They don't affect the machine summary section.
Machine summary
While the machine trends show trending machine information, the machine summary shows machine
information scoped to the current day.
NOTE
The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is
March 27, 2019, the data on the summary section will reflect numbers starting from September 28, 2018 to March 27,
2019.
The filter applied on the trends section is not applied on the summary section.
The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it.
For example, clicking on the Inactive bar in the Sensor health state card will bring you the machines list with
results showing only machines whose sensor status is inactive.
Machine attributes
The report is made up of cards that display the following machine attributes:
Health state: shows information about the sensor state on devices, providing an aggregated view of
devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.
Antivirus status for active Windows 10 machines: shows the number of machines and status of
Windows Defender Antivirus.
OS platforms: shows the distribution of OS platforms that exist within your organization.
Windows 10 versions: shows the distribution of Windows 10 machines and their versions in your
organization.
Filter data
Use the provided filters to include or exclude machines with certain attributes.
You can select multiple filters to apply from the machine attributes.
NOTE
These filters apply to all the cards in the report.
For example, to show data about Windows 10 machines with Active sensor health state:
1. Under Filters, select Sensor health state > Active.
2. Then select OS platforms > Windows 10.
3. Select Apply.
Related topic
Threat protection report
Partner applications in Microsoft Defender ATP
8/9/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat
intelligence capabilities of the platform.
Support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other
vendors with Microsoft Defender ATP, enabling security teams to respond more effectively to modern threats.
Microsoft Defender ATP integrates with existing security solutions, providing out-of-the-box
integration with SIEM, ticketing and IT service management solutions, managed security service providers
(MSSP), indicator of compromise (IoC) ingestion and matching, automated device investigation and remediation based on
external alerts, and integration with security orchestration and automation response (SOAR) systems.
SIEM integration
Microsoft Defender ATP supports SIEM integration through a variety of methods - specialized SIEM system
interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API
enabling alert status management. For more information, see Enable SIEM integration.
Indicators matching
You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise
(IOCs).
Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating them with its rich
telemetry and creating alerts when there's a match, and by using its prevention and automated response capabilities to
block execution and take remediation actions when there's a match.
Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators.
Blocking is supported for file indicators.
Applies to:
Microsoft Defender Advanced Threat Protection (Windows Defender ATP)
Connected applications integrate with the Microsoft Defender ATP platform using APIs.
Applications use the standard OAuth 2.0 protocol to authenticate and obtain tokens for use with Microsoft Defender
ATP APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control
over which APIs can be accessed using the corresponding app.
You'll need to follow these steps to use the APIs with the connected application.
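The token exchange described above, as an added example that is not code from the Microsoft documentation or from the Microsoft Defender ATP product itself: a PowerShell connected application obtains a token with the OAuth 2.0 client-credentials grant, inspects the token's audience and application-permission (roles) claims before using it, and calls an API, treating HTTP 401 and 403 as a permission or RBAC problem rather than a transport error. The tenant id, client id, the MDATP_CLIENT_SECRET environment variable, the API audience URL and the /api/alerts path are assumptions; confirm them against the APIs documentation for your tenant.

```powershell
# Added example; not code from the Microsoft docs page. Acquires a token for a connected
# application with the OAuth 2.0 client-credentials grant and calls a Microsoft Defender ATP API.
# Assumptions: the app is registered in Azure AD with an application permission for the
# Microsoft Defender ATP API; the ids below are placeholders; the secret comes from the environment.
$TenantId     = '00000000-0000-0000-0000-000000000000'    # placeholder: your Azure AD tenant (directory) id
$ClientId     = '11111111-1111-1111-1111-111111111111'    # placeholder: the app's Application (client) ID
$ClientSecret = $env:MDATP_CLIENT_SECRET                   # never hard-code; read from the environment or a vault
$Resource     = 'https://api.securitycenter.windows.com'    # API audience (assumed; check the APIs documentation)
$TokenUrl     = "https://login.microsoftonline.com/$TenantId/oauth2/token"

function Get-DefenderAtpToken {
    # Client-credentials grant: the app authenticates as itself, so the permissions in the token
    # are the application permissions a tenant admin consented to, not a signed-in user's.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = $Resource
    }
    $response = Invoke-RestMethod -Method Post -Uri $TokenUrl -Body $body `
        -ContentType 'application/x-www-form-urlencoded'
    return $response.access_token
}

function Get-JwtPayload {
    # Decode the token's claims locally (no signature check; inspection only) so the aud and
    # roles claims can be checked before the token is sent anywhere.
    param([Parameter(Mandatory)] [string] $Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json)
}

function Invoke-DefenderAtpApi {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Path    # e.g. '/api/alerts'
    )
    $headers = @{ Authorization = "Bearer $Token"; Accept = 'application/json' }
    try {
        return Invoke-RestMethod -Method Get -Uri "$Resource$Path" -Headers $headers
    } catch {
        $status = [int]$_.Exception.Response.StatusCode
        # 401: token missing, expired or issued for the wrong audience. 403: the app lacks the
        # permission (or, for delegated tokens, the user lacks the RBAC role) for this endpoint.
        if ($status -eq 401 -or $status -eq 403) {
            throw "Request to $Path was denied with HTTP $status; check the app's permission grant and RBAC role assignment."
        }
        throw
    }
}

# Usage
$token  = Get-DefenderAtpToken
$claims = Get-JwtPayload -Token $token
if ($claims.aud -ne $Resource) { throw "Token audience '$($claims.aud)' does not match '$Resource'" }
Write-Output "Application permissions in token: $($claims.roles -join ', ')"
$alerts = Invoke-DefenderAtpApi -Token $token -Path '/api/alerts'
Write-Output "Fetched $(@($alerts.value).Count) alerts"
```

Checking the roles claim before the first call is the quickest way to tell a consent problem (the permission is simply not in the token) from an RBAC problem (the permission is present but the request is still refused with 403).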
Applies to:
Microsoft Defender Advanced Threat Protection (Windows Defender ATP)
The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs
interactively.
The API Explorer makes it easy to construct and perform API queries, test and send requests for any available
Microsoft Defender ATP API endpoint. You can also use the API Explorer to perform actions or find data that might
not yet be available through the user interface.
The tool is useful during app development because it allows you to perform API queries that respect your user
access settings, reducing the need to generate access tokens.
You can also use the tool to explore the gallery of sample queries, copy result code samples, and generate debug
information.
With the API Explorer, you can:
Run requests for any method and see responses in real-time
Quickly browse through the API samples and learn what parameters they support
Make API calls with ease; no need to authenticate beyond the management portal sign-in
Supported APIs
API Explorer supports all the APIs offered by Microsoft Defender ATP.
The list of supported APIs is available in the APIs documentation.
FAQ
Do I need to have an API token to use the API Explorer?
Credentials to access an API are not needed since the API Explorer uses the Microsoft Defender ATP management
portal token whenever it makes a request.
The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on
your behalf.
Specific API requests are limited based on your RBAC privileges; for example, a request to "Submit indicator" is
limited to the security admin role.
Ensure your machines are configured properly
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
With properly configured machines, you can boost overall resilience against threats and enhance your capability to
detect and respond to attacks. Security configuration management helps ensure that your machines:
Onboard to Microsoft Defender ATP
Meet or exceed the Microsoft Defender ATP security baseline configuration
Have strategic attack surface mitigations in place
NOTE
To enroll Windows devices to Intune, administrators must have already been assigned licenses. Read about assigning licenses
for device enrollment.
TIP
To optimize machine management through Intune, connect Intune to Microsoft Defender ATP.
TIP
To learn more about assigning permissions on Intune, read about creating custom roles.
In this section
TOPIC DESCRIPTION
Get machines onboarded to Microsoft Defender ATP: Track onboarding status of Intune-managed machines and onboard more machines through Intune.
Increase compliance to the Microsoft Defender ATP security baseline: Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed machines.
Optimize ASR rule deployment and detections: Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility
over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable
components as well as security configuration issues and can receive critical remediation actions during attacks.
Before you can track and manage onboarding of machines:
Enroll your machines to Intune management
Ensure you have the necessary permissions
Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machines
NOTE
If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use
Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune
configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
Onboard more machines with Intune profiles
Microsoft Defender ATP provides several convenient options for onboarding Windows 10 machines. For Intune-
managed machines, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP
sensor to select machines, effectively onboarding these devices to the service.
From the Onboarding card, select Onboard more machines to create and assign a profile on Intune. The link
takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
TIP
Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the Microsoft Azure portal
from All services > Intune > Device compliance > Microsoft Defender ATP.
From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft
Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either:
Select Create a device configuration profile to configure ATP sensor to start with a predefined device
configuration profile.
Create the device configuration profile from scratch.
For more information, read about using Intune device configuration profiles to onboard machines to Microsoft
Defender ATP.
Related topics
Ensure your machines are configured properly
Increase compliance to the Microsoft Defender ATP security baseline
Optimize ASR rule deployment and detections
Increase compliance to the Microsoft Defender ATP
security baseline
12/3/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Security baselines ensure that security features are configured according to guidance from both security experts
and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets
Microsoft Defender ATP security controls to provide optimal protection.
To understand security baselines and how they are assigned on Intune using configuration profiles, read this FAQ.
Before you can deploy and track compliance to security baselines:
Enroll your machines to Intune management
Ensure you have the necessary permissions
NOTE
The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for
use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on
virtualized environments.
NOTE
You might experience discrepancies in aggregated data displayed on the machine configuration management page and
those displayed on overview screens in Intune.
TIP
Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from
All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline.
TIP
Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. Learn more
about security baselines on Intune.
Related topics
Ensure your machines are configured properly
Get machines onboarded to Microsoft Defender ATP
Optimize ASR rule deployment and detections
Optimize ASR rule deployment and detections
1/3/2020 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Attack surface reduction (ASR) rules identify and prevent actions that are typically taken by malware during
exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent
JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or
block processes that run from USB drives.
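An added example, not code from the Microsoft documentation or the product, showing the review-before-enforce workflow this section points at, on a single Windows 10 machine: list the ASR rules currently configured through Get-MpPreference, stage the three rules named above in audit mode with Add-MpPreference, and summarize the resulting audit and block events from the Windows Defender operational log. The rule GUIDs and the event IDs 1121/1122 are the published identifiers as I know them, not values from this page; verify them against the current ASR rule reference before relying on them, and run the script in an elevated session.

```powershell
# Added example; not code from the Microsoft docs page. Reviews, stages in audit mode and
# reports on the three ASR rules named in the text. Rule GUIDs are the published ASR rule ids
# (assumed current; verify against the ASR rule reference). Requires an elevated session.
$AsrRules = @{
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
}
# Numeric actions as reported by Get-MpPreference for AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Get-AsrRuleState {
    # One row per configured rule; rules that were never configured are absent from both arrays.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        $name = if ($AsrRules.ContainsKey($ids[$i])) { $AsrRules[$ids[$i]] } else { '(rule not in this list)' }
        $mode = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Other ($code)" }
        [pscustomobject]@{ RuleId = $ids[$i]; Name = $name; Mode = $mode }
    }
}

function Set-AsrRulesAuditMode {
    # AuditMode records what each rule would have blocked (Event ID 1122) without enforcing it,
    # so detections can be reviewed for business impact before the rule is set to Enabled (block).
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-AsrDetections {
    param([int] $Hours = 24)
    # 1121 = rule enforced (blocked), 1122 = rule fired in audit mode. The rule GUID appears in the message text.
    $guidPattern = '[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}'
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ruleId = [regex]::Match($_.Message, $guidPattern).Value.ToUpper()
        $result = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        $name   = if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { '(other rule)' }
        [pscustomobject]@{ Time = $_.TimeCreated; Result = $result; RuleId = $ruleId; Name = $name }
    }
}

# Usage: stage the rules, confirm the configuration, then review a week of detections per rule
Set-AsrRulesAuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrDetections -Hours 168 | Group-Object Name | Select-Object Name, Count | Format-Table -AutoSize
```

The per-rule counts from Get-AsrDetections are the local equivalent of the impact analysis the Microsoft 365 security center provides across the fleet: a rule whose audit events are dominated by a line-of-business application needs an exclusion or a rollout exception before it is switched to block.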
NOTE
To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on
Azure Active Directory. Read more about required licenses and permissions
For more information about optimizing ASR rule deployment in Microsoft 365 security center, read Monitor and
manage ASR rule deployment and detections
Related topics
Ensure your machines are configured properly
Get machines onboarded to Microsoft Defender ATP
Increase compliance to the Microsoft Defender ATP security baseline
Manage portal access using role-based access control
9/20/2019 • 2 minutes to read
Applies to:
Azure Active Directory
Office 365
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Using role-based access control (RBAC), you can create roles and groups within your security operations team to
grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control
over what users with access to the portal can see and do.
Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize access
to security portals. Typical tiers include the following three levels:
TIER DESCRIPTION
Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you
granular control over what roles can see, machines they can access, and actions they can take. The RBAC
framework is centered around the following controls:
Control who can take specific action
Create custom roles and control what Microsoft Defender ATP capabilities they can access with
granularity.
Control who can see information on specific machine group or groups
Create machine groups by specific criteria such as names, tags, domains, and others, then grant role
access to them using a specific Azure Active Directory (Azure AD) user group.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign
Azure AD user groups to the roles.
Before you begin
Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences
of turning on RBAC.
WARNING
Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure
AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
When you first log in to Microsoft Defender Security Center, you're granted either full access or read only access.
Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read
only access is granted to users with a Security Reader role in Azure AD.
Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines,
regardless of their machine group association and the Azure AD user group assignments.
WARNING
Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles
in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important.
Turning on role-based access control will cause users with read-only permissions (for example, users assigned to
Azure AD Security reader role) to lose access until they are assigned to a role.
Users with admin permissions are automatically assigned the default built-in Microsoft Defender ATP global administrator role
with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security
Administrators to the Microsoft Defender ATP global administrator role.
After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
Related topic
Create and manage machine groups in Microsoft Defender ATP
Create and manage roles for role-based access
control
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Create roles and assign the role to an Azure Active Directory group
The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you
have already created Azure Active Directory user groups.
1. In the navigation pane, select Settings > Roles.
2. Click Add role.
3. Enter the role name, description, and permissions you'd like to assign to the role.
Role name
Description
Permissions
View data - Users can view information in the portal.
NOTE
To view Threat & Vulnerability Management data, select Threat and vulnerability management.
Alerts investigation - Users can manage alerts, initiate automated investigations, collect
investigation packages, manage machine tags, and export machine timeline.
Active remediation actions - Users can take response actions and approve or dismiss pending
remediation actions.
NOTE
To enable your Security operation personnel to choose remediation options and file exceptions, select Threat
and vulnerability management - Remediation handling, and Threat and vulnerability management -
Exception handling.
Manage portal system settings - Users can configure storage settings, SIEM and threat intel
API settings (applies globally), advanced settings, automated file uploads, roles and machine
groups.
NOTE
This setting is only available in the Microsoft Defender ATP administrator (default) role.
Manage security settings - Users can configure alert suppression settings, manage
allowed/blocked lists for automation, create and manage custom detections, manage folder
exclusions for automation, onboard and offboard machines, and manage email notifications.
Live response capabilities - Users can take basic or advanced live response commands.
Basic commands allow users to:
Start a live response session
Run read only live response commands on a remote machine
Advanced commands allow users to:
Run basic actions
Download a file from the remote machine
View a script from the files library
Run a script on the remote machine from the files library, and run read and write
commands.
For more information on the available commands, see Investigate machines using Live response.
4. Click Next to assign the role to an Azure AD group.
5. Use the filter to select the Azure AD group that you'd like to add to this role.
6. Click Save and close.
7. Apply the configuration settings.
After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it
to a role that you just created.
Edit roles
1. Select the role you'd like to edit.
2. Click Edit.
3. Modify the details or the groups that are assigned to the role.
4. Click Save and close.
Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select Delete role.
Related topic
Use basic permissions to access the portal
Create and manage machine groups
Create and manage machine groups
5/31/2019 • 3 minutes to read
Applies to:
Azure Active Directory
Office 365
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are
grouped together based on a set of attributes such as their domains, computer names, or designated tags.
In Microsoft Defender ATP, you can create machine groups and use them to:
Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles
Configure different auto-remediation settings for different sets of machines
Assign specific remediation levels to apply during automated investigations
In an investigation, filter the Machines list to just specific machine groups by using the Group filter.
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or
see information by assigning the machine group(s) to a user group. For more information, see Manage portal
access using role-based access control.
TIP
For a comprehensive look into RBAC application, read: Is your SOC running flat with RBAC.
NOTE
A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the User
access tab.
5. Assign the user groups that can access the machine group you created.
NOTE
You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
WARNING
Deleting a machine group may affect email notification rules. If a machine group is configured under an email notification rule,
it will be removed from that rule. If the machine group is the only group configured for an email notification, that email
notification rule will be deleted along with the machine group.
By default, machine groups are accessible to all users with portal access. You can change the default behavior by
assigning Azure AD user groups to the machine group.
Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot
change the rank of this group or delete it. However, you can change the remediation level of this group, and define
the Azure AD user groups that can access this group.
NOTE
Applying changes to machine group configuration may take up to several minutes.
Related topics
Manage portal access using role-based access control
Create and manage machine tags
Get list of tenant machine groups using Graph API
Create and manage machine tags
12/30/2019 • 2 minutes to read
Add tags on machines to create a logical group affiliation. Machine tags support proper mapping of the network,
enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
Tags can be used as a filter in Machines list view, or to group machines. For more information on machine
grouping, see Create and manage machine groups.
You can add tags on machines using the following ways:
Using the portal
Setting a registry key value
NOTE
There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine
page.
To add machine tags using API, see Add or remove machine tags API.
NOTE
Filtering might not work on tag names that contain parentheses.
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (REG_SZ): Group
Registry key data: Name of the tag you want to set
NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you can
restart the endpoint, which sends a new machine information report.
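The registry setting above, as an added PowerShell example that is not code from the Microsoft documentation: it creates the DeviceTagging key if it is missing, writes the Group value as REG_SZ, reads it back to confirm the write, and warns if the tag contains parentheses, which the note above says may break filtering. The tag name is a constructed sample and the function names are my own; run it in an elevated session.

```powershell
# Added example; not code from the Microsoft docs page. Sets and verifies the Microsoft Defender ATP
# machine tag registry value described in the text. Requires an elevated PowerShell session.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$ValueName = 'Group'
$Tag       = 'Finance-Workstations'   # constructed sample tag; replace with your own

function Set-DefenderAtpDeviceTag {
    param([Parameter(Mandatory)] [string] $Tag)
    # The docs note that portal filtering may not work on tag names containing parentheses
    if ($Tag -match '[()]') {
        Write-Warning "Tag '$Tag' contains parentheses; filtering on it in the machines list may not work."
    }
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # REG_SZ corresponds to the 'String' property type
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Tag -PropertyType String -Force | Out-Null
}

function Get-DefenderAtpDeviceTag {
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Remove-DefenderAtpDeviceTag {
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
}

# Usage: write the tag, then verify it from the registry rather than from the portal
Set-DefenderAtpDeviceTag -Tag $Tag
$current = Get-DefenderAtpDeviceTag
if ($current -ne $Tag) { throw "Tag was not written: expected '$Tag', found '$current'" }
Write-Output "DeviceTagging\$ValueName = '$current' (visible in the portal after the next daily machine report or a restart)"
```

Because the tag only reaches the portal with the next daily machine information report (or after a restart, per the note above), a deployment script should confirm success by reading the registry value back, as done here, rather than by querying the machines list immediately after the write.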
Configure managed security service provider
integration
12/10/2019 • 8 minutes to read
Applies to:
Windows Defender Advanced Threat Protection (Windows Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
You'll need to take the following configuration steps to enable the managed security service provider (MSSP)
integration.
NOTE
The following terms are used in this article to distinguish between the service provider and service consumer:
MSSPs: Security organizations that offer to monitor and manage security devices for an organization.
MSSP customers: Organizations that engage the services of MSSPs.
As an MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows
Defender Security Center.
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B
functionality.
You'll need to take the following 2 steps:
Add MSSP user to your tenant as a guest user
Grant MSSP user access to Windows Defender Security Center
Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more
information, see Add Azure Active Directory B2B collaboration users in the Azure portal.
Grant MSSP user access to Windows Defender Security Center
Grant the guest user access and permissions to your Windows Defender Security Center tenant.
Granting access to a guest user is done the same way as granting access to a user who is a member of your tenant.
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator
role in your tenant. For more information, see Use basic permissions to access the portal.
If you're using role-based access control (RBAC), the guest user must be added to the appropriate group or
groups in your tenant. For more information on RBAC in Windows Defender ATP, see Manage portal access
using RBAC.
NOTE
There is no difference between the Member user and Guest user roles from RBAC perspective.
It is recommended that groups are created for MSSPs to make authorization access more manageable.
As an MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the
Azure AD user groups.
MSSPs, however, will need to use a tenant-specific URL in the following format to access the MSSP customer portal:
https://securitycenter.windows.com?tid=customer_tenant_id
In general, MSSPs will need to be added to the Azure AD of each MSSP customer that they intend to manage.
Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific
URL:
1. As an MSSP, log in to Azure AD with your credentials.
2. Switch directory to the MSSP customer's tenant.
3. Select Azure Active Directory > Properties. You'll find the tenant ID in the Directory ID field.
4. Access the MSSP customer portal by replacing the customer_tenant_id value in the following URL:
https://securitycenter.windows.com?tid=customer_tenant_id .
After access to the portal is granted, alert notification rules can be created so that emails are sent to MSSPs when
alerts associated with the tenant are created and the set conditions are met.
For more information, see Create rules for alert notifications.
These check boxes must be checked:
Include organization name - The customer name will be added to email notifications
Include tenant-specific portal link - Alert link URL will have tenant specific parameter (tid=target_tenant_id)
that allows direct access to target tenant portal
Fetch alerts from MSSP customer's tenant into the SIEM system
NOTE
This action is taken by the MSSP.
To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
Step 3: Whitelist your application on Windows Defender Security Center
Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows
Defender ATP tenant.
1. Sign in to the Azure AD portal.
2. Select Azure Active Directory > App registrations.
3. Click New registration.
4. Specify the following values:
Name: <Tenant_name> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
Supported account types: Account in this organizational directory only
Redirect URI: Select Web and type https://<domain_name>/SiemMsspConnector (replace
<domain_name> with the tenant name)
5. Click Register. The application is displayed in the list of applications you own.
6. Select the application, then click Overview.
7. Copy the value from the Application (client) ID field to a safe place, you will need this in the next step.
8. Select Certificate & secrets in the new application panel.
9. Click New client secret.
Description: Enter a description for the key.
Expires: Select In 1 year
10. Click Add, copy the value of the client secret to a safe place, you will need this in the next step.
Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This
script uses the application from the previous step to get the access and refresh tokens using the OAuth
Authorization Code Flow.
After providing your credentials, you'll need to grant consent to the application so that the application is
provisioned in the customer's tenant.
1. Create a new folder and name it: MsspTokensAcquisition .
2. Download the LoginBrowser.psm1 module and save it in the MsspTokensAcquisition folder.
NOTE
In line 30, replace authorzationUrl with authorizationUrl .
3. Create a file with the following content and save it with the name MsspTokensAcquisition.ps1 in the folder:
param (
    [Parameter(Mandatory=$true)][string]$clientId,
    [Parameter(Mandatory=$true)][string]$secret,
    [Parameter(Mandatory=$true)][string]$tenantId
)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Load the LoginBrowser function from the module downloaded in step 2
Import-Module .\LoginBrowser.psm1

# Configuration parameters
$login = "https://login.microsoftonline.com"
$redirectUri = "https://SiemMsspConnector"
$resourceId = "https://graph.windows.net"

Write-Host 'Prompt the user for his credentials, to get an authorization code'
$authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
    $login, $tenantId, $clientId, $redirectUri, $resourceId)
Write-Host "authorizationUrl: $authorizationUrl"

# Open the sign-in page in a browser window and capture the authorization code
# that Azure AD sends back to the redirect URI (function provided by LoginBrowser.psm1)
$code = LoginBrowser $authorizationUrl $redirectUri

# Exchange the authorization code for an access token and a refresh token
$Body = @{
    grant_type = 'authorization_code'
    client_id = $clientId
    code = $code
    redirect_uri = $redirectUri
    resource = $resourceId
    client_secret = $secret
}

$tokenEndpoint = "$login/$tenantId/oauth2/token?"
$Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
$token = $Response.access_token
$refreshToken = $Response.refresh_token

# Print both tokens; the refresh token is the value the SIEM connector needs
Write-Host "Token: $token"
Write-Host "RefreshToken: $refreshToken"
Replace <client_id> with the Application (client) ID you got from the previous step.
Replace <app_key> with the Client Secret you created from the previous step.
Replace <customer_tenant_id> with your customer's Tenant ID.
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to
configure your SIEM connector.
Step 3: Whitelist your application on Windows Defender Security Center
You'll need to whitelist the application you created in Windows Defender Security Center.
You'll need to have Manage portal system settings permission to whitelist the application. Otherwise, you'll
need to request your customer to whitelist the application for you.
1. Go to https://securitycenter.windows.com?tid=<customer_tenant_id> (replace <customer_tenant_id> with
the customer's tenant ID).
2. Click Settings > SIEM.
3. Select the MSSP tab.
4. Enter the Application ID from the first step and your Tenant ID.
5. Click Authorize application.
You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP
API. For more information, see Pull alerts to your SIEM tools.
In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application
key manually by setting the secret value.
Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh
token (or acquire it by other means).
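As an added example that is not part of the original article, the following PowerShell function shows what the SIEM connector does with the saved refresh token: it redeems the token at the same Azure AD v1 token endpoint and resource used by the acquisition script above, returns the new access and refresh tokens, and surfaces the error_description Azure AD returns when the secret or refresh token is no longer valid. The function name and the placeholder values are assumptions.

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Hypothetical helper (not from the article): redeem a refresh token for a new access token
# using the same Azure AD v1 endpoint and resource as the MsspTokensAcquisition.ps1 script.
function Get-MsspTokensFromRefreshToken {
    param (
        [Parameter(Mandatory=$true)][string]$clientId,
        [Parameter(Mandatory=$true)][string]$secret,
        [Parameter(Mandatory=$true)][string]$tenantId,
        [Parameter(Mandatory=$true)][string]$refreshToken
    )

    $login         = "https://login.microsoftonline.com"
    $resourceId    = "https://graph.windows.net"
    $tokenEndpoint = "$login/$tenantId/oauth2/token"

    # OAuth 2.0 refresh_token grant; the client secret proves the request comes from the
    # MSSP connector application registered in step 1.
    $Body = @{
        grant_type    = 'refresh_token'
        client_id     = $clientId
        client_secret = $secret
        refresh_token = $refreshToken
        resource      = $resourceId
    }

    try {
        $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body -ErrorAction Stop
    }
    catch {
        # Azure AD returns a JSON body with "error" and "error_description" on failure
        # (for example an expired or revoked refresh token, or a rotated client secret).
        $detail = $_.ErrorDetails.Message
        if ($detail) {
            try { $detail = (ConvertFrom-Json $detail).error_description } catch { }
        }
        throw "Token refresh failed for tenant ${tenantId}: $detail"
    }

    # A successful refresh returns a new refresh token as well; persist this one and discard
    # the old value so the connector keeps working after the previous token expires.
    [pscustomobject]@{
        AccessToken  = $Response.access_token
        RefreshToken = $Response.refresh_token
        ExpiresIn    = [int]$Response.expires_in   # seconds until the access token expires
    }
}

# Example call with placeholder values (replace with the real client ID, secret, tenant ID
# and the refresh token saved from step 2). Do not write the secret or the tokens to a log file.
$tokens = Get-MsspTokensFromRefreshToken -clientId '<client_id>' -secret '<app_key>' `
    -tenantId '<customer_tenant_id>' -refreshToken '<refresh_token>'
Write-Host "Access token expires in $($tokens.ExpiresIn) seconds"
```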
Related topics
Use basic permissions to access the portal
Manage portal access using RBAC
Pull alerts to your SIEM tools
Pull alerts using REST API
Configure Conditional Access in Microsoft Defender ATP
9/20/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This section guides you through all the steps you need to take to properly implement Conditional Access.
Before you begin
WARNING
It's important to note that Azure AD registered devices are not supported in this scenario.
Only Intune enrolled devices are supported.
You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to
enroll devices in Intune:
IT Admin: For more information on how to enable auto-enrollment, see Windows Enrollment
End-user: For more information on how to enroll your Windows 10 device in Intune, see Enroll your Windows
10 device in Intune
End-user alternative: For more information on joining an Azure AD ___domain, see How to: Plan your Azure AD
join implementation.
There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal.
It's important to note the required roles to access these portals and implement Conditional access:
Microsoft Defender Security Center - You'll need to sign into the portal with a global administrator role to
turn on the integration.
Intune - You'll need to sign in to the portal with security administrator rights with management permissions.
Azure AD portal - You'll need to sign in as a global administrator, security administrator, or Conditional
Access administrator.
NOTE
You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on
Microsoft Cloud App Security integration.
NOTE
This feature will be available with an E5 license for Enterprise Mobility + Security on machines running Windows 10, version
1709 (OS Build 16299.1085 with KB4493441), Windows 10, version 1803 (OS Build 17134.704 with KB4493464), Windows
10, version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions.
See Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security for
detailed integration of Microsoft Defender ATP with Microsoft Cloud App Security.
Related topic
Microsoft Cloud App Security integration
Configure information protection in Windows
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP)
to protect files based on their label, regardless of their origin.
TIP
Read our blog post about how Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect,
and monitor sensitive data on Windows devices.
If a file meets the criteria set in the policy settings and the endpoint data loss prevention setting is also configured,
WIP will be enabled for that file.
Prerequisites
Endpoints need to be on Windows 10, version 1809 or later
You need the appropriate license to use the Microsoft Defender ATP and Azure Information Protection
integration
Your tenant needs to be onboarded to Azure Information Protection analytics. For more information, see
Configure a Log Analytics workspace for the reports
NOTE
The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take
effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
Data forwarded to Azure Information Protection is stored in the same ___location as your other Azure Information
Protection data.
1. Define a WIP policy and assign it to the relevant devices. For more information, see Protect your enterprise
data using Windows Information Protection (WIP). If WIP is already configured on the relevant devices,
skip this step.
2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
a. Go to: Classifications > Labels.
b. Create a label or edit an existing one.
c. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
d. Repeat for every label that you want to get WIP applied to in Windows.
NOTE
Auto-labeling requires Windows 10, version 1903.
Related topic
Information protection in Windows overview
Configure Microsoft Defender Security Center settings
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Use the Settings menu to modify general settings, advanced features, enable the preview experience, email
notifications, and the custom threat intelligence feature.
In this section
TOPIC DESCRIPTION
General settings - Modify your general settings that were previously defined as part of the onboarding process.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
During the onboarding process, a wizard takes you through the general settings of Microsoft Defender ATP. After
onboarding, you might want to update the data retention settings.
1. In the navigation pane, select Settings > Data retention.
2. Select the data retention duration from the drop-down list.
NOTE
Other settings are not editable.
Related topics
Update data retention settings
Configure alert notifications in Microsoft Defender ATP
Enable and create Power BI reports using Microsoft Defender ATP data
Enable Secure Score security controls
Configure advanced features
Configure alert notifications in Microsoft Defender ATP
12/23/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can configure Microsoft Defender ATP to send email notifications to specified recipients for new alerts. This
feature enables you to identify a group of individuals who will immediately be informed and can act on alerts
based on their severity.
NOTE
Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic
permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email
notification. New recipients get notified about alerts encountered after they are added. For more information
about alerts, see View and organize the Alerts queue.
If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine
groups that were configured in the notification rule. Users with the proper permission can only create, edit, or
delete notifications that are limited to their machine group management scope. Only users assigned to the Global
administrator role can manage notification rules that are configured for all machine groups.
The email notification includes basic information about the alert and a link to the portal where you can do further
investigation.
Machines - Choose whether to notify recipients for alerts on all machines (Global administrator
role only) or on selected machine groups. For more information, see Create and manage machine
groups.
Alert severity - Choose the alert severity level.
4. Click Next.
5. Enter the recipient's email address then click Add recipient. You can add multiple email addresses.
6. Check that email recipients are able to receive the email notifications by selecting Send test email.
7. Click Save notification rule.
Here's an example email notification:
Related topics
Update data retention settings
Enable and create Power BI reports using Microsoft Defender ATP data
Enable Secure Score security controls
Configure advanced features
Create and build Power BI reports using Microsoft Defender ATP data connectors (Deprecated)
12/23/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
WARNING
This connector is being deprecated; learn how to Create Power-BI reports using Microsoft Defender ATP APIs.
Understand the security status of your organization, including the status of machines, alerts, and investigations
using the Microsoft Defender ATP reporting feature that integrates with Power BI.
Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access
Microsoft Defender ATP data using Microsoft Graph.
Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine
data to build reports and dashboards that meet the needs of your organization.
You can easily get started by:
Creating a dashboard on the Power BI service
Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting
requirements of your organization
You can access these options from Microsoft Defender Security Center. Both the Power BI service and Power BI
Desktop are supported.
NOTE
Loading your data in the Power BI service can take a few minutes.
4. Click Sign in. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to
sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing
Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report
refresh.
5. Click Accept. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, you'll see the following notification:
4. In the AppSource window, select Apps and search for Microsoft Defender Advanced Threat Protection.
8. Click Accept. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft
Graph. After a successful login, you'll see a notification that data is being imported:
NOTE
Depending on the number of onboarded machines, loading your data in the Power BI service can take several
minutes. A larger number of machines might take longer to load.
When importing data is completed and the dataset is ready, you'll see the following notification:
3. Click Download connector to download the WDATPPowerBI.zip file and extract it.
4. Create a new directory [Documents]\Power BI Desktop\Custom Connectors .
5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
6. Open Power BI Desktop.
7. Click File > Options and settings > Custom data connectors.
8. Select New table and matrix visuals and Custom data connectors and click OK.
NOTE
If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select
(Not Recommended) Allow any extension to load without warning under Power BI Desktop > File > Options
and settings > Options > Security > Data Extensions.
NOTE
If you are using Power BI Desktop July 2017 version (or later), you won't need to select New table and matrix
visuals. You'll only need to select Custom data connectors.
9. Restart Power BI Desktop.
5. Click Accept. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft
Graph. When all data has been downloaded, you can proceed to customize your reports.
6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in
your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
7. Load other data sources by clicking Get data item in the Home ribbon, and select another data source.
8. Add visuals and select fields from the available data sources.
Related topic
Create custom Power BI reports
Enable Secure Score security controls
10/22/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Set the baselines for calculating the score of security controls on the Secure Score dashboard. If you use third-
party solutions, consider excluding the corresponding controls from the calculations.
NOTE
Changes might take up to a few hours to reflect on the dashboard.
Related topics
View the Secure Score dashboard
Update data retention settings for Microsoft Defender ATP
Configure alert notifications in Microsoft Defender ATP
Enable and create Power BI reports using Microsoft Defender ATP data
Configure advanced features in Microsoft Defender ATP
Configure advanced features in Microsoft Defender ATP
12/6/2019 • 6 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Depending on the Microsoft security products that you use, some advanced features might be available for
you to integrate Microsoft Defender ATP with.
Use the following advanced features to get better protected from potentially malicious files and gain better
insight during security investigations:
Automated investigation
When you enable this feature, you'll be able to take advantage of the automated investigation and
remediation features of the service. For more information, see Automated investigation.
Live response
When you enable this feature, users with the appropriate permissions can initiate a live response session on
machines.
For more information on role assignments, see Create and manage roles.
TIP
For tenants created prior to that version, you'll need to manually turn this feature on from the Advanced features page.
NOTE
The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active
alerts found on a machine.
If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve
capability will not overwrite it.
Allow or block file
Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware
solution, and if the cloud-based protection feature is enabled.
This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it
from being read, written, or executed on machines in your organization.
To turn Allow or block files on:
1. In the navigation pane, select Settings > Advanced features > Allow or block file.
2. Toggle the setting between On and Off.
NOTE
Network protection leverages reputation services that process requests in locations that might be outside of the
___location you have selected for your Microsoft Defender ATP data.
NOTE
When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and
Skype communications which allows communications to the user while they are disconnected from the network. This
setting applies to Skype and Outlook communication when machines are in isolation mode.
NOTE
You'll need to have the appropriate license to enable this feature.
Enable the Microsoft Defender ATP integration from the Azure ATP portal
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure
ATP portal.
1. Log in to the Azure portal with a Global Administrator or Security Administrator role.
2. Click Create a workspace or use your primary workspace.
3. Toggle the Integration setting to On and click Save.
When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine
details or user details page.
NOTE
You'll need to have the appropriate license to enable this feature.
To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the
Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see Office
365 Threat Intelligence overview.
NOTE
The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for Enterprise Mobility
+ Security.
NOTE
This feature will be available with an E5 license for Enterprise Mobility + Security on machines running Windows 10,
version 1709 (OS Build 16299.1085 with KB4493441), Windows 10, version 1803 (OS Build 17134.704 with
KB4493464), Windows 10, version 1809 (OS Build 17763.379 with KB4489899) or later Windows 10 versions.
IMPORTANT
You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more
information on specific steps, see Configure Conditional Access in Microsoft Defender ATP.
NOTE
The classic CA policy created by Intune is distinct from modern Conditional Access policies, which are used for
configuring endpoints.
Preview features
Learn about new features in the Microsoft Defender ATP preview release and be among the first to try
upcoming features by turning on the preview experience.
You'll have access to upcoming features which you can provide feedback on to help improve the overall
experience before features are generally available.
Related topics
Update data retention settings
Configure alert notifications
Enable and create Power BI reports using Microsoft Defender ATP data
Enable Secure Score security controls
Use basic permissions to access the portal
12/26/2019 • 2 minutes to read
Applies to:
Azure Active Directory
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
NOTE
You need to run the PowerShell cmdlets in an elevated command-line.
Connect to your Azure Active Directory. For more information, see Connect-MsolService.
Full access
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and
download the onboarding package. Assigning full access rights requires adding the users to the "Security
Administrator" or "Global Administrator" AAD built-in roles.
Read only access
Users with read only access can log in, view all alerts, and related information. They will not be able to change
alert states, submit files for deep analysis or perform any state changing operations. Assigning read only access
rights requires adding the users to the "Security Reader" AAD built-in role.
Use the following steps to assign security roles:
For read and write access, assign users to the security administrator role by using the following command:
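The following PowerShell is an added example, not the article's own command, showing how the two built-in roles above map to Add-MsolRoleMember from the MSOnline module: it checks whether the user already holds the role before adding them, so re-running it is safe, and reads the membership back so you can confirm the assignment. The function name and the sample addresses are assumptions; run it after Connect-MsolService in an elevated window as the note above says.

```powershell
# Hypothetical helper (not from the article). Requires the MSOnline module and an existing
# Connect-MsolService session. Role names are the Azure AD built-in roles named above:
#   "Security Administrator" -> full access to the portal
#   "Security Reader"        -> read only access
function Grant-DefenderAtpPortalAccess {
    param (
        [Parameter(Mandatory=$true)][string]$UserPrincipalName,
        [Parameter(Mandatory=$true)][ValidateSet('Full','ReadOnly')][string]$AccessLevel
    )

    $roleName = if ($AccessLevel -eq 'Full') { 'Security Administrator' } else { 'Security Reader' }
    $role = Get-MsolRole -RoleName $roleName

    # Check the current membership first so re-running the script does not try to add
    # the same user a second time.
    $alreadyMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.EmailAddress -eq $UserPrincipalName }

    if ($alreadyMember) {
        Write-Host "$UserPrincipalName already holds $roleName"
    } else {
        Add-MsolRoleMember -RoleName $roleName -RoleMemberEmailAddress $UserPrincipalName
        Write-Host "Added $UserPrincipalName to $roleName"
    }

    # Read the membership back and return it, so the caller can verify the change took effect
    # rather than trusting that the cmdlet succeeded.
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.EmailAddress -eq $UserPrincipalName }
}

# Sample addresses (constructed placeholders): an analyst who needs read and write access,
# and a reviewer who should only be able to view alerts.
Connect-MsolService
Grant-DefenderAtpPortalAccess -UserPrincipalName 'secadmin@contoso.onmicrosoft.com' -AccessLevel Full
Grant-DefenderAtpPortalAccess -UserPrincipalName 'reader@contoso.onmicrosoft.com' -AccessLevel ReadOnly
```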
Related topic
Manage portal access using RBAC
Manage portal access using role-based access control
9/20/2019 • 2 minutes to read
Applies to:
Azure Active Directory
Office 365
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Using role-based access control (RBAC), you can create roles and groups within your security operations team
to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained
control over what users with access to the portal can see and do.
Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize
access to security portals. Typical tiers include the following three levels:
TIER DESCRIPTION
Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you
granular control over what roles can see, machines they can access, and actions they can take. The RBAC
framework is centered around the following controls:
Control who can take specific action
Create custom roles and control what Microsoft Defender ATP capabilities they can access with
granularity.
Control who can see information on specific machine group or groups
Create machine groups by specific criteria such as names, tags, domains, and others, then grant role
access to them using a specific Azure Active Directory (Azure AD) user group.
To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and
assign Azure AD user groups to the roles.
Before you begin
Before using RBAC, it's important that you understand the roles that can grant permissions and the
consequences of turning on RBAC.
WARNING
Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in
Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
When you first log in to Microsoft Defender Security Center, you're granted either full access or read only
access. Full access rights are granted to users with Security Administrator or Global Administrator roles in
Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines,
regardless of their machine group association and the Azure AD user group assignments.
WARNING
Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign
roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important.
Turning on role-based access control will cause users with read-only permissions (for example, users assigned
to Azure AD Security reader role) to lose access until they are assigned to a role.
Users with admin permissions are automatically assigned the default built-in Microsoft Defender ATP global administrator
role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or
Security Administrators to the Microsoft Defender ATP global administrator role.
After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
Related topic
Create and manage machine groups in Microsoft Defender ATP
Create and manage roles for role-based access control
12/10/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prereleased product which may be substantially modified before it's commercially
released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
NOTE
To view Threat & Vulnerability Management data, select Threat and vulnerability
management.
NOTE
To enable your Security operation personnel to choose remediation options and file
exceptions, select Threat and vulnerability management - Remediation handling, and
Threat and vulnerability management - Exception handling.
Manage portal system settings - Users can configure storage settings, SIEM and
threat intel API settings (applies globally), advanced settings, automated file
uploads, roles and machine groups.
NOTE
This setting is only available in the Microsoft Defender ATP administrator (default) role.
Edit roles
1. Select the role you'd like to edit.
2. Click Edit.
3. Modify the details or the groups that are assigned to the role.
4. Click Save and close.
Delete roles
1. Select the role you'd like to delete.
2. Click the drop-down button and select Delete role.
Related topic
Use basic permissions to access the portal
Create and manage machine groups
Create and manage machine groups
5/31/2019 • 3 minutes to read
Applies to:
Azure Active Directory
Office 365
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
In an enterprise scenario, security operation teams are typically assigned a set of machines. These
machines are grouped together based on a set of attributes such as their domains, computer names, or
designated tags.
In Microsoft Defender ATP, you can create machine groups and use them to:
Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles
Configure different auto-remediation settings for different sets of machines
Assign specific remediation levels to apply during automated investigations
In an investigation, filter the Machines list to just specific machine groups by using the Group
filter.
You can create machine groups in the context of role-based access (RBAC) to control who can take
specific action or see information by assigning the machine group(s) to a user group. For more
information, see Manage portal access using role-based access control.
TIP
For a comprehensive look into RBAC application, read: Is your SOC running flat with RBAC.
NOTE
A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
TIP
If you want to group machines by organizational unit, you can configure the registry key for the group
affiliation. For more information on device tagging, see Create and manage machine tags.
4. Preview several machines that will be matched by this rule. If you are satisfied with the rule,
click the User access tab.
5. Assign the user groups that can access the machine group you created.
NOTE
You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
WARNING
Deleting a machine group may affect email notification rules. If a machine group is configured under an email
notification rule, it will be removed from that rule. If the machine group is the only group configured for an
email notification, that email notification rule will be deleted along with the machine group.
By default, machine groups are accessible to all users with portal access. You can change the default
behavior by assigning Azure AD user groups to the machine group.
Machines that are not matched to any groups are added to the Ungrouped machines (default) group. You
cannot change the rank of this group or delete it. However, you can change the remediation level of
this group, and define the Azure AD user groups that can access this group.
NOTE
Applying changes to machine group configuration may take up to several minutes.
Related topics
Manage portal access using role-based access control
Create and manage machine tags
Get list of tenant machine groups using Graph API
Create and manage machine tags
12/30/2019 • 2 minutes to read
Add tags on machines to create a logical group affiliation. Machine tags support proper mapping of the
network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of
an incident. Tags can be used as a filter in Machines list view, or to group machines. For more information on
machine grouping, see Create and manage machine groups.
You can add tags on machines using the following ways:
Using the portal
Setting a registry key value
NOTE
There may be some latency between the time a tag is added to a machine and its availability in the machines list and
machine page.
To add machine tags using API, see Add or remove machine tags API.
NOTE
Filtering might not work on tag names that contain parenthesis.
Machines with similar tags can be handy when you need to apply contextual action on a specific list of
machines.
Use the following registry key entry to add a tag on a machine:
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\
Registry key value (REG_SZ): Group
Registry key data: Name of the tag you want to set
NOTE
The device tag is part of the machine information report that's generated once a day. As an alternative, you may
restart the endpoint, which transfers a new machine information report.
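As an added example (not part of the Microsoft documentation), the following PowerShell writes the DeviceTagging value described above from an elevated shell and reads it back. The key path and value name are the ones given above; the tag text is a constructed sample and the function names are our own.

```powershell
# Added example, not from the Microsoft documentation: set and verify the
# DeviceTagging\Group REG_SZ value that controls the machine tag. Run elevated.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$valueName = 'Group'

function Set-MdatpDeviceTag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Tag
    )

    # Portal filtering may not work on tag names that contain parentheses,
    # so reject them before they are written rather than discover it later.
    if ($Tag -match '[()]') {
        throw "Tag '$Tag' contains parentheses; Machines list filtering on it may not work."
    }

    # The DeviceTagging key does not exist until something creates it.
    # New-Item -Force on the registry provider creates missing parent keys too.
    if (-not (Test-Path -LiteralPath $keyPath)) {
        if ($PSCmdlet.ShouldProcess($keyPath, 'Create registry key')) {
            New-Item -Path $keyPath -Force | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set REG_SZ to '$Tag'")) {
        # -PropertyType String writes REG_SZ, the type the documentation requires.
        New-ItemProperty -Path $keyPath -Name $valueName -Value $Tag `
            -PropertyType String -Force | Out-Null
    }
}

function Get-MdatpDeviceTag {
    # Returns the current tag, or $null when the value has not been set.
    if (-not (Test-Path -LiteralPath $keyPath)) { return $null }
    (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
}

# Constructed sample tag: an organizational-unit style name.
Set-MdatpDeviceTag -Tag 'Finance-Workstations'
$current = Get-MdatpDeviceTag
if ($current -ne 'Finance-Workstations') {
    throw "Tag readback mismatch: got '$current'"
}
# The tag reaches the portal with the next daily machine information report,
# or sooner if the endpoint is restarted.
Write-Output "DeviceTagging\Group = $current"
```

Use `Set-MdatpDeviceTag -Tag 'x' -WhatIf` to preview the registry change without writing it.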
Enable SIEM integration in Microsoft Defender ATP
12/11/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Enable security information and event management (SIEM) integration so you can pull detections from
Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST
API.
NOTE
A Microsoft Defender ATP alert is composed of one or more detections.
A Microsoft Defender ATP detection is composed of the suspicious event that occurred on the machine and its
related alert details.
Prerequisites
The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD).
This is typically someone with a Global administrator role.
During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you
allow pop-ups for this site.
TIP
If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker
settings of your browser. It might be blocking the new window being opened when you enable the capability.
2. Select Enable SIEM integration. This activates the SIEM connector access details section with pre-
populated values, and an application is created under your Azure Active Directory (AAD) tenant.
WARNING
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
NOTE
If you select HP ArcSight, you'll need to save these two configuration files:
WDATP-connector.jsonparser.properties
WDATP-connector.properties
If you want to connect directly to the detections REST API through programmatic access, choose
Generic API.
4. Copy the individual values or select Save details to file to download a file that contains all the values.
5. Select Generate tokens to get an access and refresh token.
NOTE
You'll need to generate a new Refresh token every 90 days.
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through
programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive
detections from Microsoft Defender Security Center.
Related topics
Configure Splunk to pull Microsoft Defender ATP detections
Configure HP ArcSight to pull Microsoft Defender ATP detections
Microsoft Defender ATP Detection fields
Pull Microsoft Defender ATP detections using REST API
Troubleshoot SIEM tool integration issues
Manage suppression rules
12/3/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
There might be scenarios where you need to suppress alerts from appearing in the portal. You can create
suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your
organization. For more information on how to suppress alerts, see Suppress alerts.
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert
suppression rule on or off.
1. In the navigation pane, select Settings > Alert suppression. The list of suppression rules that users in your
organization have created is displayed.
2. Select a rule by clicking on the check-box beside the rule name.
3. Click Turn rule on, Edit rule, or Delete rule. When making changes to a rule, you can choose to release
alerts that it has already suppressed, regardless of whether these alerts match the new criteria.
Related topics
Manage alerts
Manage indicators
12/4/2019 • 5 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Indicator of compromise (IoC) matching is an essential feature in every endpoint protection solution. This
capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for
detection and for blocking (prevention and response).
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to
be taken as well as the duration for when to apply the action as well as the scope of the machine group to
apply it to.
Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated
investigation and remediation engine, and the endpoint prevention engine (Windows Defender AV).
Cloud detection engine
The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the
indicators you set. When there is a match, action will be taken according to the settings you specified for the
IoC.
Endpoint prevention engine
The same list of indicators is honored by the prevention agent: if Windows Defender AV is the primary AV
configured, matched indicators are treated according to the settings. For example, if the action is "Alert and
Block", Windows Defender AV will prevent the file from executing (block and remediate) and a corresponding
alert will be raised. On the other hand, if the action is set to "Allow", Windows Defender AV will neither detect
the file nor block it from running.
Automated investigation and remediation engine
The automated investigation and remediation engine behaves the same way. If an indicator is set to "Allow",
Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated
investigation and remediation will treat it as "bad".
The current supported actions are:
Allow
Alert only
Alert and block
You can create an indicator for:
Files
IP addresses
URLs/domains
NOTE
There is a limit of 5000 indicators per tenant.
Create indicators for files
You can prevent further propagation of an attack in your organization by banning potentially malicious files
or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This
operation will prevent it from being read, written, or executed on machines in your organization.
There are two ways you can create indicators for files:
By creating an indicator through the settings page
By creating a contextual indicator using the add indicator button from the file details page
Before you begin
It's important to understand the following prerequisites prior to creating indicators for files:
This feature is available if your organization uses Windows Defender Antivirus and Cloud–based
protection is enabled. For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
Supported on machines on Windows 10, version 1703 or later.
To start blocking files, you first need to turn the Block or allow feature on in Settings.
This feature is designed to prevent suspected malware (or potentially malicious files) from being
downloaded from the web. It currently supports portable executable (PE) files, including .exe and .dll files.
The coverage will be extended over time.
IMPORTANT
The allow or block function cannot be applied to a file if the file's classification already exists in the device's cache
prior to the allow or block action.
Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying
to block trusted signed files, in some cases, may have performance implications.
The PE file needs to be in the machine timeline for you to be able to take this action.
NOTE
There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
IMPORTANT
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
NOTE
There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being
blocked.
Create an indicator for IPs, URLs or domains from the settings page
1. In the navigation pane, select Settings > Indicators.
2. Select the IP addresses or URLs/Domains tab.
3. Select Add indicator.
4. Specify the following details:
Indicator - Specify the entity details and define the expiration of the indicator.
Action - Specify the action to be taken and provide a description.
Scope - Define the scope of the machine group.
5. Review the details in the Summary tab, then click Save.
Manage indicators
1. In the navigation pane, select Settings > Indicators.
2. Select the tab of the entity type you'd like to manage.
3. Update the details of the indicator and click Save or click the Delete button if you'd like to remove the
entity from the list.
Related topics
Create contextual IoC
Use the Microsoft Defender ATP indicators API
Use partner integrated solutions
Manage automation file uploads
10/4/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to
the cloud for additional inspection in Automated investigation.
Identify the files and email attachments by specifying the file extension names and email attachment extension
names.
For example, if you add exe and bat as file or attachment extension names, then all files or attachments with those
extensions will automatically be sent to the cloud for additional inspection during Automated investigation.
Related topics
Manage automation folder exclusions
Manage automation folder exclusions
9/30/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
You can control the following attributes about the folder that you'd like to be skipped:
Folders
Extensions of the files
File names
Folders
You can specify a folder and its subfolders to be skipped.
NOTE
At this time, use of wild cards as a way to exclude files under a directory is not yet supported.
Extensions
You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker
from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.
File names
You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent
an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.
Related topics
Manage automation allowed/blocked lists
Manage automation file uploads
Onboard machines to the Microsoft Defender ATP service
12/10/2019 • 2 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IMPORTANT
Some information relates to prerelease product which may be substantially modified before it's commercially released.
Microsoft makes no warranties, express or implied, with respect to the information provided here.
You'll need to go to the onboarding section of the Microsoft Defender ATP portal to onboard any of the supported
devices. Depending on the device, you'll be guided with appropriate steps and provided management and
deployment tool options suitable for the device.
In general, to onboard devices to the service:
Verify that the device fulfills the minimum requirements
Depending on the device, follow the configuration steps provided in the onboarding section of the Microsoft
Defender ATP portal
Use the appropriate management tool and deployment method for your devices
Run a detection test to verify that the devices are properly onboarded and reporting to the service
In this section
TOPIC - DESCRIPTION
Onboard previous versions of Windows - Onboard Windows 7 and Windows 8.1 machines to Microsoft Defender ATP.
Onboard Windows 10 machines - You'll need to onboard machines for them to report to the Microsoft Defender ATP
service. Learn about the tools and methods you can use to configure machines in your enterprise.
Run a detection test on a newly onboarded machine - Run a script on a newly onboarded machine to verify that it is
properly reporting to the Microsoft Defender ATP service.
Configure proxy and Internet settings - Enable communication with the Microsoft Defender ATP cloud service by
configuring the proxy and Internet connectivity settings.
Troubleshoot onboarding issues - Learn about resolving issues that might arise during onboarding.
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Use the Time zone menu to configure the time zone and view license information.
UTC time zone
Microsoft Defender ATP uses UTC time by default.
Setting the Microsoft Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others)
in UTC for all users. This can help security analysts working in different locations across the globe to use the same
time stamps while investigating events.
Local time zone
You can choose to have Microsoft Defender ATP use local time zone settings. All alerts and events will be displayed
using your local time zone.
The local time zone is taken from your machine’s regional settings. If you change your regional settings, the
Microsoft Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in
Microsoft Defender ATP will be aligned to local time for all Microsoft Defender ATP users. Analysts located in
different global locations will now see the Microsoft Defender ATP alerts according to their regional settings.
Choosing to use local time can be useful if the analysts are located in a single ___location. In this case it might be
easier to correlate events to local time, for example – when a local user clicked on a suspicious email link.
Set the time zone
The Microsoft Defender ATP time zone is set by default to UTC. Setting the time zone also changes the times for all
Microsoft Defender ATP views. To set the time zone:
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The sensor health tile is found on the Security Operations dashboard. This tile provides information on the
individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It
reports how many machines require attention and helps you identify problematic machines and take action to
correct known issues.
There are two status indicators on the tile that provide information on the number of machines that are not
reporting properly to the service:
Misconfigured - These machines might partially be reporting sensor data to the Microsoft Defender ATP
service and might have configuration errors that need to be corrected.
Inactive - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven
days in the past month.
Clicking any of the groups directs you to Machines list, filtered according to your choice.
You can also download the entire list in CSV format using the Export to CSV feature. For more information on
filters, see View and organize the Machines list.
You can filter the health state list by the following status:
Active - Machines that are actively reporting to the Microsoft Defender ATP service.
Misconfigured - These machines might partially be reporting sensor data to the Microsoft Defender ATP
service but have configuration errors that need to be corrected. Misconfigured machines can have either one or
a combination of the following issues:
No sensor data - The machine has stopped sending sensor data. Only limited alerts can be triggered from the
machine.
Impaired communications - Ability to communicate with machine is impaired. Sending files for deep
analysis, blocking files, isolating machine from network and other actions that require communication
with the machine may not work.
Inactive - Machines that have stopped reporting to the Microsoft Defender ATP service.
You can view the machine details when you click on a misconfigured or inactive machine.
In the Machines list, you can download a full list of all the machines in your organization in a CSV format.
NOTE
Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization,
regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on
how large your organization is.
Related topic
Fix unhealthy sensors in Microsoft Defender ATP
Fix unhealthy sensors in Microsoft Defender ATP
9/20/2019 • 3 minutes to read • Edit Online
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section
provides some explanations as to what might have caused a machine to be categorized as inactive or
misconfigured.
Inactive machines
An inactive machine is not necessarily flagged due to an issue. The following actions taken on a machine can cause
a machine to be categorized as inactive:
Machine is not in use
If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the
portal.
Machine was reinstalled or renamed
A reinstalled or renamed machine will generate a new machine entity in Microsoft Defender Security Center. The
previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed
the Microsoft Defender ATP package, search for the new machine name to verify that the machine is reporting
normally.
Machine was offboarded
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should
change to inactive.
Machine is not sending signals
If the machine is not sending any signals for more than 7 days to any of the Microsoft Defender ATP channels for
any reason, including conditions that fall under the misconfigured machines classification, the machine can be
considered inactive.
Do you expect a machine to be in ‘Active’ status? Open a support ticket.
Misconfigured machines
Misconfigured machines can further be classified as:
Impaired communications
No sensor data
Impaired communications
This status indicates that there's limited communication between the machine and the service.
The following suggested actions can help fix issues related to a misconfigured machine with impaired
communications:
Ensure the machine has Internet connection
The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and
communicate with the Microsoft Defender ATP service.
Verify client connectivity to Microsoft Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate
through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft
Defender ATP service URLs.
If you took corrective actions and the machine status is still misconfigured, open a support ticket.
No sensor data
A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report
partial sensor data. Follow these actions to correct known issues related to a misconfigured machine with status
‘No sensor data’:
Ensure the machine has Internet connection
The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and
communicate with the Microsoft Defender ATP service.
Verify client connectivity to Microsoft Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate
through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft
Defender ATP service URLs.
Ensure the diagnostic data service is enabled
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data
service is set to automatically start and is running on the endpoint.
Ensure that Windows Defender Antivirus is not disabled by policy
If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the
Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, open a support ticket.
Related topic
Check sensor health state in Microsoft Defender ATP
Review events and errors using Event Viewer
9/20/2019 • 10 minutes to read • Edit Online
Applies to:
Event Viewer
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
You can review event IDs in the Event Viewer on individual machines.
For example, if machines are not appearing in the Machines list, you might need to look for event IDs on the
machines. You can then use this table to determine further troubleshooting steps.
NOTE
It can take several days for machines to begin reporting to the Microsoft Defender ATP service.
Open Event Viewer and find the Microsoft Defender ATP service event log:
1. Click Start on the Windows menu, type Event Viewer, and press Enter.
2. In the log list, under Log Summary, scroll until you see Microsoft-Windows-SENSE/Operational.
Double-click the item to open the log.
a. You can also access the log by expanding Applications and Services Logs > Microsoft > Windows >
SENSE and click on Operational.
NOTE
SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by
the service.
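As an added example (not part of the Microsoft documentation) that serves both this Event Viewer procedure and the "Fix unhealthy sensors" steps above, the following PowerShell checks the diagnostic data service and the WinHTTP proxy on the local machine and maps recent error and warning events from the SENSE operational log to the actions listed in the event table. It assumes that DiagTrack and Sense are the Windows service names behind the diagnostic data service and the Microsoft Defender ATP sensor; the page itself does not state those names.

```powershell
# Added example, not from the Microsoft documentation: local triage for a machine the
# portal shows as Misconfigured or Inactive. Service names DiagTrack (Connected User
# Experiences and Telemetry) and Sense (the ATP sensor) are assumptions, not from the page.

# Event IDs and suggested actions, condensed from the page's SENSE event table.
$senseEventActions = @{
    12 = 'Should resolve after a short period of time.'
    17 = 'Ensure the diagnostic data service is enabled; redeploy the onboarding configuration.'
    19 = 'If persistent after restart, ensure all Windows updates have fully installed.'
    20 = 'If persistent after restart, ensure all Windows updates have fully installed.'
    25 = 'Check onboarding settings and scripts; redeploy the configuration packages.'
    26 = 'Check onboarding settings and scripts; redeploy the configuration packages.'
    28 = 'Ensure the diagnostic data service is enabled; redeploy the onboarding configuration.'
    29 = 'Ensure Internet access, rerun offboarding; check the offboarding package has not expired.'
    31 = 'Check for errors with the Windows telemetry service.'
    32 = 'Reboot the machine.'
}

function Test-MdatpSensorHealth {
    [CmdletBinding()]
    param([int]$Hours = 24)   # how far back to read the SENSE log

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Diagnostic data service: must start automatically and be running.
    $diag = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue
    if (-not $diag) {
        $findings.Add('DiagTrack service not found.')
    } else {
        if ($diag.StartType -ne 'Automatic') {
            $findings.Add("DiagTrack start type is $($diag.StartType); expected Automatic.")
        }
        if ($diag.Status -ne 'Running') {
            $findings.Add("DiagTrack is $($diag.Status); expected Running.")
        }
    }

    # 2. The sensor service itself; absent usually means the machine was never onboarded.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if (-not $sense) {
        $findings.Add('Sense service not found; the machine may not be onboarded.')
    } elseif ($sense.Status -ne 'Running') {
        $findings.Add("Sense service is $($sense.Status).")
    }

    # 3. The sensor talks through WinHTTP, not the signed-in user's browser proxy,
    #    so report the WinHTTP proxy that it will actually use.
    $proxy = (netsh winhttp show proxy) -join ' '
    $findings.Add("WinHTTP proxy: $($proxy.Trim())")

    # 4. Recent errors (level 2) and warnings (level 3) from the SENSE operational log,
    #    each paired with the action the documentation's table recommends.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
        Level     = 2, 3
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $action = $senseEventActions[$e.Id]
        if (-not $action) { $action = 'See the event table for this ID.' }
        $findings.Add("SENSE event $($e.Id) at $($e.TimeCreated): $action")
    }

    return $findings
}

Test-MdatpSensorHealth | ForEach-Object { Write-Output $_ }
```

The ELAM driver check from the "No sensor data" steps is deliberately not automated here; follow the page's guidance for it.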
Event ID 12
Message: Microsoft Defender Advanced Threat Protection failed to apply the default configuration.
Description: Service was unable to apply the default configuration.
Action: This error should resolve after a short period of time.
Event ID 17
Message: Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences
and Telemetry service ___location. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed
properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.
Event ID 18
Message: OOBE (Windows Welcome) is completed.
Description: Service will only start after any Windows updates have finished installing.
Action: Normal operating notification; no action required.
Event ID 19
Message: OOBE (Windows Welcome) has not yet completed.
Description: Service will only start after any Windows updates have finished installing.
Action: Normal operating notification; no action required. If this error persists after a system restart, ensure all
Windows updates have fully installed.
Event ID 20
Message: Cannot wait for OOBE (Windows Welcome) to complete. Failure code: variable.
Description: Internal error.
Action: If this error persists after a system restart, ensure all Windows updates have fully installed.
Event ID 25
Message: Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry.
Failure code: variable.
Description: The machine did not onboard correctly. It will report to the portal, however the service may not
appear as registered in SCCM or the registry.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration
packages. See Onboard Windows 10 machines.
Event ID 26
Message: Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the
registry. Failure code: variable.
Description: The machine did not onboard correctly. It will report to the portal, however the service may not
appear as registered in SCCM or the registry.
Action: Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration
packages. See Onboard Windows 10 machines.
Event ID 28
Message: Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service
registration failed. Failure code: variable.
Description: An error occurred with the Windows telemetry service.
Action: Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed
properly. Try to redeploy the configuration packages. See Onboard Windows 10 machines.
Event ID 29
Message: Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
Description: This event occurs when the system can't read the offboarding parameters.
Action: Ensure the machine has Internet access, then run the entire offboarding process again. Ensure the
offboarding package has not expired.
Event ID 31
Message: Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service
unregistration failed. Failure code: variable.
Description: An error occurred with the Windows telemetry service during onboarding. The offboarding process
continues.
Action: Check for errors with the Windows telemetry service.
Event ID 32
Message: Microsoft Defender Advanced Threat Protection service failed to request to stop itself after offboarding
process. Failure code: %1
Description: An error occurred during offboarding.
Action: Reboot the machine.
34 Microsoft Defender An error occurred with the Ensure the diagnostic data
Advanced Threat Protection Windows telemetry service. service is enabled.
service failed to add itself as Check that the onboarding
a dependency on the settings and scripts were
Connected User Experiences deployed properly. Try to
and Telemetry service, redeploy the configuration
causing onboarding process packages.
to fail. Failure code: See Onboard Windows 10
variable . machines.
35 Microsoft Defender An error occurred with the Check for errors with the
Advanced Threat Protection Windows telemetry service Windows diagnostic data
service failed to remove during offboarding. The service.
itself as a dependency on offboarding process
the Connected User continues.
Experiences and Telemetry
service. Failure code:
variable .
40 Battery state is identified as The machine has low battery Normal operating
low. Microsoft Defender level and will contact the notification; no action
Advanced Threat Protection server less frequently. required.
will contact the server every
%1 minutes. Battery state:
%2.
42 Microsoft Defender Internal error. The service If this error persists, contact
Advanced Threat Protection failed to start. Support.
WDATP component failed to
perform action. Component:
%1, Action: %2, Exception
Type: %3, Exception
message: %4
43 Microsoft Defender Internal error. The service If this error persists, contact
Advanced Threat Protection failed to start. Support.
WDATP component failed to
perform action. Component:
%1, Action: %2, Exception
Type: %3, Exception Error:
%4, Exception message: %5
45 Failed to register and to An error occurred on service If this error persists, contact
start the event trace session startup while creating ETW Support.
[%1]. Error code: %2 session. This caused service
start-up failure.
48 Failed to add a provider [%1] Failed to add a provider to Check the error code. If the
to event trace session [%2]. ETW session. As a result, the error persists contact
Error code: %3. This means provider events aren’t Support.
that events from this reported.
provider will not be
reported.
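As an added example, not taken from the page, the following PowerShell reads the Microsoft-Windows-SENSE/Operational log that the procedure above opens in Event Viewer and annotates each event from the table with the table's recommended action. The action strings are condensed from the table; the look-back window, the DiagTrack service check and the function name are choices made here.

```powershell
# Added example, not from the page: triage the Microsoft-Windows-SENSE/Operational log
# that the procedure above opens in Event Viewer, annotating each event from the table
# with the table's recommended action. Run in an elevated PowerShell session.

# Recommended actions, condensed from the table above (keys are the table's event IDs).
$senseActions = @{
    12 = 'Transient: should resolve after a short period of time.'
    17 = 'Ensure the diagnostic data service is enabled; check onboarding settings/scripts; redeploy the configuration package.'
    18 = 'Normal operating notification; no action required.'
    19 = 'Normal notification; if it persists after a restart, ensure all Windows updates have fully installed.'
    20 = 'If it persists after a restart, ensure all Windows updates have fully installed.'
    25 = 'Check onboarding settings/scripts; redeploy the configuration package.'
    26 = 'Check onboarding settings/scripts; redeploy the configuration package.'
    28 = 'Ensure the diagnostic data service is enabled; check onboarding settings/scripts; redeploy the configuration package.'
    29 = 'Ensure Internet access, rerun the whole offboarding process, confirm the offboarding package has not expired.'
    31 = 'Check for errors with the Windows telemetry service (offboarding continues).'
    32 = 'Reboot the machine.'
    34 = 'Ensure the diagnostic data service is enabled; check onboarding settings/scripts; redeploy the configuration package.'
    35 = 'Check for errors with the Windows diagnostic data service (offboarding continues).'
    40 = 'Normal operating notification; no action required.'
    42 = 'If this error persists, contact Support.'
    43 = 'If this error persists, contact Support.'
    45 = 'If this error persists, contact Support.'
    48 = 'Check the error code; if it persists, contact Support.'
}

function Get-SenseTroubleshootingEvents {
    param([int]$Hours = 24)   # look-back window; 24 h is an arbitrary default
    $filter = @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        Id        = [int[]]$senseActions.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; an empty result is the healthy case here.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Message = ($_.Message -split "`r?`n")[0]   # first line of the rendered message
                Action  = $senseActions[$_.Id]
            }
        }
}

# The "diagnostic data service" the table keeps referring to is the Connected User
# Experiences and Telemetry service (service name DiagTrack); most listed actions start there.
Get-Service -Name DiagTrack | Select-Object Name, Status, StartType

Get-SenseTroubleshootingEvents -Hours 72 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

An empty result over the chosen window is the healthy outcome; a stream of 17/28/34 events alongside a stopped DiagTrack service points at the telemetry dependency before anything in the onboarding package itself.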
Related topics
Onboard Windows 10 machines
Configure machine proxy and Internet connectivity settings
Troubleshoot Microsoft Defender ATP
Troubleshoot service issues
9/20/2019 • 2 minutes to read
This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service.
NOTE
You must use the HTTPS protocol when adding the following endpoints.
Microsoft Defender ATP service shows event or error logs in the Event Viewer
See the topic Review events and errors using Event Viewer for a list of event IDs that are reported by the
Microsoft Defender ATP service. The topic also contains troubleshooting steps for event errors.
Microsoft Defender ATP service fails to start after a reboot and shows error 577
If onboarding machines successfully completes but Microsoft Defender ATP does not start after a reboot and
shows error 577, check that Windows Defender is not disabled by a policy.
For more information, see Ensure that Windows Defender Antivirus is not disabled by policy.
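One way to perform the check this section asks for, as an added example that is not part of the page: it reads the Group Policy registry location that the "Turn off Windows Defender Antivirus" policy writes to (the DisableAntiSpyware value) and shows the state of the WinDefend and Sense services; the function name is a choice made here.

```powershell
# Added example, not from the page: the check the section above asks for when the
# Microsoft Defender ATP service fails to start with error 577, i.e. whether Windows
# Defender Antivirus has been switched off by policy. Run in an elevated session.

function Test-DefenderDisabledByPolicy {
    # The "Turn off Windows Defender Antivirus" Group Policy writes DisableAntiSpyware = 1 here.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if (-not (Test-Path $policyKey)) { return $false }
    $props = Get-ItemProperty -Path $policyKey
    $value = $props.PSObject.Properties['DisableAntiSpyware']
    return ($null -ne $value -and [int]$value.Value -eq 1)
}

if (Test-DefenderDisabledByPolicy) {
    Write-Warning 'Windows Defender Antivirus is disabled by policy (DisableAntiSpyware = 1); clear the policy before retrying the service start.'
} else {
    Write-Host 'No policy disabling Windows Defender Antivirus was found.'
}

# Service view: WinDefend is Windows Defender Antivirus, Sense is the Microsoft Defender ATP service.
Get-Service -Name WinDefend, Sense -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# Platform view of the same state as reported by the antimalware engine.
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled
```

If the policy value is set, the Sense service will keep failing on every reboot until the policy is removed at its source (the GPO, not just the local registry), since Group Policy refresh will write it back.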
Related topics
Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
Review events and errors using Event Viewer
Check the Microsoft Defender Advanced Threat Protection service health
9/20/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
The Service health page provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify whether the service is healthy or whether there are current issues. If there are issues, you'll see details related to the issue, such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
You can view details on the service health by clicking the tile from the Security operations dashboard or
selecting the Service health menu from the navigation pane.
The Service health details page has the following tabs:
Current status
Status history
Current status
The Current status tab shows the current state of the Microsoft Defender ATP service. When the service is
running smoothly a healthy service health is shown. If there are issues seen, the following service details are
shown to help you gain better insight about the issue:
Date and time for when the issue was detected
A short description of the issue
Update time
Summary of impact
Preliminary root cause
Next steps
Expected resolution time
Updates on the progress of an issue are reflected on the page as the issue gets resolved. You'll see updates on information such as an updated estimated resolution time or next steps.
When an issue is resolved, it gets recorded in the Status history tab.
Status history
The Status history tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that was included while each issue was being resolved.
Related topic
View the Security operations dashboard
Troubleshoot Microsoft Defender Advanced Threat Protection live response issues
7/23/2019 • 2 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
This page provides detailed steps to troubleshoot live response issues.
# Copies the file named by the first script argument into the temp directory and reports the result.
$copied_file_path = $args[0]
$action = Copy-Item $copied_file_path -Destination $env:TEMP -PassThru -ErrorAction SilentlyContinue
if ($action) {
    Write-Host "You copied the file specified in $copied_file_path to $env:TEMP successfully"
}
else {
    Write-Output "Error occurred while trying to copy a file, details:"
    Write-Output $error[0].Exception.Message
}
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
IT administrators
When you use Network protection you may encounter issues, such as:
Network protection blocks a website that is safe (false positive)
Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs
Confirm prerequisites
Network protection will only work on devices with the following conditions:
Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators
Update).
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other
antivirus app will cause Windows Defender AV to disable itself.
Real-time protection is enabled.
Cloud-delivered protection is enabled.
Audit mode is not enabled. Use Group Policy to set the rule to Disabled (value: 0).
2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to
the IP address you do or don't want to block).
3. Review the network protection event logs to see if the feature would have blocked the connection if it had
been set to Enabled.
If network protection is not blocking a connection that you are expecting it should block, enable the feature.
Set-MpPreference -EnableNetworkProtection Enabled
mpcmdrun -getfiles
Related topics
Network protection
Evaluate network protection
Enable network protection
Troubleshoot attack surface reduction rules
12/23/2019 • 3 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
When you use attack surface reduction rules you may run into issues, such as:
A rule blocks a file, process, or performs some other action that it should not (false positive)
A rule does not work as described, or does not block a file or process that it should (false negative)
There are four steps to troubleshooting these problems:
1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs
Confirm prerequisites
Attack surface reduction rules will only work on devices with the following conditions:
Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other
antivirus app will cause Windows Defender AV to disable itself.
Real-time protection is enabled.
Audit mode is not enabled. Use Group Policy to set the rule to Disabled (value: 0) as described in Enable
attack surface reduction rules.
If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.
IMPORTANT
You can specify individual files and folders to be excluded, but you cannot specify individual rules. This means any files or
folders that are excluded will be excluded from all ASR rules.
mpcmdrun -getfiles
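As an added example covering both the network protection procedure above and the attack surface reduction procedure in this section (it is not code from the page or from Microsoft), the following PowerShell scripts the audit-mode test and then reads the audit and block events Windows Defender Antivirus writes to its Operational log. Event IDs 1125/1126 (network protection audited/blocked) and 1122/1121 (ASR rule audited/blocked) are Defender event IDs not mentioned on this page, the ASR rule GUID is a placeholder, and the function name is a choice made here.

```powershell
# Added example, not from the page or from Microsoft's own tooling: runs the audit-mode
# test described in the network protection and ASR procedures above and reviews the
# events Windows Defender Antivirus writes to Microsoft-Windows-Windows Defender/Operational.
# Event IDs: 1125 = network protection audited, 1126 = network protection blocked,
# 1122 = ASR rule audited, 1121 = ASR rule blocked. Run in an elevated session.

function Get-DefenderAuditEvents {
    param([int[]]$Id, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $Id
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -in 1125, 1122) { 'Audit' } else { 'Block' } } },
            Message
}

# 1. Prerequisites both sections list (real-time protection on, Windows Defender AV active)
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) { Write-Warning 'Real-time protection is off.' }
if (-not $status.AMServiceEnabled)          { Write-Warning 'Windows Defender AV service is not active (another AV product may be registered).' }

# 2. Network protection: switch to audit, reproduce the connection, review
$start = Get-Date
Set-MpPreference -EnableNetworkProtection AuditMode
# ... perform the connection under test here (visit the site or connect to the IP) ...
Get-DefenderAuditEvents -Id 1125, 1126 -Since $start | Format-List
# A 1125 event for a connection that should have been blocked shows the feature works; enforce it.
Set-MpPreference -EnableNetworkProtection Enabled

# 3. ASR: put one rule in audit mode, reproduce the file/process activity, review
$AsrRuleId = '00000000-0000-0000-0000-000000000000'   # placeholder: GUID of the rule under test
Set-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions AuditMode
# ... reproduce the activity the rule should (or should not) block ...
Get-DefenderAuditEvents -Id 1121, 1122 -Since $start | Format-List

# 4. False positive: exclude the file or folder. As the IMPORTANT note says, an exclusion
#    applies to every ASR rule, not just the one under test, so keep it as narrow as possible.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\TrustedApp\app.exe'
```

Capturing $start before the mode change keeps the event query scoped to the reproduction, so older block events from unrelated activity do not muddy the audit result; the collected events are also what the support log step (mpcmdrun -getfiles) will package if the case has to be escalated.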
Related articles
Attack surface reduction rules
Enable attack surface reduction rules
Evaluate attack surface reduction rules
Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus
11/20/2019 • 33 minutes to read
Applies to:
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a
matching issue and potential solution.
The tables list:
Windows Defender Antivirus event IDs (these apply to both Windows 10 and Windows Server 2016)
Windows Defender Antivirus client error codes
Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)
TIP
You can also visit the Microsoft Defender ATP demo website at demo.wd.microsoft.com to confirm the following features
are working:
Cloud-delivered protection
Fast learning (including Block at first sight)
Potentially unwanted application blocking
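The table that follows lists, per event, the parameters Windows Defender Antivirus writes into the event data. As an added example that is not part of this page or of Microsoft's own tooling, the following PowerShell pulls those events from the Microsoft-Windows-Windows Defender/Operational log and flattens each event's EventData into named properties, so the fields can be filtered or exported. The only event ID named on this page is 1116; other IDs are passed by the caller. The property names in the final Select-Object (Threat Name, Severity Name, Category Name, Path, Process Name, Action Name) are assumed from the Defender provider's event data, and the preceding Format-List step prints whatever names are actually present so they can be confirmed; the function names and look-back windows are choices made here.

```powershell
# Added example, not from the page or from Microsoft's own tooling: pulls Windows Defender
# Antivirus events from Microsoft-Windows-Windows Defender/Operational and flattens each
# event's EventData into named properties, so the parameters the table below describes
# (category, path, detection origin, action, error code, ...) can be filtered or exported.
# 1116 is the only event ID this page names; pass others via -Id. Run in an elevated session.

function ConvertFrom-DefenderEvent {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Record
    )
    process {
        $xml = [xml]$Record.ToXml()
        $row = [ordered]@{ TimeCreated = $Record.TimeCreated; Id = $Record.Id; Level = $Record.LevelDisplayName }
        $i = 0
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($null -eq $d) { continue }
            # Named <Data Name="..."> elements come back as XmlElement; bare <Data> comes back as a string.
            if ($d -is [System.Xml.XmlElement]) { $key = $d.GetAttribute('Name'); $val = $d.InnerText }
            else                                 { $key = '';                      $val = [string]$d }
            if (-not $key) { $key = "Data$i" }
            $row[$key] = $val
            $i++
        }
        [pscustomobject]$row
    }
}

function Get-DefenderEvents {
    param([int[]]$Id = @(1116), [int]$Days = 7)   # 7-day look-back is an arbitrary default
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $Id
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ConvertFrom-DefenderEvent
}

# Discover the field names the provider actually uses on this build: print one event in full.
Get-DefenderEvents -Id 1116 | Select-Object -First 1 | Format-List *

# Then select the fields of interest. The property names below are assumed from the Defender
# provider's event data; adjust them to what the Format-List output shows.
Get-DefenderEvents -Id 1116 |
    Select-Object TimeCreated, Id, 'Threat Name', 'Severity Name', 'Category Name', Path, 'Process Name', 'Action Name' |
    Format-Table -AutoSize

# Export the flattened records for a support case or SIEM ingestion.
Get-DefenderEvents -Id 1116 -Days 30 | Export-Csv -Path "$env:TEMP\defender-events.csv" -NoTypeInformation
```

Flattening from the event XML rather than parsing the rendered Message text keeps the fields stable across language packs and message-template changes, which matters when the output feeds a detection rule rather than a human.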
Description:
Scan
ID:
<ID
num
ber
of
the
rele
vant
scan
.>
Scan
Typ
e:
<Sc
an
type
>,
for
exa
mpl
e:
A
n
t
i
v
i
r
u
s
A
n
t
i
s
p
y
w
a
r
e
A
n
t
i
m
a
l
w
a
r
e
Scan
Para
met
ers:
<Sc
an
para
met
ers>
, for
exa
mpl
e:
F
u
l
l
s
c
a
n
Q
u
i
c
k
s
c
a
n
C
u
s
t
o
m
e
r
s
c
a
n
Scan
Res
ourc
es:
<Re
sour
ces
(suc
h as
files/
dire
ctori
es/B
HO)
that
wer
e
scan
ned.
>
User
:
<Do
mai
n>\
<Us
er>
Description:
Scan
ID:
<ID
num
ber
of
the
rele
vant
scan
.>
Scan
Typ
e:
<Sc
an
type
>,
for
exa
mpl
e:
A
n
t
i
v
i
r
u
s
A
n
t
i
s
p
y
w
a
r
e
A
n
t
i
m
a
l
w
a
r
e
Scan
Para
met
ers:
<Sc
an
para
met
ers>
, for
exa
mpl
e:
F
u
l
l
s
c
a
n
Q
u
i
c
k
s
c
a
n
C
u
s
t
o
m
e
r
s
c
a
n
User
:
<Do
mai
n>\
<Us
er>
Scan
Tim
e:
<Th
e
dura
tion
of a
scan
.>
Description:
Scan
ID:
<ID
num
ber
of
the
rele
vant
scan
.>
Scan
Typ
e:
<Sc
an
type
>,
for
exa
mpl
e:
A
n
t
i
v
i
r
u
s
A
n
t
i
s
p
y
w
a
r
e
A
n
t
i
m
a
l
w
a
r
e
Scan
Para
met
ers:
<Sc
an
para
met
ers>
, for
exa
mpl
e:
F
u
l
l
s
c
a
n
Q
u
i
c
k
s
c
a
n
C
u
s
t
o
m
e
r
s
c
a
n
User
:
<Do
mai
n>
<
User
>
Scan
Tim
e:
<Th
e
dura
tion
of a
scan
.>
Description:
Scan
ID:
<ID
num
ber
of
the
rele
vant
scan
.>
Scan
Typ
e:
<Sc
an
type
>,
for
exa
mpl
e:
A
n
t
i
v
i
r
u
s
A
n
t
i
s
p
y
w
a
r
e
A
n
t
i
m
a
l
w
a
r
e
Scan
Para
met
ers:
<Sc
an
para
met
ers>
, for
exa
mpl
e:
F
u
l
l
s
c
a
n
Q
u
i
c
k
s
c
a
n
C
u
s
t
o
m
e
r
s
c
a
n
User
:
<Do
mai
n>\
<Us
er>
Description:
Scan
ID:
<ID
num
ber
of
the
rele
vant
scan
.>
Scan
Typ
e:
<Sc
an
type
>,
for
exa
mpl
e:
A
n
t
i
v
i
r
u
s
A
n
t
i
s
p
y
w
a
r
e
A
n
t
i
m
a
l
w
a
r
e
Scan
Para
met
ers:
<Sc
an
para
met
ers>
, for
exa
mpl
e:
F
u
l
l
s
c
a
n
Q
u
i
c
k
s
c
a
n
C
u
s
t
o
m
e
r
s
c
a
n
User
:
<Do
mai
n>\
<Us
er>
Description:
Scan
ID:
<ID
num
ber
of
the
rele
vant
scan
.>
Scan
Typ
e:
<Sc
an
type
>,
for
exa
mpl
e:
A
n
t
i
v
i
r
u
s
A
n
t
i
s
p
y
w
a
r
e
A
n
t
i
m
a
l
w
a
r
e
Scan
Para
met
ers:
<Sc
an
para
met
ers>
, for
exa
mpl
e:
F
u
l
l
s
c
a
n
Q
u
i
c
k
s
c
a
n
C
u
s
t
o
m
e
r
s
c
a
n
User
:
<Do
mai
n>\
<Us
er>
Erro
r
Cod
e:
<Err
or
cod
e>
Res
ult
cod
e
asso
ciate
d
with
thre
at
stat
us.
Stan
dard
HRE
SUL
T
valu
es.
Erro
r
Des
cript
ion:
<Err
or
desc
ripti
on>
Des
cript
ion
of
the
erro
r.
User action: The antivirus client encountered an error, and the current
scan has stopped. The scan might fail due to a client-side
issue. This event record includes the scan ID, type of scan
(Windows Defender Antivirus, antispyware, antimalware), scan
parameters, the user that started the scan, the error code,
and a description of the error. To troubleshoot this event:
1. Run the scan again.
2. If it fails in the same way, go to the Microsoft Support
site, enter the error number in the Search box to look
for the error code.
3. Contact Microsoft Technical Support.
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
Det
ecti
on
Orig
in:
<De
tecti
on
origi
n>,
for
exa
mpl
e:
U
n
k
n
o
w
n
L
o
c
a
l
c
o
m
p
u
t
e
r
N
e
t
w
o
r
k
s
h
a
r
e
I
n
t
e
r
n
e
t
I
n
c
o
m
i
n
g
t
r
a
f
f
i
c
O
u
t
g
o
i
n
g
t
r
a
f
f
i
c
Det
ecti
on
Typ
e:
<De
tecti
on
type
>,
for
exa
mpl
e:
H
e
u
r
i
s
t
i
c
s
G
e
n
e
r
i
c
C
o
n
c
r
e
t
e
D
y
n
a
m
i
c
s
i
g
n
a
t
u
r
e
Det
ecti
on
Sour
ce:
<De
tecti
on
sour
ce>
for
exa
mpl
e:
U
s
e
r
:
u
s
e
r
i
n
i
t
i
a
t
e
d
S
y
s
t
e
m
:
s
y
s
t
e
m
i
n
i
t
i
a
t
e
d
R
e
a
l
-
t
i
m
e
:
r
e
a
l
-
t
i
m
e
c
o
m
p
o
n
e
n
t
i
n
i
t
i
a
t
e
d
I
O
A
V
:
I
E
D
o
w
n
l
o
a
d
s
a
n
d
O
u
t
l
o
o
k
E
x
p
r
e
s
s
A
t
t
a
c
h
m
e
n
t
s
i
n
i
t
i
a
t
e
d
N
I
S
:
N
e
t
w
o
r
k
i
n
s
p
e
c
t
i
o
n
s
y
s
t
e
m
I
E
P
R
O
T
E
C
T
:
I
E
-
I
E
x
t
e
n
s
i
o
n
V
a
l
i
d
a
t
i
o
n
;
t
h
i
s
p
r
o
t
e
c
t
s
a
g
a
i
n
s
t
m
a
l
i
c
i
o
u
s
w
e
b
p
a
g
e
c
o
n
t
r
o
l
s
E
a
r
l
y
L
a
u
n
c
h
A
n
t
i
m
a
l
w
a
r
e
(
E
L
A
M
)
.
T
h
i
s
i
n
c
l
u
d
e
s
m
a
l
w
a
r
e
d
e
t
e
c
t
e
d
b
y
t
h
e
b
o
o
t
s
e
q
u
e
n
c
e
R
e
m
o
t
e
a
t
t
e
s
t
a
t
i
o
n
Anti
mal
war
e
Scan
Inte
rfac
e
(AM
SI).
Prim
arily
use
d to
prot
ect
scrip
ts
(PS,
VBS)
,
tho
ugh
it
can
be
invo
ked
by
thir
d
parti
es
as
well.
UAC
Stat
us:
<St
atus
>
User
:
<Do
mai
n>\
<Us
er>
Proc
ess
Na
me:
<Pr
oces
s in
the
PID
>
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Acti
on:
<Ac
tion
>,
for
exa
mpl
e:
C
l
e
a
n
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
c
l
e
a
n
e
d
Q
u
a
r
a
n
t
i
n
e
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
q
u
a
r
a
n
t
i
n
e
d
R
e
m
o
v
e
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
d
e
l
e
t
e
d
A
l
l
o
w
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
a
l
l
o
w
e
d
t
o
e
x
e
c
u
t
e
/
e
x
i
s
t
U
s
e
r
d
e
f
i
n
e
d
:
U
s
e
r
-
d
e
f
i
n
e
d
a
c
t
i
o
n
t
h
a
t
i
s
n
o
r
m
a
l
l
y
o
n
e
f
r
o
m
t
h
i
s
l
i
s
t
o
f
a
c
t
i
o
n
s
t
h
a
t
t
h
e
u
s
e
r
h
a
s
s
p
e
c
i
f
i
e
d
N
o
a
c
t
i
o
n
:
N
o
a
c
t
i
o
n
B
l
o
c
k
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
b
l
o
c
k
e
d
f
r
o
m
e
x
e
c
u
t
i
n
g
Stat
us:
<St
atus
>
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
Acti
on:
<Ac
tion
>,
for
exa
mpl
e:
C
l
e
a
n
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
c
l
e
a
n
e
d
Q
u
a
r
a
n
t
i
n
e
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
q
u
a
r
a
n
t
i
n
e
d
R
e
m
o
v
e
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
d
e
l
e
t
e
d
A
l
l
o
w
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
a
l
l
o
w
e
d
t
o
e
x
e
c
u
t
e
/
e
x
i
s
t
U
s
e
r
d
e
f
i
n
e
d
:
U
s
e
r
-
d
e
f
i
n
e
d
a
c
t
i
o
n
t
h
a
t
i
s
n
o
r
m
a
l
l
y
o
n
e
f
r
o
m
t
h
i
s
l
i
s
t
o
f
a
c
t
i
o
n
s
t
h
a
t
t
h
e
u
s
e
r
h
a
s
s
p
e
c
i
f
i
e
d
N
o
a
c
t
i
o
n
:
N
o
a
c
t
i
o
n
B
l
o
c
k
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
b
l
o
c
k
e
d
f
r
o
m
e
x
e
c
u
t
i
n
g
Erro
r
Cod
e:
<Err
or
cod
e>
Res
ult
cod
e
asso
ciate
d
with
thre
at
stat
us.
Stan
dard
HRE
SUL
T
valu
es.
Erro
r
Des
cript
ion:
<Err
or
desc
ripti
on>
Des
cript
ion
of
the
erro
r.
Stat
us:
<St
atus
>
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
User
:
<Do
mai
n>\
<Us
er>
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
User
:
<Do
mai
n>\
<Us
er>
Erro
r
Cod
e:
<Err
or
cod
e>
Res
ult
cod
e
asso
ciate
d
with
thre
at
stat
us.
Stan
dard
HRE
SUL
T
valu
es.
Erro
r
Des
cript
ion:
<Err
or
desc
ripti
on>
Des
cript
ion
of
the
erro
r.
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
User
:
<Do
mai
n>\
<Us
er>
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
User
:
<Do
mai
n>\
<Us
er>
Erro
r
Cod
e:
<Err
or
cod
e>
Res
ult
cod
e
asso
ciate
d
with
thre
at
stat
us.
Stan
dard
HRE
SUL
T
valu
es.
Erro
r
Des
cript
ion:
<Err
or
desc
ripti
on>
Des
cript
ion
of
the
erro
r.
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
Det
ecti
on
Orig
in:
<De
tecti
on
origi
n>,
for
exa
mpl
e:
U
n
k
n
o
w
n
L
o
c
a
l
c
o
m
p
u
t
e
r
N
e
t
w
o
r
k
s
h
a
r
e
I
n
t
e
r
n
e
t
I
n
c
o
m
i
n
g
t
r
a
f
f
i
c
O
u
t
g
o
i
n
g
t
r
a
f
f
i
c
Det
ecti
on
Typ
e:
<De
tecti
on
type
>,
for
exa
mpl
e:
H
e
u
r
i
s
t
i
c
s
G
e
n
e
r
i
c
C
o
n
c
r
e
t
e
D
y
n
a
m
i
c
s
i
g
n
a
t
u
r
e
Det
ecti
on
Sour
ce:
<De
tecti
on
sour
ce>
for
exa
mpl
e:
U
s
e
r
:
u
s
e
r
i
n
i
t
i
a
t
e
d
S
y
s
t
e
m
:
s
y
s
t
e
m
i
n
i
t
i
a
t
e
d
R
e
a
l
-
t
i
m
e
:
r
e
a
l
-
t
i
m
e
c
o
m
p
o
n
e
n
t
i
n
i
t
i
a
t
e
d
I
O
A
V
:
I
E
D
o
w
n
l
o
a
d
s
a
n
d
O
u
t
l
o
o
k
E
x
p
r
e
s
s
A
t
t
a
c
h
m
e
n
t
s
i
n
i
t
i
a
t
e
d
N
I
S
:
N
e
t
w
o
r
k
i
n
s
p
e
c
t
i
o
n
s
y
s
t
e
m
I
E
P
R
O
T
E
C
T
:
I
E
-
I
E
x
t
e
n
s
i
o
n
V
a
l
i
d
a
t
i
o
n
;
t
h
i
s
p
r
o
t
e
c
t
s
a
g
a
i
n
s
t
m
a
l
i
c
i
o
u
s
w
e
b
p
a
g
e
c
o
n
t
r
o
l
s
E
a
r
l
y
L
a
u
n
c
h
A
n
t
i
m
a
l
w
a
r
e
(
E
L
A
M
)
.
T
h
i
s
i
n
c
l
u
d
e
s
m
a
l
w
a
r
e
d
e
t
e
c
t
e
d
b
y
t
h
e
b
o
o
t
s
e
q
u
e
n
c
e
R
e
m
o
t
e
a
t
t
e
s
t
a
t
i
o
n
Anti
mal
war
e
Scan
Inte
rfac
e
(AM
SI).
Prim
arily
use
d to
prot
ect
scrip
ts
(PS,
VBS)
,
tho
ugh
it
can
be
invo
ked
by
thir
d
parti
es
as
well.
UAC
Stat
us:
<St
atus
>
User
:
<Do
mai
n>\
<Us
er>
Proc
ess
Na
me:
<Pr
oces
s in
the
PID
>
Sign
atur
e ID:
Enu
mer
atio
n
mat
chin
g
seve
rity.
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
Fidel
ity
Lab
el:
Targ
et
File
Na
me:
<Fil
e
nam
e>
Na
me
of
the
file.
EVENT ID: 1116
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
Det
ecti
on
Orig
in:
<De
tecti
on
origi
n>,
for
exa
mpl
e:
U
n
k
n
o
w
n
L
o
c
a
l
c
o
m
p
u
t
e
r
N
e
t
w
o
r
k
s
h
a
r
e
I
n
t
e
r
n
e
t
I
n
c
o
m
i
n
g
t
r
a
f
f
i
c
O
u
t
g
o
i
n
g
t
r
a
f
f
i
c
Det
ecti
on
Typ
e:
<De
tecti
on
type
>,
for
exa
mpl
e:
H
e
u
r
i
s
t
i
c
s
G
e
n
e
r
i
c
C
o
n
c
r
e
t
e
D
y
n
a
m
i
c
s
i
g
n
a
t
u
r
e
Det
ecti
on
Sour
ce:
<De
tecti
on
sour
ce>
for
exa
mpl
e:
U
s
e
r
:
u
s
e
r
i
n
i
t
i
a
t
e
d
S
y
s
t
e
m
:
s
y
s
t
e
m
i
n
i
t
i
a
t
e
d
R
e
a
l
-
t
i
m
e
:
r
e
a
l
-
t
i
m
e
c
o
m
p
o
n
e
n
t
i
n
i
t
i
a
t
e
d
I
O
A
V
:
I
E
D
o
w
n
l
o
a
d
s
a
n
d
O
u
t
l
o
o
k
E
x
p
r
e
s
s
A
t
t
a
c
h
m
e
n
t
s
i
n
i
t
i
a
t
e
d
N
I
S
:
N
e
t
w
o
r
k
i
n
s
p
e
c
t
i
o
n
s
y
s
t
e
m
I
E
P
R
O
T
E
C
T
:
I
E
-
I
E
x
t
e
n
s
i
o
n
V
a
l
i
d
a
t
i
o
n
;
t
h
i
s
p
r
o
t
e
c
t
s
a
g
a
i
n
s
t
m
a
l
i
c
i
o
u
s
w
e
b
p
a
g
e
c
o
n
t
r
o
l
s
E
a
r
l
y
L
a
u
n
c
h
A
n
t
i
m
a
l
w
a
r
e
(
E
L
A
M
)
.
T
h
i
s
i
n
c
l
u
d
e
s
m
a
l
w
a
r
e
d
e
t
e
c
t
e
d
b
y
t
h
e
b
o
o
t
s
e
q
u
e
n
c
e
R
e
m
o
t
e
a
t
t
e
s
t
a
t
i
o
n
Anti
mal
war
e
Scan
Inte
rfac
e
(AM
SI).
Prim
arily
use
d to
prot
ect
scrip
ts
(PS,
VBS)
,
tho
ugh
it
can
be
invo
ked
by
thir
d
parti
es
as
well.
UAC
User
:
<Do
mai
n>\
<Us
er>
Proc
ess
Na
me:
<Pr
oces
s in
the
PID
>
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
Det
ecti
on
Orig
in:
<De
tecti
on
origi
n>,
for
exa
mpl
e:
U
n
k
n
o
w
n
L
o
c
a
l
c
o
m
p
u
t
e
r
N
e
t
w
o
r
k
s
h
a
r
e
I
n
t
e
r
n
e
t
I
n
c
o
m
i
n
g
t
r
a
f
f
i
c
O
u
t
g
o
i
n
g
t
r
a
f
f
i
c
Det O PERATING SYSTEM O PERATING SYSTEM VERSIO N
ecti
on Client Operating System Windows Vista (Service Pack
Typ 1, or Service Pack 2),
e: Windows 7 and later
<De
tecti Server Operating System Windows Server 2008,
on Windows Server 2008 R2,
type Windows Server 2012, and
>, Windows Server 2016
for
exa
mpl
e:
H
e
u
r
i
s
t
i
c
s
G
e
n
e
r
i
c
C
o
n
c
r
e
t
e
D
y
n
a
m
i
c
s
i
g
n
a
t
u
r
e
Det
ecti
on
Sour
ce:
<De
tecti
on
sour
ce>
for
exa
mpl
e:
U
s
e
r
:
u
s
e
r
i
n
i
t
i
a
t
e
d
S
y
s
t
e
m
:
s
y
s
t
e
m
i
n
i
t
i
a
t
e
d
R
e
a
l
-
t
i
m
e
:
r
e
a
l
-
t
i
m
e
c
o
m
p
o
n
e
n
t
i
n
i
t
i
a
t
e
d
I
O
A
V
:
I
E
D
o
w
n
l
o
a
d
s
a
n
d
O
u
t
l
o
o
k
E
x
p
r
e
s
s
A
t
t
a
c
h
m
e
n
t
s
i
n
i
t
i
a
t
e
d
N
I
S
:
N
e
t
w
o
r
k
i
n
s
p
e
c
t
i
o
n
s
y
s
t
e
m
I
E
P
R
O
T
E
C
T
:
I
E
-
I
E
x
t
e
n
s
i
o
n
V
a
l
i
d
a
t
i
o
n
;
t
h
i
s
p
r
o
t
e
c
t
s
a
g
a
i
n
s
t
m
a
l
i
c
i
o
u
s
w
e
b
p
a
g
e
c
o
n
t
r
o
l
s
E
a
r
l
y
L
a
u
n
c
h
A
n
t
i
m
a
l
w
a
r
e
(
E
L
A
M
)
.
T
h
i
s
i
n
c
l
u
d
e
s
m
a
l
w
a
r
e
d
e
t
e
c
t
e
d
b
y
t
h
e
b
o
o
t
s
e
q
u
e
n
c
e
R
e
m
o
t
e
a
t
t
e
s
t
a
t
i
o
n
Anti
mal
war
e
Scan
Inte
rfac
e
(AM
SI).
Prim
arily
use
d to
prot
ect
scrip
ts
(PS,
VBS)
,
tho
ugh
it
can
be
invo
ked
by
thir
d
parti
es
as
well.
UAC
User
:
<Do
mai
n>\
<Us
er>
Proc
ess
Na
me:
<Pr
oces
s in
the
PID
>
Acti
on:
<Ac
tion
>,
for
exa
mpl
e:
C
l
e
a
n
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
c
l
e
a
n
e
d
Q
u
a
r
a
n
t
i
n
e
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
q
u
a
r
a
n
t
i
n
e
d
R
e
m
o
v
e
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
d
e
l
e
t
e
d
A
l
l
o
w
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
a
l
l
o
w
e
d
t
o
e
x
e
c
u
t
e
/
e
x
i
s
t
U
s
e
r
d
e
f
i
n
e
d
:
U
s
e
r
-
d
e
f
i
n
e
d
a
c
t
i
o
n
t
h
a
t
i
s
n
o
r
m
a
l
l
y
o
n
e
f
r
o
m
t
h
i
s
l
i
s
t
o
f
a
c
t
i
o
n
s
t
h
a
t
t
h
e
u
s
e
r
h
a
s
s
p
e
c
i
f
i
e
d
N
o
a
c
t
i
o
n
:
N
o
a
c
t
i
o
n
B
l
o
c
k
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
b
l
o
c
k
e
d
f
r
o
m
e
x
e
c
u
t
i
n
g
Acti
on
Stat
us:
<De
scrip
tion
of
addi
tion
al
acti
ons
>
Erro
r
Cod
e:
<Err
or
cod
e>
Res
ult
cod
e
asso
ciate
d
with
thre
at
stat
us.
Stan
dard
HRE
SUL
T
valu
es.
Erro
r
Des
cript
ion:
<Err
or
desc
ripti
on>
Des
cript
ion
of
the
erro
r.
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
User action: No action is necessary. Windows Defender Antivirus removed
or quarantined a threat.
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
Det
ecti
on
Orig
in:
<De
tecti
on
origi
n>,
for
exa
mpl
e:
U
n
k
n
o
w
n
L
o
c
a
l
c
o
m
p
u
t
e
r
N
e
t
w
o
r
k
s
h
a
r
e
I
n
t
e
r
n
e
t
I
n
c
o
m
i
n
g
t
r
a
f
f
i
c
O
u
t
g
o
i
n
g
t
r
a
f
f
i
c
Det
ecti
on
Typ
e:
<De
tecti
on
type
>,
for
exa
mpl
e:
H
e
u
r
i
s
t
i
c
s
G
e
n
e
r
i
c
C
o
n
c
r
e
t
e
D
y
n
a
m
i
c
s
i
g
n
a
t
u
r
e
Det
ecti
on
Sour
ce:
<De
tecti
on
sour
ce>
for
exa
mpl
e:
U
s
e
r
:
u
s
e
r
i
n
i
t
i
a
t
e
d
S
y
s
t
e
m
:
s
y
s
t
e
m
i
n
i
t
i
a
t
e
d
R
e
a
l
-
t
i
m
e
:
r
e
a
l
-
t
i
m
e
c
o
m
p
o
n
e
n
t
i
n
i
t
i
a
t
e
d
I
O
A
V
:
I
E
D
o
w
n
l
o
a
d
s
a
n
d
O
u
t
l
o
o
k
E
x
p
r
e
s
s
A
t
t
a
c
h
m
e
n
t
s
i
n
i
t
i
a
t
e
d
N
I
S
:
N
e
t
w
o
r
k
i
n
s
p
e
c
t
i
o
n
s
y
s
t
e
m
I
E
P
R
O
T
E
C
T
:
I
E
-
I
E
x
t
e
n
s
i
o
n
V
a
l
i
d
a
t
i
o
n
;
t
h
i
s
p
r
o
t
e
c
t
s
a
g
a
i
n
s
t
m
a
l
i
c
i
o
u
s
w
e
b
p
a
g
e
c
o
n
t
r
o
l
s
E
a
r
l
y
L
a
u
n
c
h
A
n
t
i
m
a
l
w
a
r
e
(
E
L
A
M
)
.
T
h
i
s
i
n
c
l
u
d
e
s
m
a
l
w
a
r
e
d
e
t
e
c
t
e
d
b
y
t
h
e
b
o
o
t
s
e
q
u
e
n
c
e
R
e
m
o
t
e
a
t
t
e
s
t
a
t
i
o
n
Anti
mal
war
e
Scan
Inte
rfac
e
(AM
SI).
Prim
arily
use
d to
prot
ect
scrip
ts
(PS,
VBS)
,
tho
ugh
it
can
be
invo
ked
by
thir
d
parti
es
as
well.
UAC
User
:
<Do
mai
n>\
<Us
er>
Proc
ess
Na
me:
<Pr
oces
s in
the
PID
>
Acti
on:
<Ac
tion
>,
for
exa
mpl
e:
C
l
e
a
n
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
c
l
e
a
n
e
d
Q
u
a
r
a
n
t
i
n
e
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
q
u
a
r
a
n
t
i
n
e
d
R
e
m
o
v
e
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
d
e
l
e
t
e
d
A
l
l
o
w
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
a
l
l
o
w
e
d
t
o
e
x
e
c
u
t
e
/
e
x
i
s
t
U
s
e
r
d
e
f
i
n
e
d
:
U
s
e
r
-
d
e
f
i
n
e
d
a
c
t
i
o
n
t
h
a
t
i
s
n
o
r
m
a
l
l
y
o
n
e
f
r
o
m
t
h
i
s
l
i
s
t
o
f
a
c
t
i
o
n
s
t
h
a
t
t
h
e
u
s
e
r
h
a
s
s
p
e
c
i
f
i
e
d
N
o
a
c
t
i
o
n
:
N
o
a
c
t
i
o
n
B
l
o
c
k
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
b
l
o
c
k
e
d
f
r
o
m
e
x
e
c
u
t
i
n
g
Acti
on
Stat
us:
<De
scrip
tion
of
addi
tion
al
acti
ons
>
Erro
r
Cod
e:
<Err
or
cod
e>
Res
ult
cod
e
asso
ciate
d
with
thre
at
stat
us.
Stan
dard
HRE
SUL
T
valu
es.
Erro
r
Des
cript
ion:
<Err
or
desc
ripti
on>
Des
cript
ion
of
the
erro
r.
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
L
o
w
M
o
d
e
r
a
t
e
H
i
g
h
S
e
v
e
r
e
Cate
gory
:
<Ca
tego
ry
desc
ripti
on>
, for
exa
mpl
e,
any
thre
at
or
mal
war
e
type
.
Path
:
<Fil
e
path
>
Det
ecti
on
Orig
in:
<De
tecti
on
origi
n>,
for
exa
mpl
e:
U
n
k
n
o
w
n
L
o
c
a
l
c
o
m
p
u
t
e
r
N
e
t
w
o
r
k
s
h
a
r
e
I
n
t
e
r
n
e
t
I
n
c
o
m
i
n
g
t
r
a
f
f
i
c
O
u
t
g
o
i
n
g
t
r
a
f
f
i
c
Det
ecti
on
Typ
e:
<De
tecti
on
type
>,
for
exa
mpl
e:
H
e
u
r
i
s
t
i
c
s
G
e
n
e
r
i
c
C
o
n
c
r
e
t
e
D
y
n
a
m
i
c
s
i
g
n
a
t
u
r
e
Det
ecti
on
Sour
ce:
<De
tecti
on
sour
ce>
for
exa
mpl
e:
U
s
e
r
:
u
s
e
r
i
n
i
t
i
a
t
e
d
S
y
s
t
e
m
:
s
y
s
t
e
m
i
n
i
t
i
a
t
e
d
R
e
a
l
-
t
i
m
e
:
r
e
a
l
-
t
i
m
e
c
o
m
p
o
n
e
n
t
i
n
i
t
i
a
t
e
d
I
O
A
V
:
I
E
D
o
w
n
l
o
a
d
s
a
n
d
O
u
t
l
o
o
k
E
x
p
r
e
s
s
A
t
t
a
c
h
m
e
n
t
s
i
n
i
t
i
a
t
e
d
N
I
S
:
N
e
t
w
o
r
k
i
n
s
p
e
c
t
i
o
n
s
y
s
t
e
m
I
E
P
R
O
T
E
C
T
:
I
E
-
I
E
x
t
e
n
s
i
o
n
V
a
l
i
d
a
t
i
o
n
;
t
h
i
s
p
r
o
t
e
c
t
s
a
g
a
i
n
s
t
m
a
l
i
c
i
o
u
s
w
e
b
p
a
g
e
c
o
n
t
r
o
l
s
E
a
r
l
y
L
a
u
n
c
h
A
n
t
i
m
a
l
w
a
r
e
(
E
L
A
M
)
.
T
h
i
s
i
n
c
l
u
d
e
s
m
a
l
w
a
r
e
d
e
t
e
c
t
e
d
b
y
t
h
e
b
o
o
t
s
e
q
u
e
n
c
e
R
e
m
o
t
e
a
t
t
e
s
t
a
t
i
o
n
Anti
mal
war
e
Scan
Inte
rfac
e
(AM
SI).
Prim
arily
use
d to
prot
ect
scrip
ts
(PS,
VBS)
,
tho
ugh
it
can
be
invo
ked
by
thir
d
parti
es
as
well.
UAC
User
:
<Do
mai
n>\
<Us
er>
Proc
ess
Na
me:
<Pr
oces
s in
the
PID
>
Acti
on:
<Ac
tion
>,
for
exa
mpl
e:
C
l
e
a
n
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
c
l
e
a
n
e
d
Q
u
a
r
a
n
t
i
n
e
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
q
u
a
r
a
n
t
i
n
e
d
R
e
m
o
v
e
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
d
e
l
e
t
e
d
A
l
l
o
w
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
a
l
l
o
w
e
d
t
o
e
x
e
c
u
t
e
/
e
x
i
s
t
U
s
e
r
d
e
f
i
n
e
d
:
U
s
e
r
-
d
e
f
i
n
e
d
a
c
t
i
o
n
t
h
a
t
i
s
n
o
r
m
a
l
l
y
o
n
e
f
r
o
m
t
h
i
s
l
i
s
t
o
f
a
c
t
i
o
n
s
t
h
a
t
t
h
e
u
s
e
r
h
a
s
s
p
e
c
i
f
i
e
d
N
o
a
c
t
i
o
n
:
N
o
a
c
t
i
o
n
B
l
o
c
k
:
T
h
e
r
e
s
o
u
r
c
e
w
a
s
b
l
o
c
k
e
d
f
r
o
m
e
x
e
c
u
t
i
n
g
Acti
on
Stat
us:
<De
scrip
tion
of
addi
tion
al
acti
ons
>
Erro
r
Cod
e:
<Err
or
cod
e>
Res
ult
cod
e
asso
ciate
d
with
thre
at
stat
us.
Stan
dard
HRE
SUL
T
valu
es.
Erro
r
Des
cript
ion:
<Err
or
desc
ripti
on>
Des
cript
ion
of
the
erro
r.
Sign
atur
e
Vers
ion:
<De
finiti
on
versi
on>
Engi
ne
Vers
ion:
<An
tima
lwar
e
Engi
ne
versi
on>
User action: The Windows Defender Antivirus client encountered this error
due to critical issues. The endpoint might not be protected.
Review the error description then follow the relevant User
action steps below.
A
n
t
i
v
i
r
u
s
A
n
t
i
s
p
y
w
a
r
e
A
n
t
i
m
a
l
w
a
r
e
N
e
t
w
o
r
k
I
n
s
p
e
c
t
i
o
n
S
y
s
t
e
m
Upd
ate
Typ
e:
<Up
date
type
>,
eith
er
Full
or
Delt
a.
User
:
<Do
mai
n>\
<Us
er>
Curr
ent
Engi
ne
Vers
ion:
<Cu
rren
t
engi
ne
versi
on>
Prev
ious
Engi
ne
Vers
ion:
<Pr
evio
us
engi
ne
versi
on>
S
e
c
u
r
i
t
y
i
n
t
e
l
l
i
g
e
n
c
e
u
p
d
a
t
e
f
o
l
d
e
r
I
n
t
e
r
n
a
l
s
e
c
u
r
i
t
y
i
n
t
e
l
l
i
g
e
n
c
e
u
p
d
a
t
e
s
e
r
v
e
r
M
i
c
r
o
s
o
f
t
U
p
d
a
t
e
S
e
r
v
e
r
F
i
l
e
s
h
a
r
e
M
i
c
r
o
s
o
f
t
M
a
l
w
a
r
e
P
r
o
t
e
c
t
i
o
n
C
e
n
t
e
r
(
M
M
P
C
)
Upd
ate
Stag
e:
<Up
date
stag
e>,
for
exa
mpl
e:
S
e
a
r
c
h
D
o
w
n
l
o
a
d
I
n
s
t
a
l
l
Sour
ce
Path
: File
shar
e
nam
e for
Univ
ersal
Na
min
g
Con
vent
ion
(UN
C),
serv
er
nam
e for
Win
dow
s
Serv
er
Upd
ate
Serv
ices
(WS
US)/
Micr
osof
t
Upd
ate/
ADL
.
Sign
atur
e
Typ
e:
<Sig
natu
re
type
>,
for
exa
mpl
e:
A
n
t
i
v
i
r
u
s
A
n
t
i
s
p
y
w
a
r
e
A
n
t
i
m
a
l
w
a
r
e
N
e
t
w
o
r
k
I
n
s
p
e
c
t
i
o
n
S
y
s
t
e
m
Upd
ate
Typ
e:
<Up
date
type
>,
eith
er
Full
or
Delt
a.
User
:
<Do
mai
n>\
<Us
er>
Curr
ent
Engi
ne
Vers
ion:
<Cu
rren
t
engi
ne
versi
on>
Prev
ious
Engi
ne
Vers
ion:
<Pr
evio
us
engi
ne
versi
on>
Erro
r
Cod
e:
<Err
or
cod
e>
Res
ult
cod
e
asso
ciate
d
with
thre
at
stat
us.
Stan
dard
HRE
SUL
T
valu
es.
Erro
r
Des
cript
ion:
<Err
or
desc
ripti
on>
Des
cript
ion
of
the
erro
r.
User action: The Windows Defender Antivirus client update failed. This
event occurs when the client fails to update itself. This event
is usually due to an interruption in network connectivity
during an update. To troubleshoot this event:
1. Update definitions and force a rescan directly on the
endpoint.
2. Contact Microsoft Technical Support.
Antivirus
Antispyware
Antimalware
Network Inspection System
Current Engine Version: <Current engine version>
Dynamic Signature Type: <Dynamic signature type>, for example:
Version
Timestamp
No limit
Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Persistence Limit Type: <Persistence limit type>, for example:
VDM version
Timestamp
No limit
Persistence Limit: Persistence limit of the fast path signature.
Antivirus
Antispyware
Antimalware
Network Inspection System
Current Engine Version: <Current engine version>
Dynamic Signature Type: <Dynamic signature type>, for example:
Version
Timestamp
No limit
Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Removal Reason:
Persistence Limit Type: <Persistence limit type>, for example:
VDM version
Timestamp
No limit
Persistence Limit: Persistence limit of the fast path signature.
Antivirus
Antispyware
Antimalware
Network Inspection System
Current Engine Version: <Current engine version>
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Dynamic Signature Type: <Dynamic signature type>, for example:
Version
Timestamp
No limit
Duration
Persistence Path: <Path>
Dynamic Signature Version: <Version number>
Dynamic Signature Compilation Timestamp: <Timestamp>
Persistence Limit Type: <Persistence limit type>, for example:
VDM version
Timestamp
No limit
Persistence Limit: Persistence limit of the fast path signature.
Description: The support for your operating system will expire shortly.
Running Windows Defender Antivirus on an out of support
operating system is not an adequate solution to protect
against threats.
Description: The support for your operating system has expired. Running
Windows Defender Antivirus on an out of support operating
system is not an adequate solution to protect against threats.
Description: The support for your operating system has expired. Windows
Defender Antivirus is no longer supported on your operating
system, has stopped functioning, and is not protecting
against malware threats.
On Access
Internet Explorer downloads and Microsoft Outlook Express attachments
Behavior monitoring
Network Inspection System
Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
Error Description: <Error description> Description of the error.
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
User action: You should restart the system then run a full scan because
it's possible the system was not protected for some time. The
Windows Defender Antivirus client's real-time protection
feature encountered an error because one of the services
failed to start. If it is followed by a 3007 event ID, the failure
was temporary and the antimalware client recovered from
the failure.
On Access
IE downloads and Outlook Express attachments
Behavior monitoring
Network Inspection System
Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
User action: The real-time protection feature has restarted. If this event
happens again, contact Microsoft Technical Support.
On Access
IE downloads and Outlook Express attachments
Behavior monitoring
Network Inspection System
Configuration:
Message ERR_MP_NO_MEMORY
Possible reason This error indicates that you might have run out of memory.
Message ERR_MP_BAD_INPUT_DATA
Possible reason This error indicates that there might be a problem with your
security product.
Or,
b. Download the latest definitions from the
Microsoft Security Intelligence site. Note: The
size of the definitions file downloaded from the
site can exceed 60 MB and should not be used
as a long-term solution for updating
definitions.
2. Run a full scan.
3. Restart the device and try again.
Message ERR_MP_BAD_CONFIGURATION
Message ERR_MP_QUARANTINE_FAILED
Possible reason This error indicates that Windows Defender Antivirus failed to
quarantine a threat.
Message ERR_MP_REBOOT_REQUIRED
0X80508023
Message ERR_MP_THREAT_NOT_FOUND
Possible reason This error indicates that the threat might no longer be
present on the media, or malware might be stopping you
from scanning your device.
Resolution Run the Microsoft Safety Scanner then update your security
software and try again.
Message ERR_MP_FULL_SCAN_REQUIRED
Possible reason This error indicates that a full system scan might be required.
Message ERR_MP_MANUAL_STEPS_REQUIRED
Possible reason This error indicates that manual steps are required to
complete threat removal.
Message ERR_MP_REMOVE_NOT_SUPPORTED
Possible reason This error indicates that removal inside the container type
might not be supported.
Possible reason This error indicates that removal of low and medium threats
might be disabled.
Message ERROR_MP_RESCAN_REQUIRED
Message ERROR_MP_CALLISTO_REQUIRED
Resolution Run offline Windows Defender Antivirus. You can read about
how to do this in the offline Windows Defender Antivirus
article.
Message ERROR_MP_PLATFORM_OUTDATED
Possible reason This error indicates that Windows Defender Antivirus does
not support the current version of the platform and requires
a new version of the platform.
The following error codes are used during internal testing of Windows Defender Antivirus.
If you see these errors, you can try to update definitions and force a rescan directly on the endpoint.
0x80501001 ERROR_MP_ACTIONS_FAILED
0x80501002 ERROR_MP_NOENGINE
0x80501003 ERROR_MP_ACTIVE_THREATS
0x805011011 MP_ERROR_CODE_LUA_CANCELLED
0x80501101 ERROR_LUA_CANCELLATION
0x80501102 MP_ERROR_CODE_ALREADY_SHUTDOWN
0x80501103 MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING
0x80501104 MP_ERROR_CODE_CANCELLED
0x80501105 MP_ERROR_CODE_NO_TARGETOS
0x80501106 MP_ERROR_CODE_BAD_REGEXP
0x80501107 MP_ERROR_TEST_INDUCED_ERROR
0x80501108 MP_ERROR_SIG_BACKUP_DISABLED
0x80508001 ERR_MP_BAD_INIT_MODULES
0x80508002 ERR_MP_BAD_DATABASE
0x80508004 ERR_MP_BAD_UFS
0x8050800C ERR_MP_BAD_INPUT_DATA
0x8050800D ERR_MP_BAD_GLOBAL_STORAGE
0x8050800E ERR_MP_OBSOLETE
0x8050800F ERR_MP_NOT_SUPPORTED
0x80508011 ERR_MP_DUPLICATE_SCANID
0x80508012 ERR_MP_BAD_SCANID
0x80508013 ERR_MP_BAD_USERDB_VERSION
0x80508014 ERR_MP_RESTORE_FAILED
0x80508016 ERR_MP_BAD_ACTION
0x80508019 ERR_MP_NOT_FOUND
0x80509001 ERR_RELO_BAD_EHANDLE
0x80509003 ERR_RELO_KERNEL_NOT_LOADED
0x8050A001 ERR_MP_BADDB_OPEN
0x8050A002 ERR_MP_BADDB_HEADER
0x8050A003 ERR_MP_BADDB_OLDENGINE
0x8050A004 ERR_MP_BADDB_CONTENT
0x8050A005 ERR_MP_BADDB_NOTSIGNED
Related topics
Report on Windows Defender Antivirus protection
Windows Defender Antivirus in Windows 10
Security intelligence
5/28/2019 • 2 minutes to read
Here you will find information about different types of malware, safety tips on how you can protect your
organization, and resources for industry collaboration programs
Understand malware & other threats
How Microsoft identifies malware and PUA
Submit files for analysis
Safety Scanner download
Keep up with the latest malware news and research. Check out our Microsoft Security blogs and follow us on
Twitter for the latest news, discoveries, and protections.
Learn more about Windows security.
Understanding malware & other threats
12/23/2019 • 2 minutes to read
Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use
of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your
computer and ask for ransom, and more.
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch
attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or
extort payment from victims.
As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most
secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or
on the go. With Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), businesses can stay
protected with next-generation protection and other security capabilities.
For good general tips, check out the prevent malware infection topic.
There are many types of malware, including:
Coin miners
Exploits and exploit kits
Macro malware
Phishing
Ransomware
Rootkits
Supply chain attacks
Tech support scams
Trojans
Unwanted software
Worms
Keep up with the latest malware news and research. Check out our Microsoft security blogs and follow us on
Twitter for the latest news, discoveries, and protections.
Learn more about Windows security.
Prevent malware infection
12/30/2019 • 6 minutes to read
Malware authors are always looking for new ways to infect computers. Follow the tips below to stay protected
and minimize threats to your data and accounts.
We name the malware and unwanted software that we detect according to the Computer Antivirus Research
Organization (CARO) malware naming scheme. The scheme uses the following format:
When our analysts research a particular threat, they will determine what each of the components of the name will
be.
Type
Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are
some of the most common types of malware.
Adware
Backdoor
Behavior
BrowserModifier
Constructor
DDoS
Exploit
Hacktool
Joke
Misleading
MonitoringTool
Program
PWS
Ransom
RemoteAccess
Rogue
SettingsModifier
SoftwareBundler
Spammer
Spoofer
Spyware
Tool
Trojan
TrojanClicker
TrojanDownloader
TrojanNotifier
TrojanProxy
TrojanSpy
VirTool
Virus
Worm
Platforms
Indicates the operating system (such as Windows, Mac OS X, and Android) that the malware is designed to work
on. The platform is also used to indicate programming languages and file formats.
Operating systems
AndroidOS: Android operating system
DOS: MS-DOS platform
EPOC: Psion devices
FreeBSD: FreeBSD platform
iPhoneOS: iPhone operating system
Linux: Linux platform
MacOS: MAC 9.x platform or earlier
MacOS_X: MacOS X or later
OS2: OS2 platform
Palm: Palm operating system
Solaris: System V-based Unix platforms
SunOS: Unix platforms 4.1.3 or lower
SymbOS: Symbian operating system
Unix: general Unix platforms
Win16: Win16 (3.1) platform
Win2K: Windows 2000 platform
Win32: Windows 32-bit platform
Win64: Windows 64-bit platform
Win95: Windows 95, 98 and ME platforms
Win98: Windows 98 platform only
WinCE: Windows CE platform
WinNT: WinNT
Scripting languages
ABAP: Advanced Business Application Programming scripts
ALisp: ALisp scripts
AmiPro: AmiPro script
ANSI: American National Standards Institute scripts
AppleScript: compiled Apple scripts
ASP: Active Server Pages scripts
AutoIt: AutoIT scripts
BAS: Basic scripts
BAT: Basic scripts
CorelScript: Corelscript scripts
HTA: HTML Application scripts
HTML: HTML Application scripts
INF: Install scripts
IRC: mIRC/pIRC scripts
Java: Java binaries (classes)
JS: Javascript scripts
LOGO: LOGO scripts
MPB: MapBasic scripts
MSH: Monad shell scripts
MSIL: .Net intermediate language scripts
Perl: Perl scripts
PHP: Hypertext Preprocessor scripts
Python: Python scripts
SAP: SAP platform scripts
SH: Shell scripts
VBA: Visual Basic for Applications scripts
VBS: Visual Basic scripts
WinBAT: Winbatch scripts
WinHlp: Windows Help scripts
WinREG: Windows registry scripts
Macros
A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros
HE: macro scripting
O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint
PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
V5M: Visio5 macros
W1M: Word1Macro
W2M: Word2Macro
W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros
WM: Word 95 macros
X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros
XF: Excel formulas
XM: Excel 95 macros
Other file types
ASX: XML metafile of Windows Media .asf files
HC: HyperCard Apple scripts
MIME: MIME packets
Netware: Novell Netware files
QT: Quicktime files
SB: StarBasic (Staroffice XML) files
SWF: Shockwave Flash files
TSQL: MS SQL server files
XML: XML files
Family
Grouping of malware based on common characteristics, including attribution to the same authors. Security
software providers sometimes use different names for the same malware family.
Variant letter
Used sequentially for every distinct version of a malware family. For example, the detection for the variant ".AF"
would have been created after the detection for the variant ".AE".
Suffixes
Provides extra detail about the malware, including how it is used as part of a multicomponent threat. In the
example above, "!lnk" indicates that the threat component is a shortcut file used by Trojan:Win32/Reveton.T.
.dam: damaged malware
.dll: Dynamic Link Library component of a malware
.dr: dropper component of a malware
.gen: malware that is detected using a generic signature
.kit: virus constructor
.ldr: loader component of a malware
.pak: compressed malware
.plugin: plug-in component
.remnants: remnants of a virus
.worm: worm component of that malware
!bit: an internal category used to refer to some threats
!cl: an internal category used to refer to some threats
!dha: an internal category used to refer to some threats
!pfn: an internal category used to refer to some threats
!plock: an internal category used to refer to some threats
!rfn: an internal category used to refer to some threats
!rootkit: rootkit component of that malware
@m: worm mailers
@mm: mass mailer worm
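The components described above can be pulled apart mechanically, which is useful when normalizing detection names from alerts. The following parser is an added example (not from the page or from Microsoft's own tooling) and assumes the standard layout Type:Platform/Family.Variant!Suffix, which the page's format figure is not reproduced here; its vocabularies are subsets of the page's lists, and every sample name apart from the page's Trojan:Win32/Reveton.T!lnk is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Vocabularies taken from the page's lists (platforms are a subset of the page's
# table; "!lnk" is added from the page's Reveton example).
KNOWN_TYPES = {
    "Adware", "Backdoor", "Behavior", "BrowserModifier", "Constructor", "DDoS",
    "Exploit", "Hacktool", "Joke", "Misleading", "MonitoringTool", "Program",
    "PWS", "Ransom", "RemoteAccess", "Rogue", "SettingsModifier",
    "SoftwareBundler", "Spammer", "Spoofer", "Spyware", "Tool", "Trojan",
    "TrojanClicker", "TrojanDownloader", "TrojanNotifier", "TrojanProxy",
    "TrojanSpy", "VirTool", "Virus", "Worm",
}
KNOWN_PLATFORMS = {
    "Win32", "Win64", "MSIL", "AndroidOS", "Linux", "MacOS_X", "JS", "VBS",
    "BAT", "HTML", "PHP", "Python", "O97M", "W97M", "X97M", "PP97M",
}
KNOWN_SUFFIXES = {
    ".dam": "damaged malware", ".dll": "DLL component", ".dr": "dropper component",
    ".gen": "detected by a generic signature", ".kit": "virus constructor",
    ".ldr": "loader component", ".pak": "compressed malware",
    ".plugin": "plug-in component", ".remnants": "remnants of a virus",
    ".worm": "worm component", "!rootkit": "rootkit component",
    "@m": "worm mailer", "@mm": "mass mailer worm",
    "!lnk": "shortcut-file component",
    **{s: "internal category" for s in ("!bit", "!cl", "!dha", "!pfn", "!plock", "!rfn")},
}

# Type:Platform/Family, then an optional .Variant and any number of suffixes.
_NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9_]+)/(?P<family>[A-Za-z0-9_-]+)(?P<rest>.*)$"
)
# Variant letters are upper case and sequential (.AE, .AF, ...); lower-case
# tokens such as .gen are suffixes, not variants.
_VARIANT_RE = re.compile(r"^\.(?P<variant>[A-Z]+)(?=$|[.!@])")
_SUFFIX_RE = re.compile(r"[.!@][A-Za-z0-9_]+")


@dataclass
class MalwareName:
    type: str
    platform: str
    family: str
    variant: Optional[str]
    suffixes: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def variant_index(variant: str) -> int:
    """Ordinal of a sequential variant string: A=1 ... Z=26, AA=27, AB=28, ..."""
    n = 0
    for ch in variant:
        if not "A" <= ch <= "Z":
            raise ValueError(f"invalid variant letter {ch!r}")
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def parse_malware_name(name: str) -> MalwareName:
    """Split a detection name into its components, warning on unknown vocabulary."""
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Type:Platform/Family name: {name!r}")
    rest = m.group("rest")
    variant = None
    vm = _VARIANT_RE.match(rest)
    if vm:
        variant = vm.group("variant")
        rest = rest[vm.end():]
    suffixes = _SUFFIX_RE.findall(rest)
    if "".join(suffixes) != rest:  # reject anything the suffix grammar does not cover
        raise ValueError(f"unparseable trailing text {rest!r} in {name!r}")
    parsed = MalwareName(m.group("type"), m.group("platform"), m.group("family"),
                         variant, suffixes)
    if parsed.type not in KNOWN_TYPES:
        parsed.warnings.append(f"unknown type {parsed.type!r}")
    if parsed.platform not in KNOWN_PLATFORMS:
        parsed.warnings.append(f"unknown platform {parsed.platform!r}")
    parsed.warnings.extend(f"unknown suffix {s!r}" for s in suffixes if s not in KNOWN_SUFFIXES)
    return parsed


def is_newer_variant(a: str, b: str) -> bool:
    """True if name a is a later variant of the same type/platform/family than b."""
    pa, pb = parse_malware_name(a), parse_malware_name(b)
    same_family = (pa.type, pa.platform, pa.family) == (pb.type, pb.platform, pb.family)
    if not same_family or pa.variant is None or pb.variant is None:
        return False
    return variant_index(pa.variant) > variant_index(pb.variant)


if __name__ == "__main__":
    p = parse_malware_name("Trojan:Win32/Reveton.T!lnk")
    print(p, [KNOWN_SUFFIXES[s] for s in p.suffixes])
```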
Coin miners
8/9/2019 • 2 minutes to read
Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as
cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by
reconfiguring malware.
Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware
can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security
safeguards to infect your device.
What exactly are fileless threats? The term "fileless" suggests that a threat does not come in a file, such as a
backdoor that lives only in the memory of a machine. However, there's no generally accepted definition for fileless
malware. The term is used broadly; it's also used to describe malware families that do rely on files to operate.
Given that attacks involve several stages for functionalities like execution, persistence, or information theft, some
parts of the attack chain may be fileless, while others may involve the filesystem in some form.
For clarity, fileless threats are grouped into different categories.
Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive.
However, macro malware uses this functionality to infect your device.
Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of
electronic communication that often look to be official communication from legitimate companies or individuals.
The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be
user names and passwords, credit card details, bank account information, or other credentials. Attackers can then
use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from
bank accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces.
There is a request for personal information such as social security numbers or bank or financial
information. Official communications won't generally request personal information from you in the form of
an email.
Items in the email address will be changed so that it is similar enough to a legitimate email address but
has added numbers or changed letters.
The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person
you rarely deal with, consider this email suspect.
The message or the attachment asks you to enable macros, adjust security settings, or install
applications. Normal emails will not ask you to do this.
The message contains errors. Legitimate corporate messages are less likely to have typographic or
grammatical errors or contain wrong information.
The sender address does not match the signature on the message itself. For example, an email is
purported to be from Mary of Contoso Corp, but the sender address is [email protected].
There are multiple recipients in the “To” field and they appear to be random addresses. Corporate
messages are normally sent directly to individual recipients.
The greeting on the message itself does not personally address you. Apart from messages that
mistakenly address a different person, those that misuse your name or pull your name directly from your
email address tend to be malicious.
The website looks familiar but there are inconsistencies or things that are not quite right such as
outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in
websites.
The page that opens is not a live page but rather an image that is designed to look like the site you are
familiar with. A pop-up may appear that requests credentials.
If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
For more information, download and read this Microsoft e-book on preventing social engineering attacks,
especially in enterprise environments.
Software solutions for organizations
Microsoft Edge and Windows Defender Application Guard offer protection from the increasing threat of
targeted attacks using Microsoft's industry leading Hyper-V virtualization technology. If a browsed website
is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby
preventing access to your enterprise data.
Microsoft Exchange Online Protection (EOP) offers enterprise-class reliability and protection against spam
and malware, while maintaining access to email during and after emergencies. Using various layers of
filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international
spam, that will further enhance your protection services.
Use Office 365 Advanced Threat Protection (ATP) to help protect your email, files, and online storage
against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint
Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection
against malicious links, it complements the security features of Exchange Online Protection to provide
better zero-day protection.
For more tips and software solutions, see prevent malware infection.
Ransomware is a type of malware that encrypts files and folders, preventing access to important files.
Ransomware attempts to extort money from victims by asking for money, usually in form of cryptocurrencies, in
exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they
encrypted.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack
vectors, makes older platforms especially susceptible to ransomware attacks.
Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A
successful rootkit can potentially remain in place for years if it is undetected. During this time it will steal
information and resources.
Supply chain attacks are an emerging kind of threat that target software developers and suppliers. The goal is to
access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for
unnecessary technical support services that supposedly fix contrived device, platform, or software problems.
Trojans are a common type of malware which, unlike viruses, can’t spread on their own. This means they either
have to be downloaded manually or another malware needs to download and install them.
Trojans often use the same file names as real and legitimate apps. It is easy to accidentally download a trojan
thinking that it is a legitimate app.
Unwanted software consists of programs that alter the Windows experience without your consent or control. This can take
the form of modified browsing experience, lack of control over downloads and installation, misleading messages,
or unauthorized changes to Windows settings.
A worm is a type of malware that can copy itself and often spreads through a network by exploiting security
vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking
sites, network shares, removable drives, and software vulnerabilities.
Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and
in control of your devices. When you download, install, and run software, you have access to information and tools
to do so safely. Microsoft helps protect you from potential threats by identifying and analyzing software and
online content. That information is then compared against criteria described in this article.
You can participate in this process by submitting software for analysis to ensure undesirable software is covered
by our security solutions.
Because new forms of malware and potentially unwanted applications are being developed and distributed
rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or
announcements.
Malware
Malware is the overarching name for applications and other code, like software, that Microsoft classifies more
granularly as malicious software or unwanted software.
Malicious software
Malicious software is an application or code that compromises user security. Malicious software may steal your
personal information, lock your device until you pay a ransom, use your device to send spam, or download other
malicious software. In general, malicious software wants to trick, cheat, or defraud users, placing them in
vulnerable states.
Microsoft classifies most malicious software into one of the following categories:
Backdoor: A type of malware that gives malicious hackers remote access to and control of your device.
Downloader: A type of malware that downloads other malware onto your device. It must connect to the
internet to download files.
Dropper: A type of malware that installs other malware files onto your device. Unlike a downloader, a
dropper doesn’t have to connect to the internet to drop malicious files. The dropped files are typically
embedded in the dropper itself.
Exploit: A piece of code that uses software vulnerabilities to gain access to your device and perform other
tasks, such as installing malware. See more information about exploits.
Hacktool: A type of tool that can be used to gain unauthorized access to your device.
Macro virus: A type of malware that spreads through infected documents, such as Microsoft Word or
Excel documents. The virus is run when you open an infected document.
Obfuscator: A type of malware that hides its code and purpose, making it more difficult for security
software to detect or remove.
Password stealer: A type of malware that gathers your personal information, such as user names and
passwords. It often works along with a keylogger, which collects and sends information about the keys you
press and websites you visit.
Ransomware: A type of malware that encrypts your files or makes other modifications that can prevent
you from using your device. It then displays a ransom note which states you must pay money, complete
surveys, or perform other actions before you can use your device again. See more information about
ransomware.
Rogue security software: Malware that pretends to be security software but doesn't provide any
protection. This type of malware usually displays alerts about nonexistent threats on your device. It also
tries to convince you to pay for its services.
Trojan: A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't
spread by itself. Instead, it tries to look legitimate and tricks users into downloading and installing it. Once
installed, trojans perform various malicious activities such as stealing personal information, downloading
other malware, or giving attackers access to your device.
Trojan clicker: A type of trojan that automatically clicks buttons or similar controls on websites or
applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online
polls or other tracking systems and can even install applications on your device.
Worm: A type of malware that spreads to other devices. Worms can spread through email, instant
messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated
worms take advantage of software vulnerabilities to propagate.
Unwanted software
Microsoft believes that you should have control over your Windows experience. Software running on Windows
should keep you in control of your device through informed choices and accessible controls. Microsoft identifies
software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these
behaviors as "unwanted software".
Lack of choice
You must be notified about what is happening on your device, including what software does and whether it is
active.
Software that exhibits lack of choice might:
Fail to provide prominent notice about the behavior of the software and its purpose and intent.
Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence.
Install, reinstall, or remove software without your permission, interaction, or consent.
Install other software without a clear indication of its relationship to the primary software.
Circumvent user consent dialogs from the browser or operating system.
Falsely claim to be software from Microsoft.
Software must not mislead or coerce you into making decisions about your device. This is considered behavior
that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
Display exaggerated claims about your device’s health.
Make misleading or inaccurate claims about files, registry entries, or other items on your device.
Display claims in an alarming manner about your device's health and require payment or certain actions in
exchange for fixing the purported issues.
Software that stores or transmits your activities or data must:
Give you notice and get consent to do so. Software should not include an option that configures it to hide
activities associated with storing or transmitting your data.
Lack of control
You must be able to control software on your device. You must be able to start, stop, or otherwise revoke
authorization to software.
Software that exhibits lack of control might:
Prevent or limit you from viewing or modifying browser features or settings.
Open browser windows without authorization.
Redirect web traffic without giving notice and getting consent.
Modify or manipulate webpage content without your consent.
Software that changes your browsing experience must only use the browser's supported extensibility model for
installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models are
considered non-extensible and should not be modified.
Installation and removal
You must be able to start, stop, or otherwise revoke authorization given to software. Software should obtain your
consent before installing, and it must provide a clear and straightforward way for you to install, uninstall, or
disable it.
Software that delivers poor installation experience might bundle or download other "unwanted software" as
classified by Microsoft.
Software that delivers poor removal experience might:
Present confusing or misleading prompts or pop-ups when you try to uninstall it.
Fail to use standard install/uninstall features, such as Add/Remove Programs.
Advertising and advertisements
Software that promotes a product or service outside of the software itself can interfere with your computing
experience. You should have clear choice and control when installing software that presents advertisements.
The advertisements that are presented by software must:
Include an obvious way for users to close the advertisement. The act of closing the advertisement must not
open another advertisement.
Include the name of the software that presented the advertisement.
The software that presents these advertisements must:
Provide a standard uninstall method for the software using the same name as shown in the advertisement it
presents.
Advertisements shown to you must:
Be distinguishable from website content.
Not mislead, deceive, or confuse.
Not contain malicious code.
Not invoke a file download.
Consumer opinion
Microsoft maintains a worldwide network of analysts and intelligence systems where you can submit software for
analysis. Your participation helps Microsoft identify new malware quickly. After analysis, Microsoft creates
Security intelligence for software that meets the described criteria. This Security intelligence identifies the
software as malware and is available to all users through Windows Defender Antivirus and other Microsoft
antimalware solutions.
If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for
analysis. This page has answers to some common questions about submitting a file for analysis.
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply
download it and run a scan to find malware and try to reverse changes made by identified threats.
Download Microsoft Safety Scanner (32-bit)
Download Microsoft Safety Scanner (64-bit)
NOTE
Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2
in order to run Safety Scanner. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
Important information
The security intelligence update version of the Microsoft Safety Scanner matches the version described in
this web page.
Safety Scanner only scans when manually triggered and is available for use 10 days after being
downloaded. We recommend that you always download the latest version of this tool before each scan.
Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on
the desktop. Note where you saved this download.
This tool does not replace your antimalware product. For real-time protection with automatic updates, use
Windows Defender Antivirus on Windows 10 and Windows 8 or Microsoft Security Essentials on Windows
7. These antimalware products also provide powerful malware removal capabilities. If you are having
difficulties removing malware with these products, you can refer to our help on removing difficult threats.
System requirements
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech
Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows
Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the
Microsoft Lifecycle Policy.
Related resources
Troubleshooting Safety Scanner
Windows Defender Antivirus
Microsoft Security Essentials
Removing difficult threats
Submit file for malware analysis
Microsoft antimalware and threat protection solutions
Top scoring in industry tests
12/12/2019 • 5 minutes to read • Edit Online
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) technologies consistently achieve high
scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft
aims to be transparent about these test scores. This page summarizes the results and provides analysis.
Download the latest transparency report: Examining industry test results, November 2019
AV-TEST: Protection score of 6.0/6.0 in the latest test
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and
usability. The following scores are for the Protection category, which has two scores: Real-World Testing and the
AV-TEST reference set (known as "Prevalent Malware").
July — August 2019 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis Latest
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 13,889
malware samples used. This industry-leading antivirus solution has consistently achieved a perfect
Protection score in all AV-TEST cycles in the past 14 months.
May — June 2019 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
March — April 2019 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
January — February 2019 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
November — December 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
September — October 2018 AV-TEST Business User test: Protection score 6.0/6.0 | Analysis
AV-Comparatives: Protection rating of 99.9% in the latest test
Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware
attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example
by USB), and the Performance Test that looks at the impact on the system's performance.
Business Security Test 2019 (August — September): Real-World Protection Rate 99.9% | Analysis Latest
Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year,
with 99.9% in the latest test.
Business Security Test 2019 (March — June): Real-World Protection Rate 99.9% | Analysis
Business Security Test 2018 (August — November): Real-World Protection Rate 99.6%
Business Security Test 2018 (March — June): Real-World Protection Rate 98.7%
SE Labs: AAA award in the latest test
SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including
endpoint software, network appliances, and cloud services.
Enterprise Endpoint Protection July — September 2019: AAA award pdf | Analysis
Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all
but one public threat.
Enterprise Endpoint Protection April — June 2019: AAA award pdf | Analysis
Enterprise Endpoint Protection January — March 2019: AAA award pdf | Analysis
Enterprise Endpoint Protection October — December 2018: AAA award pdf | Analysis
Read our analysis: MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP
MITRE: Industry-leading optics and detection capabilities
MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also
known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off.
Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK
framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques
and tactics.
ATT&CK-based evaluation: Leading optics and detection capabilities | Analysis
Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack
chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced,
automatic detection through machine learning, heuristics, and behavior monitoring.
Microsoft has several industry-wide collaboration programs with different objectives and requirements. Enrolling
in the right program can help you protect your customers, gain more insight into the current threat landscape, or
assist in disrupting the malware ecosystem.
The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software
providers, security service providers, antimalware testing organizations, and other organizations involved in
fighting cybercrime.
Members of the VIA program collaborate by exchanging technical information on malicious software with
Microsoft, with the goal of improving protection for Microsoft customers.
The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with
Windows.
MVI members receive access to Windows APIs and other technologies including IOAV, AMSI and Cloud files.
Members also get malware telemetry and samples and invitations to security related events and conferences.
Become a member
A request for membership is made by an individual as a representative of an organization that develops and
produces antimalware or antivirus technology. Your organization must meet the following eligibility requirements
to qualify for the MVI program:
1. Offer an antimalware or antivirus product that is one of the following:
Your organization's own creation.
Developed by using an SDK (engine and other components) from another MVI Partner company and
your organization adds a custom UI and/or other functionality.
2. Have your own malware research team unless you build a product based on an SDK.
3. Be active and have a positive reputation in the antimalware industry.
Activity can include participation in industry conferences or being reviewed in an industry standard
report such as AV Comparatives, OPSWAT or Gartner.
4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft.
5. Be willing to sign a program license agreement.
6. Be willing to adhere to program requirements for antimalware apps. These requirements define the
behavior of antimalware apps necessary to ensure proper interaction with Windows.
7. Submit your app to Microsoft for periodic performance testing.
8. Certified through independent testing by at least one industry standard organization.
AV-Test (https://www.av-test.org/en/about-the-institute/certification/) | Must pass tests for Windows. Certifications for Mac and Linux are not accepted | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved" (for corporate users)
NSS Labs (https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/) | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities | "Neutral" rating from NSS
SKD Labs (http://www.skdlabs.com/html/english/, http://www.skdlabs.com/cert/) | Certification Requirements Product: Anti-virus or Antimalware | SKD Labs Star Check Certification Requirements: Pass >= 98.5 % with On Demand, On Access and Total Detection tests
Apply now
If your organization meets these criteria and is interested in joining, apply for membership now. If you have
questions, contact us for more information.
Coordinated Malware Eradication
9/4/2019 • 2 minutes to read • Edit Online
Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries
together to change the game against malware. While the cybersecurity industry today is effective at disrupting
malware families through individual efforts, those disruptions rarely lead to eradication, since malware authors
quickly adapt their tactics to survive.
CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against
malware. The ultimate goal is to drive efficient and long-lasting results for better protection of our collective
communities, customers, and businesses.
Learn about the common questions we receive from software developers and get other developer resources such
as detection criteria and file submissions.
In this section
This page provides answers to common questions we receive from software developers. For general guidance
about submitting malware or incorrectly detected files, read the submission guide.
Concerned about the detection of your software? If you believe that your application or program has been
incorrectly detected by Microsoft security software, submit the relevant files for analysis.
Check out the following resources for information on how to submit and view submissions:
Submit files
View your submissions
Additional resources
Detection criteria
To objectively identify malware and unidentified software, Microsoft applies a set of criteria for evaluating
malicious or potentially harmful code.
Developer questions
Find more guidance about the file submission and detection dispute process in our FAQ for software developers.
Scan your software
Use Windows Defender Antivirus to check your software against the latest Security intelligence and cloud
protection from Microsoft.
FIPS 140-2 Validation
12/24/2019 • 160 minutes to read • Edit Online
Secure Kernel Code Integrity | 10.0.17134 | #3096 | See Security Policy and Certificate page for algorithm information
Windows 10 Fall Creators Update (Version 1709)
Windows 10 Creators Update (Version 1703)
[module name not recovered]
  Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)
Kernel Mode Cryptographic Primitives Library (cng.sys) | 10.0.15063 | #3094
  FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
  Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281)
[module name not recovered]
  Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)
Kernel Mode Cryptographic Primitives Library (cng.sys) | 10.0.14393 | #2936
  FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
  Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
  Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)
Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
[4] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
[5] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
[6] Applies only to Home, Pro and Enterprise
[7] Applies only to Pro, Enterprise, Mobile and Surface Hub
[8] Applies only to Enterprise and Enterprise LTSB
Windows 10 (Version 1507)
Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
Windows Vista SP1
Windows Vista
Windows XP SP3
Windows XP SP2
Windows XP SP1
Windows XP
Windows 2000 SP3
Cryptographic Module | Version (link to Security Policy) | FIPS Certificate # | Algorithms
Windows 2000 SP2
Windows 2000 SP1
Windows 2000
Windows 95 and Windows 98
Windows NT 4.0
Secure Kernel Code Integrity | 10.0.17134 | #3096 | See Security Policy and Certificate page for algorithm information
Windows Server (Version 1709)
Secure Kernel Code Integrity | 10.0.16299 | #3096 | See Security Policy and Certificate page for algorithm information
Windows Server 2016
Windows Server 2012 R2
[16] Does not apply to Azure StorSimple Virtual Array Windows Server 2012 R2
[17] Does not apply to Azure StorSimple Virtual Array Windows Server 2012 R2
Windows Server 2012
Validated Editions: Server, Storage Server
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003 SP2
Windows Server 2003 SP1
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) | 5.2.3790.1830 [Service Pack 1] | 381
  FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)
  Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40
  [1] x86
  [2] SP1 x86, x64, IA64
Windows Server 2003
Other Products
Windows Embedded Compact 7 and Windows Embedded Compact 8
Windows CE 6.0 and Windows Embedded Compact 7
Cryptographic Algorithms
The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each
algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation
Program (CAVP ) issued certificate.
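As an added example (not code from the page or from Microsoft), the following Python script parses CCM and GCM entries written in the CAVP notation that the tables below use and checks whether a requested configuration (key size, nonce length, tag length) lies inside the validated parameter set. The two entries it embeds are constructed from the Windows 10 version 1703 SymCrypt #4624 and BitLocker #4625 lines; the function and class names are the example's own. The point it demonstrates is that a certificate covers only the listed modes and parameters: an AES-GCM call with a 64-bit tag, or BitLocker-style CCM with a nonce other than 12 bytes, runs on the same library but outside the validated boundary.

```python
"""Check an AES-CCM / AES-GCM configuration against CAVP validation entries.

Added example, not code from the page or from Microsoft. It parses mode
strings in the notation the FIPS 140-2 tables print and reports which
implementations' certificates cover a requested parameter set.
"""
import re
from dataclasses import dataclass

# Constructed sample: the CCM and GCM lines of two Windows 10 version 1703
# entries, copied in the page's CAVP notation (key sizes in bits, CCM nonce
# and tag lengths in bytes, GCM tag lengths in bits).
SAMPLE_ENTRIES = {
    "SymCrypt Cryptographic Implementations #4624": (
        "CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) "
        "(Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 "
        "(Tag Length(s): 4 6 8 10 12 14 16) "
        "GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) "
        "(KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) "
        "(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)"
    ),
    "BitLocker Cryptographic Implementations #4625": (
        "CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) "
        "(Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)"
    ),
}


@dataclass
class CcmProfile:
    key_sizes: set      # bits
    nonce_lengths: set  # bytes
    tag_lengths: set    # bytes


@dataclass
class GcmProfile:
    tag_lengths: dict   # key size in bits -> set of validated tag lengths in bits


# Whitespace-tolerant, so the raw page spacing ("128 , 192 , 256 )") parses too.
_CCM_RE = re.compile(
    r"CCM\s*\(KS:\s*([\d\s,]+?)\).*?Nonce Length\(s\):\s*([\d\s]+?)"
    r"\(Tag Length\(s\):\s*([\d\s]+?)\)")
_GCM_RE = re.compile(
    r"\(KS:\s*AES_(\d+)\(\s*e/d\s*\)\s*Tag Length\(s\):\s*([\d\s]+?)\)")


def _ints(s):
    return {int(x) for x in s.replace(",", " ").split()}


def parse_ccm(text):
    """Return the CCM profile in a CAVP entry, or None if CCM is not listed."""
    m = _CCM_RE.search(text)
    if not m:
        return None
    return CcmProfile(_ints(m.group(1)), _ints(m.group(2)), _ints(m.group(3)))


def parse_gcm(text):
    """Return the GCM profile in a CAVP entry, or None if GCM is not listed."""
    prof = {int(ks): _ints(tags) for ks, tags in _GCM_RE.findall(text)}
    return GcmProfile(prof) if prof else None


def ccm_covered(profile, key_bits, nonce_len, tag_len):
    return (profile is not None
            and key_bits in profile.key_sizes
            and nonce_len in profile.nonce_lengths
            and tag_len in profile.tag_lengths)


def gcm_covered(profile, key_bits, tag_bits):
    return profile is not None and tag_bits in profile.tag_lengths.get(key_bits, set())


def validated_for(entries, mode, key_bits, **params):
    """Names of the implementations whose CAVP entry covers the request.

    mode is "CCM" (params: nonce_len, tag_len in bytes) or "GCM" (params: tag_bits).
    """
    hits = []
    for name, text in entries.items():
        if mode == "CCM":
            ok = ccm_covered(parse_ccm(text), key_bits,
                             params["nonce_len"], params["tag_len"])
        elif mode == "GCM":
            ok = gcm_covered(parse_gcm(text), key_bits, params["tag_bits"])
        else:
            raise ValueError(f"unsupported mode {mode!r}")
        if ok:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # AES-256-CCM, 12-byte nonce, 16-byte tag: both entries cover it.
    print(validated_for(SAMPLE_ENTRIES, "CCM", 256, nonce_len=12, tag_len=16))
    # AES-128-CCM: only the SymCrypt entry lists 128-bit keys.
    print(validated_for(SAMPLE_ENTRIES, "CCM", 128, nonce_len=12, tag_len=16))
    # A 64-bit GCM tag appears in no validated tag list.
    print(validated_for(SAMPLE_ENTRIES, "GCM", 256, tag_bits=64))
```

The CAVP strings follow no single grammar (note the unbalanced parentheses the notation carries), so covering the CMAC or XTS lines means adding one regex per mode family in the same style.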
Advanced Encryption Standard (AES )
AES Val#4897

CBC (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); OFB (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)
Implementation: Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627, Version 10.0.15063

KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)
AES Val#4624
Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626, Version 10.0.15063

CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
AES Val#4624
Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker® Cryptographic Implementations #4625, Version 10.0.15063

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
CMAC (Generation/Verification) (KS: 128; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); AAD Lengths tested: (0, 1024, 8, 1016); 96BitIV_Supported
GMAC_Supported
XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
Implementation: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624, Version 10.0.15063

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256)
Implementation: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434, Version 7.00.2872

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256)
Implementation: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433, Version 8.00.6246

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)
Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431, Version 7.00.2872

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)
Implementation: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430, Version 8.00.6246
CBC (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); OFB (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074, Version 10.0.14393

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
CMAC (Generation/Verification) (KS: 128; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)
GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (Externally); PT Lengths Tested: (0, 1024, 8, 1016); AAD Lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
GMAC_Supported
XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064, Version 10.0.14393

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256)
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063, Version 10.0.14393

KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)
AES Val#4064
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062, Version 10.0.14393

CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
AES Val#4064
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061, Version 10.0.14393

KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)
AES Val#3629
Implementation: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652, Version 10.0.10586

CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
AES Val#3629
Implementation: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653, Version 10.0.10586

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256)
Implementation: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630, Version 10.0.10586
ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
CMAC (Generation/Verification) (KS: 128; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)
GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (Externally); PT Lengths Tested: (0, 1024, 8, 1016); AAD Lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
GMAC_Supported
XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
Implementation: Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629, Version 10.0.10586

KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)
AES Val#3497
Implementation: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507, Version 10.0.10240

CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
AES Val#3497
Implementation: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498, Version 10.0.10240

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
CMAC (Generation/Verification) (KS: 128; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)
GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (Externally); PT Lengths Tested: (0, 1024, 8, 1016); AAD Lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
GMAC_Supported
XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )
Implementation: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497, Version 10.0.10240

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256)
Implementation: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476, Version 10.0.10240
ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256)
Implementation: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853, Version 6.3.9600

CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
AES Val#2832
Implementation: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker® Cryptographic Implementations #2848, Version 6.3.9600

CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
CMAC (Generation/Verification) (KS: 128; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full / Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)
GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); AAD Lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96BitIV_Supported; OtherIVLen_Supported
GMAC_Supported
Implementation: Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832, Version 6.3.9600

CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
AES Val#2197
CMAC (Generation/Verification) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
AES Val#2197
GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); AAD Lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96BitIV_Supported
GMAC_Supported
Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)
AES Val#2196
Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256)
Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256)
Implementation: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
AES Val#1168
Implementation: Windows Server 2008 R2 and SP1 CNG algorithms #1187
Implementation: Windows 7 Ultimate and SP1 CNG algorithms #1178

CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
AES Val#1168
Implementation: Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256)
Implementation: Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

GCM
GMAC
Implementation: Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168, vendor-affirmed

CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
Implementation: Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760

CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
Implementation: Windows Server 2008 CNG algorithms #757
Implementation: Windows Vista Ultimate SP1 CNG algorithms #756

CBC (e/d; 128, 256)
Implementation: Windows Vista Ultimate BitLocker Drive Encryption #715

CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
Implementation: Windows Vista Ultimate BitLocker Drive Encryption #424

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256)
Implementation: Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739
Implementation: Windows Vista Symmetric Algorithm Implementation #553

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)
Implementation: Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256)
Implementation: Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024
Implementation: Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818
Implementation: Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781
Implementation: Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548
Implementation: Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516
Implementation: Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507
Implementation: Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290
Implementation: Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224
Implementation: Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80
Implementation: Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33
CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4627)]
    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556
    Version 10.0.15063

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#4624)]
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555
    Version 10.0.15063

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4434)]
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433
    Version 7.00.2872

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4433)]
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432
    Version 8.00.6246

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4431)]
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430
    Version 7.00.2872

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4430)]
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429
    Version 8.00.6246

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4074)]
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222
    Version 10.0.14393

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#4064)]
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217
    Version 10.0.14393

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#3629)]
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #955
    Version 10.0.10586

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#3497)]
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868
    Version 10.0.10240

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#2832)]
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489
    Version 6.3.9600

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#2197)]
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#2023)]
    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193

CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#1168)]
    Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
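Every DRBG entry above is the same construction, CTR_DRBG over AES-256 from SP 800-90A, and differs only in two flags: whether the block-cipher derivation function is used (BlockCipher_Use_df versus BlockCipher_No_df) and whether prediction resistance was tested (Not Enabled throughout). The example below is added here to make those flags concrete; it is not Microsoft's code, not the SymCrypt or RSAENH implementation, and not a CAVP test vector. It implements the BlockCipher_No_df variant: Instantiate takes exactly seedlen (48) bytes of entropy and refuses longer personalization or additional input because, without a derivation function, nothing condenses them; and, with prediction resistance not enabled, Generate never reseeds on its own, it only stops once the reseed interval is exhausted. The entropy bytes in main are a constructed demo value, not an approved entropy source.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	keyLen   = 32                // AES-256
	blockLen = aes.BlockSize     // 16
	seedLen  = keyLen + blockLen // seedlen = 48 bytes for AES-256 CTR_DRBG
)

type CTRDRBG struct {
	key, v        []byte
	reseedCounter uint64
}

// increment treats v as a big-endian counter modulo 2^128.
func increment(v []byte) {
	for i := len(v) - 1; i >= 0; i-- {
		if v[i]++; v[i] != 0 {
			return
		}
	}
}

// padToSeed zero-pads to seedlen; without a df no input may exceed seedlen.
func padToSeed(data []byte) ([]byte, error) {
	if len(data) > seedLen {
		return nil, errors.New("input longer than seedlen; a derivation function would be needed")
	}
	return append(make([]byte, 0, seedLen), data...)[:seedLen], nil
}

// ctrBlocks encrypts V+1, V+2, ... under Key until n bytes exist.
func (d *CTRDRBG) ctrBlocks(n int) []byte {
	blk, _ := aes.NewCipher(d.key) // key is always keyLen bytes, so no error
	out, block := make([]byte, 0, n+blockLen), make([]byte, blockLen)
	for len(out) < n {
		increment(d.v)
		blk.Encrypt(block, d.v)
		out = append(out, block...)
	}
	return out[:n]
}

// update is CTR_DRBG_Update: keystream XOR provided_data becomes the new (Key, V).
func (d *CTRDRBG) update(provided []byte) {
	temp := d.ctrBlocks(seedLen)
	for i := range temp {
		temp[i] ^= provided[i]
	}
	d.key, d.v = temp[:keyLen], temp[keyLen:]
}

// NewCTRDRBG is Instantiate without df: Key and V start all-zero; seed_material is
// entropy_input (exactly seedlen bytes) XOR the zero-padded personalization string.
func NewCTRDRBG(entropy, personalization []byte) (*CTRDRBG, error) {
	if len(entropy) != seedLen {
		return nil, errors.New("entropy input must be exactly seedlen bytes")
	}
	material, err := padToSeed(personalization)
	if err != nil {
		return nil, err
	}
	for i := range material {
		material[i] ^= entropy[i]
	}
	d := &CTRDRBG{key: make([]byte, keyLen), v: make([]byte, blockLen), reseedCounter: 1}
	d.update(material)
	return d, nil
}

// Generate returns n bytes; no prediction resistance, so it never reseeds itself.
func (d *CTRDRBG) Generate(n int, additional []byte) ([]byte, error) {
	if d.reseedCounter > 1<<48 { // SP 800-90A reseed interval for CTR_DRBG
		return nil, errors.New("reseed required")
	}
	add, err := padToSeed(additional)
	if err != nil {
		return nil, err
	}
	if len(additional) > 0 { // additional input is absorbed before output
		d.update(add)
	}
	out := d.ctrBlocks(n)
	d.update(add) // post-output Update gives backtracking resistance
	d.reseedCounter++
	return out, nil
}

func main() {
	var entropy [seedLen]byte // constructed all-zero demo entropy, not a real source
	d, _ := NewCTRDRBG(entropy[:], []byte("example personalization"))
	out, _ := d.Generate(32, nil)
	fmt.Println(hex.EncodeToString(out))
}
```

The Use_df entries differ only at the front door: a derivation function (Block_Cipher_df) condenses arbitrary-length entropy, nonce and personalization into seedlen bytes before the same Update, so those implementations accept inputs this no-df version rejects.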
L = 2048, N = 256
L = 3072, N = 256
Prerequisite: SHS #4010, DRBG #1731

DSA:
FIPS 186-4:
PQGGen: L = 2048, N = 256, SHA: SHA-256; L = 3072, N = 256, SHA: SHA-256
PQGVer: L = 2048, N = 256, SHA: SHA-256; L = 3072, N = 256, SHA: SHA-256
SigGen: L = 2048, N = 256, SHA: SHA-256; L = 3072, N = 256, SHA: SHA-256
SigVer: L = 2048, N = 256, SHA: SHA-256; L = 3072, N = 256, SHA: SHA-256
KeyPair: L = 2048, N = 256; L = 3072, N = 256
Prerequisite: SHS #4009, DRBG #1730
    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301
    Version 10.0.16299

FIPS186-2: PRIME;
FIPS186-2: KEYGEN(Y): SHS: SHA-1 (BYTE)
SIG(gen): SIG(ver) MOD(1024); SHS: SHA-1 (BYTE)
    Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3790
    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062
    Version 10.0.15063

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3790
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061
    Version 10.0.15063

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3652
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946
    Version 7.00.2872

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3651
    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945
    Version 8.00.6246

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3649
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943
    Version 7.00.2872

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3648
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942
    Version 8.00.6246

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3347
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661
    Version 10.0.14393

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3347
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651
    Version 10.0.14393

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3047
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381
    Version 10.0.10586

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#2886
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233
    Version 10.0.10240

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#2373
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773
    Version 6.3.9600

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#2764
    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122
    Version 5.2.29344

HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS #1902
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS #1902
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS #1903
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#1773
    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#1774
    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#1081
    Windows Server 2008 R2 and SP1 CNG algorithms #686
    Windows 7 and SP1 CNG algorithms #677
    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687
    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#1081
    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#816
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#753
    Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#753
    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408
    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#618
    Windows Vista Enhanced Cryptographic Provider (RSAENH) #297

HMAC-SHA1 (Key Size Ranges Tested: KSBS) SHS Val#785
    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429
    Windows XP, vendor-affirmed

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#783
    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#613
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289

HMAC-SHA1 (Key Size Ranges Tested: KSBS) SHS Val#610
    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#753
    Windows Server 2008 CNG algorithms #413
    Windows Vista Ultimate SP1 CNG algorithms #412

HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#737
    Windows Vista Ultimate BitLocker Drive Encryption #386

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#618
    Windows Vista CNG algorithms #298

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#589
    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#578
    Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #260

HMAC-SHA1, HMAC-SHA256 (Key Size Ranges Tested: KS) SHS Val#495
    Windows Vista BitLocker Drive Encryption #199

HMAC-SHA1 (Key Size Ranges Tested: KSBS) SHS Val#364
    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99
    Windows XP, vendor-affirmed

HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#305
    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration) SCHEMES [FullUnified (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC)]
SHS Val#3790; DSA Val#1135; DRBG Val#1556
    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128
    Version 10.0.15063

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhOneFlow (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC <KARole(s): Initiator / Responder>) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
SHS Val#3790; DSA Val#1223; DRBG Val#1555
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [EphemeralUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [OnePassDH (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [StaticUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
SHS Val#3790; ECDSA Val#1133; DRBG Val#1555
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127
    Version 10.0.15063

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC <KARole(s): Initiator / Responder>) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
SHS Val#3649; DSA Val#1188; DRBG Val#1430
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [OnePassDH (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [StaticUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115
    Version 7.00.2872

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhHybridOneFlow (No_KC <KARole(s):  Initiator / Responder>) (FB: SHA256 HMAC) (FC: SHA256 HMAC)] [dhStatic (No_KC <KARole(s): Initiator / Responder>) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
SHS Val#3648; DSA Val#1187; DRBG Val#1429
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [OnePassDH (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [StaticUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
SHS Val#3648; ECDSA Val#1072; DRBG Val#1429
    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114
    Version 8.00.6246

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration) SCHEMES [FullUnified (No_KC <KARole(s): Initiator / Responder> <KDF: CONCAT>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC)]
SHS Val#3347; ECDSA Val#920; DRBG Val#1222
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93
    Version 10.0.14393

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC <KARole(s): Initiator / Responder>) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
SHS Val#2886; DSA Val#983; DRBG Val#868
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [OnePassDH (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [StaticUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
SHS Val#2886; ECDSA Val#706; DRBG Val#868
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64
    Version 10.0.10240

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC <KARole(s): Initiator / Responder>) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
SHS Val#2373; DSA Val#855; DRBG Val#489
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [OnePassDH (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [StaticUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
SHS Val#2373; ECDSA Val#505; DRBG Val#489
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47
    Version 6.3.9600

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) (FA: SHA256) (FB: SHA256) (FC: SHA256)] [dhOneFlow (KARole(s): Initiator / Responder) (FA: SHA256) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC <KARole(s): Initiator / Responder>) (FA: SHA256 HMAC) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
SHS #1903; DSA Val#687; DRBG #258
ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))] [OnePassDH (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256) (ED: P-384 SHA384) (EE: P-521 (SHA512, HMAC_SHA512))] [StaticUnified (No_KC <KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36
CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))
KAS Val#128; DRBG Val#1556; MAC Val#3062
    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141
    Version 10.0.15063

CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))
KAS Val#127; AES Val#4624; DRBG Val#1555; MAC Val#3061
    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140
    Version 10.0.15063

CTR_Mode: (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))
KAS Val#93; DRBG Val#1222; MAC Val#2661
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102
    Version 10.0.14393

CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))
KAS Val#92; AES Val#4064; DRBG Val#1217; MAC Val#2651
    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101
    Version 10.0.14393

CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))
KAS Val#72; AES Val#3629; DRBG Val#955; MAC Val#2381
    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72
    Version 10.0.10586

CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))
KAS Val#64; AES Val#3497; DRBG Val#868; MAC Val#2233
    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66
    Version 10.0.10240

CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))
DRBG Val#489; MAC Val#1773
    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30
    Version 6.3.9600

CTR_Mode: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))
DRBG #258; HMAC Val#1345
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
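The KDF entries above all describe one algorithm, the SP 800-108 key-based KDF in counter mode, and the parameters that matter for interoperability are spelled out in each row: which PRFs are supported (CMAC-AES or HMAC with the listed hashes), that the counter is placed before the fixed input data (LocationCounter BeforeFixedData), and that the counter is 32 bits wide (rlength 32). The example below is added here to show what those parameters mean on the wire; it is not Microsoft's code and not the CNG implementation. It assumes the SP 800-108 section 5.1 fixed-input layout Label || 0x00 || Context || [L]_2 with L encoded as 32 bits, which the table does not state, and uses HMAC only because Go's standard library has no CMAC. The key and label/context in main are constructed demo values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
)

// KBKDFCounter is the SP 800-108 KDF in counter mode with an HMAC PRF in the
// shape the table above lists: the counter sits before the fixed input data
// (LocationCounter BeforeFixedData) and is a 32-bit big-endian integer
// (rlength 32). Fixed input data uses the SP 800-108 section 5.1 layout
// Label || 0x00 || Context || [L]_32, where L is the requested length in bits.
func KBKDFCounter(prf func() hash.Hash, kI, label, context []byte, lBits int) ([]byte, error) {
	if lBits <= 0 || lBits%8 != 0 || uint64(lBits) > 1<<32-1 {
		return nil, errors.New("L must be a positive multiple of 8 that fits in 32 bits")
	}
	hLen := prf().Size()
	n := (lBits/8 + hLen - 1) / hLen // n = ceil(L / h) PRF invocations
	var ctr, lField [4]byte
	binary.BigEndian.PutUint32(lField[:], uint32(lBits))
	out := make([]byte, 0, n*hLen)
	for i := 1; i <= n; i++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(i)) // [i]_r with r = 32
		mac := hmac.New(prf, kI)
		mac.Write(ctr[:]) // counter first: LocationCounter = BeforeFixedData
		mac.Write(label)
		mac.Write([]byte{0x00})
		mac.Write(context)
		mac.Write(lField[:])
		out = mac.Sum(out) // K(i) appended; K(1) || K(2) || ... || K(n)
	}
	return out[:lBits/8], nil
}

func main() {
	// Constructed demo inputs; a real caller supplies a key-derivation key it
	// already protects, plus the label/context that bind the derived key to its use.
	kI := []byte("0123456789abcdef0123456789abcdef")
	key, err := KBKDFCounter(sha256.New, kI, []byte("encryption"), []byte("session-42"), 256)
	if err != nil {
		panic(err)
	}
	fmt.Println(hex.EncodeToString(key))
}
```

Because L is part of the fixed input data, asking for 256 bits and then 512 bits from the same key and label yields unrelated outputs rather than a prefix; two peers must agree on L, the counter width and the counter position, not just the PRF, which is exactly why those three parameters appear in every certificate row.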
FIPS 186-2 General Purpose [(x-Original); (SHA-1)]
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110

FIPS 186-2 [(x-Change Notice); (SHA-1)]
    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

FIPS 186-2 General Purpose [(x-Change Notice); (SHA-1)]
    Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435
    Windows Vista RNG implementation #321

FIPS 186-2 General Purpose [(x-Change Notice); (SHA-1)]
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470
    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449
    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447
    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316
    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313
RSA
SHA Val#2373

FIPS186-4:
ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512-256)) (3072 SHA(256, 384, 512-256))
SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 SHA(1, 256, 384, 512-256))
[RSASSA-PSS]: Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
SHA #1903
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.
    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134

FIPS186-2:
ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537) DRBG: Val# 23
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.
    Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559

FIPS186-2:
ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537)
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.
    Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353

FIPS186-2:
ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537) RNG: Val# 321
Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.
    Windows Vista RSA key generation implementation #258
SHA-1 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only)
Implementation and certificate #: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886, Version 10.0.10240

SHA-1 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only)
Implementation and certificate #: Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871, Version 10.0.10240

SHA-1 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only)
Implementation and certificate #: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396, Version 6.3.9600

SHA-1 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only)
Implementation and certificate #: Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373, Version 6.3.9600

SHA-1 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only)
Implementation does not support zero-length (null) messages.
Implementation and certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903; Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

SHA-1 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only)
Implementation and certificate #: Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081; Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

SHA-1 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only)
Implementation and certificate #: Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753; Windows Vista Symmetric Algorithm Implementation #618
Triple DES
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )
Implementation and certificate #: Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459, Version 10.0.15063

Version 10.0.14393

Version 10.0.10586

TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )
Implementation and certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )
Implementation and certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )
Implementation and certificate #: Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 )
Implementation and certificate #: Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

Triple DES MAC
Implementation and certificate #: Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed; Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 )
Implementation and certificate #:
Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691
Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677
Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544
Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543
Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542
Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526
Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517
Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381
Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370
Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365
Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315
Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201
Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199
Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192
Windows XP Microsoft Enhanced Cryptographic Provider #81
Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18
Crypto Driver for Windows 2000 (fips.sys) #16
References
[FIPS 140] - FIPS 140-2, Security Requirements for Cryptographic Modules
[FIPS FAQ] - Cryptographic Module Validation Program (CMVP) FAQ
[SP 800-57] - Recommendation for Key Management – Part 1: General (Revised)
[SP 800-131A] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
Common Criteria Certifications
12/11/2019 • 5 minutes to read
Microsoft is committed to optimizing the security of its products and services. As part of that commitment,
Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the
features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria
certifications of Microsoft Windows products.
Applies to
Windows 10, version 1703 and later
This library describes the Windows Security app, and provides information on configuring certain features,
including:
Showing and customizing contact information on the app and in notifications
Hiding notifications
In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall
apps.
In Windows 10, version 1803, the app has two new areas, Account protection and Device security.
NOTE
The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender
Security Center web portal console that is used to review and manage Microsoft Defender Advanced Threat Protection.
You can't uninstall the Windows Security app, but you can do one of the following:
Disable the interface on Windows Server 2016. See Windows Defender Antivirus on Windows Server 2016.
Hide all of the sections on client computers (see below).
Disable Windows Defender Antivirus, if needed. See Enable and configure Windows Defender AV always-on
protection and monitoring.
You can find more information about each section, including options for configuring the sections - such as hiding
each of the sections - at the following topics:
Virus & threat protection, which has information and access to antivirus ransomware protection settings and
notifications, including Controlled folder access, and sign-in to Microsoft OneDrive.
Account protection, which has information and access to sign-in and account protection settings.
Firewall & network protection, which has information and access to firewall settings, including Windows
Defender Firewall.
App & browser control, covering Windows Defender SmartScreen settings and Exploit protection mitigations.
Device security, which provides access to built-in device security settings.
Device performance & health, which has information about drivers, storage space, and general Windows
Update issues.
Family options, which includes access to parental controls along with tips and information for keeping kids safe
online.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
How the Windows Security app works with Windows security features
IMPORTANT
Windows Defender AV and the Windows Security app use similarly named services for specific purposes.
The Windows Security app uses the Windows Security Service (SecurityHealthService or Windows Security Health Service),
which in turn utilizes the Security Center service (wscsvc) to ensure the app provides the most up-to-date information about
the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender
Firewall, third-party firewalls, and other security protection.
These services do not affect the state of Windows Defender AV. Disabling or modifying these services will not disable
Windows Defender AV, but will lead to a lowered protection state on the endpoint, even if you are using a third-party
antivirus product.
Windows Defender AV will be disabled automatically when a third-party antivirus product is installed and kept up to date.
Disabling the Windows Security Center service will not disable Windows Defender AV or Windows Defender Firewall.
WARNING
If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or
running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you
have installed on the device.
It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you
uninstall any third-party antivirus products you may have previously installed.
This will significantly lower the protection of your device and could lead to malware infection.
The Windows Security app operates as a separate app or process from each of the individual features, and will
display notifications through the Action Center.
It acts as a collector or single place to see the status and perform some configuration for each of the features.
Disabling any of the individual features (through Group Policy or other management tools, such as System Center
Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The
Windows Security app itself will still run and show status for the other security features.
IMPORTANT
Individually disabling any of the services will not disable the other services or the Windows Security app.
For example, using a third-party antivirus will disable Windows Defender Antivirus. However, the Windows
Security app will still run, show its icon in the taskbar, and display information about the other features, such as
Windows Defender SmartScreen and Windows Defender Firewall.
Customize the Windows Security app for your organization
8/27/2019 • 2 minutes to read
Applies to
Windows 10, version 1709 and later
Audience
Enterprise security administrators
Manageability available with
Group Policy
You can add information about your organization in a contact card to the Windows Security app. This can include a
link to a support site, a phone number for a help desk, and an email address for email-based support.
This information will also be shown in some enterprise-specific notifications (including those for the Block at first
sight feature, and potentially unwanted applications).
Users can click on the displayed information to initiate a support request:
Clicking Call or the phone number will open Skype to start a call to the displayed number
Clicking Email or the email address will create a new email in the machine's default email app, addressed to the
displayed email address
Clicking Help portal or the website URL will open the machine's default web browser and go to the displayed
address
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of
Windows do not include these Group Policy settings.
IMPORTANT
You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you
do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and
notifications will not be customized.
Hide Windows Security app notifications
8/10/2019 • 7 minutes to read
Applies to
Windows 10, version 1809 and above
Audience
Enterprise security administrators
Manageability available with
Group Policy
The Windows Security app is used by a number of Windows security features to provide notifications about the
health and security of the machine. These include notifications about firewalls, antivirus products, Windows
Defender SmartScreen, and others.
In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status
updates, or if you want to hide all notifications to the employees in your organization.
There are two levels to hiding notifications:
1. Hide non-critical notifications, such as regular updates about the number of scans Windows Defender Antivirus
ran in the past week
2. Hide all notifications
If you set Hide all notifications to Enabled, changing the Hide non-critical notifications setting will have no
effect.
You can only use Group Policy to change these settings.
IMPORTANT
Requirements
You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include
these Group Policy settings.
1. Download the latest Administrative Templates (.admx) for Windows 10, v1809.
2. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
3. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
4. Expand the tree to Windows components > Windows Security > Notifications. For Windows 10
version 1803 and below the path would be Windows components > Windows Defender Security
Center > Notifications
5. Open the Hide non-critical notifications setting and set it to Enabled. Click OK.
6. Deploy the updated GPO as you normally do.
IMPORTANT
Requirements
You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include
these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Notifications. For Windows 10
version 1803 and below the path would be Windows components > Windows Defender Security
Center > Notifications
4. Open the Hide all notifications setting and set it to Enabled. Click OK.
5. Use the following registry key and DWORD value to Hide all notifications:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] "DisableNotifications"=dword:00000001
6. Use the following registry key and DWORD value to Hide non-critical notifications:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] "DisableEnhancedNotifications"=dword:00000001
7. Deploy the updated GPO as you normally do.
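An added example, not part of the Microsoft documentation: a PowerShell audit script that reads the two notification policy values listed in the steps above, applies the page's rule that Hide all notifications overrides Hide non-critical notifications, and checks the SecurityHealthService and wscsvc services the app depends on (see the IMPORTANT and WARNING notes in the overview). It assumes Windows 10, version 1809 or later, and Windows PowerShell 5.1; the function names are this example's own.

```powershell
# Added example (not Microsoft's code): audit Windows Security app notification policy
# and the services it depends on. Read-only; safe to run on any Windows 10 1809+ machine.

# Registry path and value names exactly as documented in the steps above.
$NotificationPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'

function Resolve-NotificationState {
    # Pure policy logic, separated from the registry so it can be reasoned about on its own.
    # A missing value ($null) means the Group Policy setting is Not Configured, i.e. notifications show.
    # Page rule: when Hide all notifications is Enabled, the non-critical setting has no effect.
    param(
        [Nullable[int]] $DisableNotifications,          # "Hide all notifications"
        [Nullable[int]] $DisableEnhancedNotifications   # "Hide non-critical notifications"
    )
    $hideAll         = ($DisableNotifications -eq 1)
    $hideNonCritical = ($DisableEnhancedNotifications -eq 1)
    [pscustomobject]@{
        HideAllNotificationsEnabled         = $hideAll
        HideNonCriticalNotificationsEnabled = $hideNonCritical
        NonCriticalSettingHasEffect         = -not $hideAll
        CriticalNotificationsShown          = -not $hideAll
        NonCriticalNotificationsShown       = -not ($hideAll -or $hideNonCritical)
    }
}

function Get-WindowsSecurityNotificationPolicy {
    # Reads DisableNotifications / DisableEnhancedNotifications from the policy key.
    # Absent key or absent value is reported as $null (Not Configured).
    $hideAll = $null
    $hideNonCritical = $null
    if (Test-Path -LiteralPath $NotificationPolicyKey) {
        $item = Get-ItemProperty -LiteralPath $NotificationPolicyKey -ErrorAction SilentlyContinue
        $hideAll = $item.DisableNotifications
        $hideNonCritical = $item.DisableEnhancedNotifications
    }
    Resolve-NotificationState -DisableNotifications $hideAll -DisableEnhancedNotifications $hideNonCritical
}

function Get-WindowsSecurityServiceState {
    # The app uses SecurityHealthService, which in turn uses the Security Center service (wscsvc).
    # If wscsvc is stopped or disabled the app can show stale or inaccurate AV/firewall status,
    # so flag anything that is not present, not Automatic/Manual, or not running.
    foreach ($name in 'SecurityHealthService', 'wscsvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status    = if ($svc) { [string]$svc.Status }    else { 'NotFound' }
        $startType = if ($svc) { [string]$svc.StartType } else { 'NotFound' }
        $warning = ''
        if (-not $svc -or $startType -eq 'Disabled' -or $status -ne 'Running') {
            $warning = 'Windows Security app may display stale or inaccurate protection status'
        }
        [pscustomobject]@{ Service = $name; Status = $status; StartType = $startType; Warning = $warning }
    }
}

# Worked check of the override rule on constructed inputs (no registry involved):
# both values set to 1 -> nothing shown and the non-critical setting has no effect.
Resolve-NotificationState -DisableNotifications 1 -DisableEnhancedNotifications 1 | Format-List
# only DisableEnhancedNotifications set -> critical notifications still shown.
Resolve-NotificationState -DisableNotifications $null -DisableEnhancedNotifications 1 | Format-List

# Live audit of this machine.
Get-WindowsSecurityNotificationPolicy | Format-List
Get-WindowsSecurityServiceState | Format-Table -AutoSize
```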
Notifications
PURPOSE: OS support ended, device at risk
NOTIFICATION TEXT: Support for your version of Windows has ended. Windows Defender Antivirus is no longer supported, and your device might be at risk.
TOAST IDENTIFIER: SUPPORT_ENDED and SUPPORT_ENDED_NO_DEFENDER
CRITICAL?: Yes
Applies to
Windows 10 in S mode, version 1803
Audience
Enterprise security administrators
Manageability available with
Microsoft Intune
Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode,
users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize
malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra
protections against phishing and malicious software.
The Windows Security interface is a little different in Windows 10 in S mode. The Virus & threat protection area
has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from
running on devices in your organization. In addition, devices running Windows 10 in S mode receive security
updates automatically.
For more information about Windows 10 in S mode, including how to switch out of S mode, see Windows 10
Pro/Enterprise in S mode.
Applies to
Windows 10, version 1703 and later
The Virus & threat protection section contains information and settings for antivirus protection from Windows
Defender Antivirus and third-party AV products.
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and
recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected
folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also
notifies users and provides recovery instructions in the event of a ransomware attack.
IT administrators and IT pros can get more information and documentation about configuration from the
following:
Windows Defender Antivirus in the Windows Security app
Windows Defender Antivirus documentation library
Protect important folders with Controlled folder access
Defend yourself from cybercrime with new Office 365 capabilities
Office 365 advanced protection
Ransomware detection and recovering your files
You can choose to hide the Virus & threat protection section or the Ransomware protection area from users
of the machine. This can be useful if you don't want employees in your organization to see or have access to user-
configured options for the features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Virus and threat protection.
4. Open the Hide the Virus and threat protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Virus and threat protection.
4. Open the Hide the Ransomware data recovery area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
Account protection
12/4/2019 • 2 minutes to read
Applies to
Windows 10, version 1803 and later
The Account protection section contains information and settings for account protection and sign in. IT
administrators and IT pros can get more information and documentation about configuration from the following:
Microsoft Account
Windows Hello for Business
Lock your Windows 10 PC automatically when you step away from it
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees
in your organization to see or have access to user-configured options for the features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Account protection.
4. Open the Hide the Account protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Firewall and network protection
5/31/2019 • 2 minutes to read
Applies to
Windows 10, version 1703 and later
The Firewall & network protection section contains information about the firewalls and network connections
used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT
administrators and IT pros can get configuration guidance from the Windows Defender Firewall with Advanced
Security documentation library.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if
you don't want employees in your organization to see or have access to user-configured options for the features
shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Firewall and network protection.
4. Open the Hide the Firewall and network protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
App and browser control
8/27/2019 • 2 minutes to read
Applies to
Windows 10, version 1703 and later
The App and browser control section contains information and settings for Windows Defender SmartScreen. IT
administrators and IT pros can get configuration guidance from the Windows Defender SmartScreen
documentation library.
In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You
can prevent users from modifying these specific options with Group Policy. IT administrators can get more
information at Exploit protection.
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees
in your organization to see or have access to user-configured options for the features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > App and browser protection.
4. Open the Prevent users from modifying settings setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > App and browser protection.
4. Open the Hide the App and browser protection area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Device security
5/31/2019 • 2 minutes to read
Applies to
Windows 10, version 1803 and later
The Device security section contains information and settings for built-in device security.
You can choose to hide the section from users of the machine. This can be useful if you don't want employees in
your organization to see or have access to user-configured options for the features shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device security.
4. Open the Hide the Device security area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Disable the Clear TPM button
If you don't want users to be able to click the Clear TPM button in the Windows Security app, you can disable it.
IMPORTANT
Requirements
You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device security.
4. Open the Disable the Clear TPM button setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
Applies to
Windows 10, version 1703 and later
The Device performance & health section contains information about hardware, devices, and drivers related to
the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues
they are seeing, such as how to configure the Load and unload device drivers security policy setting and how to
deploy drivers during Windows 10 deployment using System Center Configuration Manager.
The Windows 10 IT pro troubleshooting topic, and the main Windows 10 documentation library can also be
helpful for resolving issues.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if
you don't want employees in your organization to see or have access to user-configured options for the features
shown in the section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Device performance and health.
4. Open the Hide the Device performance and health area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Family options
5/31/2019 • 2 minutes to read
Applies to
Windows 10, version 1703 and later
The Family options section contains links to settings and further information for parents of a Windows 10 PC. It
is not generally intended for enterprise or business environments.
Home users can learn more at the Help protect your family online in Windows Security topic at
support.microsoft.com.
In Windows 10, version 1709, the section can be hidden from users of the machine. This can be useful if you don't
want employees in your organization to see or have access to this section.
IMPORTANT
Requirements
You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not
include these Group Policy settings.
1. On your Group Policy management machine, open the Group Policy Management Console, right-click the
Group Policy Object you want to configure and click Edit.
2. In the Group Policy Management Editor go to Computer configuration and click Administrative
templates.
3. Expand the tree to Windows components > Windows Security > Family options.
4. Open the Hide the Family options area setting and set it to Enabled. Click OK.
5. Deploy the updated GPO as you normally do.
NOTE
If you hide all sections then the app will show a restricted interface, as in the following screenshot:
Windows Defender SmartScreen
12/4/2019 • 3 minutes to read
Applies to:
Windows 10
Windows 10 Mobile
Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of
potentially malicious files.
Windows Defender SmartScreen determines whether a site is potentially malicious by:
Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender
SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it
finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might
be malicious.
Windows Defender SmartScreen determines whether a downloaded app or app installer is potentially
malicious by:
Checking downloaded files against a list of reported malicious software sites and programs known to be
unsafe. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the
site might be malicious.
Checking downloaded files against a list of files that are well known and downloaded by many Windows
users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution.
NOTE
Before Windows 10, version 1703, this feature was called the SmartScreen filter when used within the browser and
Windows SmartScreen when used outside of the browser.
NOTE
For information on how to use the Event Viewer, see Windows Event Viewer.
EVENTID DESCRIPTION
Related topics
Windows Defender SmartScreen Frequently Asked Questions (FAQ)
SmartScreen Frequently Asked Questions (FAQ)
Threat protection
Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
12/4/2019 • 7 minutes to read
Applies to:
Windows 10
Windows 10 Mobile
Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM)
settings to help you manage your organization's computer settings. Based on how you set up Windows Defender
SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site
entirely.
See Windows 10 (and later) settings to protect devices using Intune for the controls you can use in Intune.
Setting (Windows 10, version 1703): Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
Setting (Windows 10, Version 1607 and earlier): Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen
Supported on: At least Windows Server 2012, Windows 8 or Windows RT
Description: This policy setting turns on Windows Defender SmartScreen. If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Windows Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Setting: Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Supported on: Windows 10, version 1703
Description: This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. Windows Defender SmartScreen must be enabled for this feature to work properly. If you enable this setting, your employees can only install apps from the Microsoft Store. If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet. If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Microsoft Store.

Setting (Windows 10, version 1703): Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Setting (Windows 10, Version 1607 and earlier): Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
Supported on: Microsoft Edge on Windows 10 or later
Description: This policy setting turns on Windows Defender SmartScreen. If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

Setting (Windows 10, version 1703): Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Setting (Windows 10, Version 1511 and 1607): Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files
Supported on: Microsoft Edge on Windows 10, version 1511 or later
Description: This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files. If you enable this setting, it stops employees from bypassing the warning, stopping the file download. If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

Setting (Windows 10, version 1703): Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Setting (Windows 10, Version 1511 and 1607): Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites
Supported on: Microsoft Edge on Windows 10, version 1511 or later
Description: This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites. If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site. If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter
Supported on: Internet Explorer 9 or later
Description: This policy setting prevents the employee from managing Windows Defender SmartScreen. If you enable this policy setting, the employee isn't prompted to turn on Windows Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee. If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings
Supported on: Internet Explorer 8 or later
Description: This policy setting determines whether an employee can bypass warnings from Windows Defender SmartScreen. If you enable this policy setting, Windows Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings.

Setting: Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Supported on: Internet Explorer 9 or later
Description: This policy setting determines whether the employee can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet. If you enable this policy setting, Windows Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings.
MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings
support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft
Intune) and Windows 10 Mobile devices.
For Windows Defender SmartScreen Internet Explorer MDM policies, see Policy CSP - InternetExplorer.
Setting: PreventSmartScreenPromptOverride
Supported versions: Windows 10, Version 1511 and later
URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
Data type: Integer
Allowed values:
0. Employees can ignore Windows Defender SmartScreen warnings.
1. Employees can't ignore Windows Defender SmartScreen warnings.

Setting: PreventSmartScreenPromptOverrideForFiles
Supported versions: Windows 10, Version 1511 and later
URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
Data type: Integer
Allowed values:
0. Employees can ignore Windows Defender SmartScreen warnings for files.
1. Employees can't ignore Windows Defender SmartScreen warnings for files.
Group Policy setting: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Recommendation: Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.

Group Policy setting: Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Recommendation: Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.

Group Policy setting: Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen
Recommendation: Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
Related topics
Threat protection
Windows Defender SmartScreen overview
Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
NOTE
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this
topic, see Contributing to TechNet content.
Set up and use Windows Defender SmartScreen on
individual devices
12/24/2019 • 3 minutes to read
Applies to:
Windows 10, version 1703
Windows 10 Mobile
Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as
phishing or malware websites, or if an employee tries to download potentially malicious files.
NOTE
If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears
as unavailable to the employee.
Related topics
Threat protection
Windows Defender SmartScreen overview
Windows Defender Application Control and
virtualization-based protection of code integrity
12/3/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to
"lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this
configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature
called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through
the use of virtualization-based protection of code integrity (more specifically, HVCI).
Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However,
when these two technologies are configured to work together, they present a very strong protection capability for
Windows 10 devices.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other
solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early
in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in
user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
3. Customers can protect the configurable code integrity policy even from local administrator tampering by
digitally signing the policy. This would mean that changing the policy would require both administrative
privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker
with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the
application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a
vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is
significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would
otherwise have enough privilege to disable most system defenses and override the application control policies
enforced by configurable code integrity or any other application control solution.
Related articles
Windows Defender Application Control
Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender
Driver compatibility with Windows Defender in Windows 10
Code integrity
Control the health of Windows 10-based devices
9/11/2019 • 61 minutes to read
Applies to
Windows 10
This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and
reporting the health of Windows 10-based devices.
Introduction
In Bring Your Own Device (BYOD) scenarios, employees bring commercially available devices to access both work-
related resources and their personal data. Users want to use the device of their choice to access the organization’s
applications, data, and resources not only from the internal network but also from anywhere. This phenomenon is
also known as the consumerization of IT.
Users want to have the best productivity experience when accessing corporate applications and working on
organization data from their devices. That means they will not tolerate being prompted to enter their work
credentials each time they access an application or a file server. From a security perspective, it also means that
users will manipulate corporate credentials and corporate data on unmanaged devices.
With the increased use of BYOD, there will be more unmanaged and potentially unhealthy systems accessing
corporate services, internal resources, and cloud apps.
Even managed devices can be compromised and become harmful. Organizations need to detect when security has
been breached and react as early as possible in order to protect high-value assets.
As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and
also on detection and response capabilities.
Windows 10 is an important component of an end-to-end security solution that focuses not only on the
implementation of security preventive defenses, but adds device health attestation capabilities to the overall
security strategy.
A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn
behavior like the network ___location the user regularly connects from. Also, a modern approach must be able to
release sensitive content only if user devices are determined to be healthy and secure.
The following figure shows a solution built to assess device health from the cloud. The device authenticates the
user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential
information, the conditional access engine of the identity provider may elect to verify the security compliance of the
mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any
time or when mobile device management (MDM) requests it.
Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies
such as Unified Extensible Firmware Interface (UEFI) Secure Boot.
Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification.
The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware,
which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven
BIOS systems.
A device health attestation module can communicate measured boot data that is protected by a Trusted Platform
Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a
trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication
channel.
Remote health attestation service performs a series of checks on the measurements. It validates security related
data points, including boot state (Secure Boot, Debug Mode, and so on), and the state of components that manage
security (BitLocker, Device Guard, and so on). It then conveys the health state of the device by sending a health
encrypted blob back to the device.
An MDM solution typically applies configuration policies and deploys software to devices. MDM defines the
security baseline and knows the level of compliance of the device with regular checks to see what software is
installed and what configuration is enforced, as well as determining the health status of the device.
An MDM solution asks the device to send device health information and forward the health encrypted blob to the
remote health attestation service. The remote health attestation service verifies device health data, checks that
MDM is communicating to the same device, and then issues a device health report back to the MDM solution.
An MDM solution evaluates the health assertions and, depending on the health rules belonging to the
organization, can decide if the device is healthy. If the device is healthy and compliant, MDM passes that
information to the identity provider so the organization’s access control policy can be invoked to grant access.
Access to content is then authorized to the appropriate level of trust for whatever the health status and other
conditional elements indicate.
Depending on the requirements and the sensitivity of the managed asset, device health status can be combined
with user identity information when processing an access request. Access to content is then authorized to the
appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as
needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional
security authentication may need to be established by querying the user to answer a phone call before access is
granted.
Microsoft’s security investments in Windows 10
In Windows 10, there are three pillars of investments:
Secure identities. Microsoft is part of the FIDO Alliance, which aims to provide an interoperable method of
secure authentication by moving away from the use of passwords for authentication, both on the local system
and for services such as on-premises resources and cloud resources.
Information protection. Microsoft is making investments to allow organizations to have better control over
who has access to important data and what they can do with that data. With Windows 10, organizations can
take advantage of policies that specify which applications are considered to be corporate applications and can
be trusted to access secure data.
Threat resistance. Microsoft is helping organizations to better secure enterprise assets against the threats of
malware and attacks by using security defenses relying on hardware.
Protect, control, and report on the security status of Windows 10-based devices
This section is an overview that describes different parts of the end-to-end security solution that helps protect
high-value assets and information from attackers and malware.
The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a
robust end-to-end-solution that provides validation of health and compliance of devices that access high-value
assets.
Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from
loading during the startup process:
Trusted Platform Module. A Trusted Platform Module (TPM) is a hardware component that provides
unique security features.
Windows 10 uses the security characteristics of a TPM to measure the boot integrity sequence (and, based
on that, to automatically unlock BitLocker-protected drives), to protect credentials, and for health
attestation.
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG).
At the time of this writing, there are two versions of TPM specification produced by TCG that are not
compatible with each other:
The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized
under ISO / IEC 11889 standard.
The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved
by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the
keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more
information, see TPM requirements in Windows 10.
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent
and modern security features, Windows 10 supports only TPM 2.0.
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
  Update crypto strength to meet modern security needs
    Support for SHA-256 for PCRs
    Support for HMAC command
  Cryptographic algorithms flexibility to support government needs
    TPM 1.2 is severely restricted in terms of what algorithms it can support
    TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
  Consistency across implementations
    The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
    TPM 2.0 standardizes much of this behavior
Secure Boot. Devices with UEFI firmware can be configured to load only trusted operating system
bootloaders. Secure Boot does not require a TPM.
The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture.
On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an
alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you
can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB.
Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders is in that store, which
allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default
on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program.
Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot
files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD
store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully
boot into a usable operating system by using policies that are defined by the OEM at build time. Secure
Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the
Windows platform. Secure Boot protects the operating system boot process whether booting from local
hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). Secure Boot
protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot
components to confirm malicious activity did not compromise them. Secure Boot protection ends after the
Windows kernel file (ntoskrnl.exe) has been loaded.
Note: Secure Boot protects the platform until the Windows kernel is loaded. Then protections like
ELAM take over.
Secure Boot configuration policy. Extends Secure Boot functionality to critical Windows 10
configuration.
Examples of protected configuration information include protecting Disable Execute bit (NX option) or
ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and
configuration of the computer can be trusted after the boot process has completed. Secure Boot
configuration policy does this with UEFI policy. These policies are signed in the same way that operating
system binaries are signed for use with Secure Boot.
The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public
keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the
KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK will
work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying
a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr.
The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10
kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers,
startup files, and the ELAM component. This step is important and protects the rest of the boot process by
verifying that all Windows boot components have integrity and can be trusted.
Early Launch Antimalware (ELAM). ELAM tests all drivers before they load and prevents unapproved
drivers from loading.
Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit
that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a
previous version of Windows that allows antimalware software to run very early in the boot sequence. Thus,
the antimalware component is the first third-party component to run and control the initialization of other
boot drivers until the Windows operating system is operational. When the system is started with a complete
runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded.
ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and
applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the
operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a
simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not
trusted, Windows won’t load it.
Note: Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM;
it can be replaced with a third-party antimalware compatible solution. The name of the Windows
Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll
back any malicious changes made to the Windows Defender driver at the next reboot. This prevents
kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before
shutdown or reboot.
The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the
antimalware software to detect and block any attempts to tamper with the boot process by trying to load
unsigned or untrusted code.
The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on
drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also
measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be
signed by Microsoft and the associated certificate must contain the complementary EKU
(1.3.6.1.4.1.311.61.4.1).
Virtualization-based security (Hyper-V + Secure Kernel). Virtualization-based security is a completely
new enforced security boundary that allows you to protect critical parts of Windows 10.
Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate
___domain credentials from the rest of the Windows operating system. For more information, refer to the
Virtualization-based security section.
Hypervisor-protected Code Integrity (HVCI). Hypervisor-protected Code Integrity is a feature of Device
Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity
policy are allowed to run.
When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services.
HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware
solutions, by preventing malware from running early in the boot process, or after startup.
HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become
executable is through a Code Integrity verification. This means that kernel memory pages can never be
Writable and Executable (W+X) and executable code cannot be directly modified.
Note: Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security
must have compatible drivers. For additional information, please read the Driver compatibility with
Device Guard in Windows 10 blog post.
The Device Guard Code Integrity feature lets organizations control what code is trusted to run in the
Windows kernel and what applications are approved to run in user mode. It’s configurable by using a policy.
Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the
Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to
modify or remove the current Code Integrity policy.
Credential Guard. Credential Guard protects corporate credentials with hardware-based credential
isolation.
In Windows 10, Credential Guard aims to protect ___domain corporate credentials from theft and reuse by
malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally
prevents the current forms of the pass-the-hash (PtH) attack.
This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a
protected container where trusted code and secrets are isolated from the Windows kernel. That means that
even if the Windows kernel is compromised an attacker has no way to read and extract the data required to
initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no
longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the
memory.
Health attestation. The device’s firmware logs the boot process, and Windows 10 can send it to a trusted
server that can check and assess the device’s health.
Windows 10 takes measurements of the UEFI firmware and of each of the Windows and antimalware
components as they load during the boot process. These measurements are taken sequentially, not all at
once. When they are complete, their values are digitally signed and stored securely in the TPM and cannot
be changed unless the system is reset.
For more information, see Secured Boot and Measured Boot: Hardening Early Boot Components Against
Malware.
During each subsequent boot, the same components are measured, which allows comparison of the
measurements against an expected baseline. For additional security, the values measured by the TPM can be
signed and transmitted to a remote server, which can then perform the comparison. This process, called
remote device health attestation, allows the server to verify health status of the Windows device.
Although Secure Boot is a proactive form of protection, health attestation is a reactive form of boot
protection. Health attestation ships disabled in Windows and is enabled by an antimalware or an MDM
vendor. Unlike Secure Boot, health attestation will not stop the boot process and enter remediation when a
measurement does not work. But with conditional access control, health attestation will help to prevent
access to high-value assets.
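The attestation flow described earlier (device quote, Health Attestation Service comparison against a baseline, MDM health rule, conditional access decision) and the sequential PCR measurements described just above, as an added Python simulation; this is not code from the article or from any Microsoft component. It assumes constructed component images and a constructed per-device key, and uses an HMAC as a stand-in for the TPM's asymmetric quote signature.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed sample boot components: (name, PCR index, bytes standing in for
# the image the firmware or boot manager hashes as it loads). Real measurements
# hash the actual binaries; these stand-ins only need to be deterministic.
KNOWN_GOOD_BOOT = [
    ("uefi-firmware",  0, b"constructed firmware image v1"),
    ("secure-boot-db", 7, b"constructed Secure Boot DB contents"),
    ("bootmgr",        4, b"constructed Windows Boot Manager"),
    ("ntoskrnl.exe",   4, b"constructed Windows kernel"),
    ("WdBoot.sys",     4, b"constructed ELAM driver"),
]
PCRS_TO_QUOTE = (0, 4, 7)


class SimulatedTpm:
    """Minimal SHA-256 PCR bank. A PCR is never written directly, only
    extended: new = SHA256(old || digest), so the final value depends on
    every measurement and on the order in which they arrived."""

    def __init__(self, quote_key: bytes, num_pcrs: int = 24):
        self.pcrs = [bytes(32)] * num_pcrs
        self._quote_key = quote_key  # stand-in for the TPM's attestation key

    def extend(self, pcr: int, data: bytes) -> None:
        digest = hashlib.sha256(data).digest()
        self.pcrs[pcr] = hashlib.sha256(self.pcrs[pcr] + digest).digest()

    def quote(self, pcr_indexes, nonce: bytes) -> dict:
        """Sign the selected PCRs together with the verifier's nonce so the
        quote cannot be replayed. HMAC stands in for the TPM's asymmetric
        signature; a real service would verify with the device's public key."""
        body = {"nonce": nonce.hex(),
                "pcrs": {str(i): self.pcrs[i].hex() for i in pcr_indexes}}
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self._quote_key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


def boot(tpm: SimulatedTpm, components) -> None:
    """Measured boot: extend each component into its PCR in load order."""
    for _name, pcr, image in components:
        tpm.extend(pcr, image)


def expected_pcrs(components) -> dict:
    """Baseline: the PCR values a known-good boot of this component list yields."""
    ref = SimulatedTpm(quote_key=b"")
    boot(ref, components)
    return {str(i): ref.pcrs[i].hex() for i in PCRS_TO_QUOTE}


# Health Attestation Service side
def verify_quote(quote: dict, device_key: bytes, nonce: bytes) -> Optional[dict]:
    """Return the quoted PCRs, or None if the signature or nonce is wrong."""
    expected = hmac.new(device_key, quote["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["signature"]):
        return None
    body = json.loads(quote["payload"])
    if body["nonce"] != nonce.hex():
        return None  # stale or replayed quote
    return body["pcrs"]


def health_report(quote: dict, device_key: bytes, nonce: bytes, baseline: dict) -> dict:
    """Grade the device: every quoted PCR must match the baseline."""
    pcrs = verify_quote(quote, device_key, nonce)
    if pcrs is None:
        return {"healthy": False, "reason": "quote rejected", "mismatched": []}
    mismatched = sorted(i for i, v in baseline.items() if pcrs.get(i) != v)
    return {"healthy": not mismatched,
            "reason": "ok" if not mismatched else "measurements differ from baseline",
            "mismatched": mismatched}


# MDM and conditional access side
def access_decision(report: dict, asset_sensitivity: str) -> str:
    """Constructed rule: a high-value asset requires a healthy device, a
    low-sensitivity asset only warns. The real rules belong to the organization."""
    if report["healthy"]:
        return "allow"
    return "warn" if asset_sensitivity == "low" else "deny"


def attest(components, device_key: bytes, baseline: dict, sensitivity: str = "high"):
    """End to end: the device boots, MDM requests a quote over a fresh nonce,
    the attestation service grades it, and conditional access decides."""
    tpm = SimulatedTpm(device_key)
    boot(tpm, components)
    nonce = os.urandom(16)
    quote = tpm.quote(PCRS_TO_QUOTE, nonce)
    report = health_report(quote, device_key, nonce, baseline)
    return report, access_decision(report, sensitivity)
```

Calling attest(KNOWN_GOOD_BOOT, key, expected_pcrs(KNOWN_GOOD_BOOT)) yields a healthy report and "allow"; swapping any component's bytes or its load order changes PCR 4 and the same call returns an unhealthy report and "deny".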
Virtualization-based security
Virtualization-based security provides a new trust boundary for Windows 10. It leverages Hyper-V hypervisor
technology to enhance platform security. Virtualization-based security provides a secure execution environment to
run specific Windows trusted code (trustlet) and to protect sensitive data.
Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator
privileges. Note that virtualization-based security is not trying to protect against a physical attacker.
The following Windows 10 services are protected with virtualization-based security:
Credential Guard (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft
that happens by reading and dumping the content of lsass memory
Device Guard (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows
10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures
defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity
service runs alongside the kernel in a Windows hypervisor-protected container.
Other isolated services: for example, on Windows Server 2016, there is the vTPM feature that allows you to
have encrypted virtual machines (VMs) on servers.
Note: Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security
requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled and an x64 processor with Virtualization
Extensions and SLAT enabled. IOMMU, TPM 2.0, and support for Secure Memory Overwrite are optional,
but recommended.
Credential Guard
In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs
sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user
mode. This helps ensure that protected data is not stolen and reused on remote machines, which mitigates many
PtH-style attacks.
Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key:
The per-boot key is used for any in-memory credentials that do not require persistence. An example of such a
credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution
Center (KDC) every time authentication occurs and is protected with a per-boot key.
The persistent key, or some derivative, is used to help protect items that are stored and reloaded after a
reboot. Such protection is intended for long-term storage, and must be protected with a consistent key.
Credential Guard is activated by a registry key and then enabled by using a UEFI variable. This is done to
protect against remote modifications of the configuration. The use of a UEFI variable implies that physical
access is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then
spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of
LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode
support routines are ready before any authentication begins.
Device Guard
Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help
protect it from running untrusted software. In this configuration, the only applications allowed to run are those that
are trusted by the organization.
The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-
based security, a Hyper-V protected container that runs alongside regular Windows.
Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into
memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or
whether a system file has been modified by malicious software that is being run by a user account with
Administrator privileges. On x64-based versions of Windows 10, kernel-mode drivers must be digitally signed.
Note: Independently of activation of Device Guard Policy, Windows 10 by default raises the bar for what runs
in the kernel. Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows
Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver
submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation
(“EV”) Code Signing Certificate.
With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on
x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines
what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts.
The system is then locked down to only run applications that the organization trusts.
Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and
applications. Device Guard can be configured using two rule actions - allow and deny:
Allow limits execution of applications to an allowed list of code or trusted publisher and blocks everything else.
Deny completes the allow trusted publisher approach by blocking the execution of a specific application.
At the time of this writing, and according to Microsoft’s latest research, more than 90 percent of malware is
completely unsigned. So implementing a basic Device Guard policy can simply and effectively help block the vast
majority of malware. In fact, Device Guard has the potential to go further, and can also help block signed malware.
Device Guard needs to be planned and configured to be truly effective. It is not just a protection that is enabled or
disabled. Device Guard is a combination of hardware security features and software security features that, when
configured together, can lock down a computer to help ensure the most secure and resistant system possible.
There are three different parts that make up the Device Guard solution in Windows 10:
The first part is a base set of hardware security features introduced with the previous version of Windows.
TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows
you to control what the device is running when the systems start.
After the hardware security feature, there is the code integrity engine. In Windows 10, Code Integrity is now
fully configurable and now resides in Isolated user mode, a part of the memory that is protected by
virtualization-based security.
The last part of Device Guard is manageability. Code Integrity configuration is exposed through specific
Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs).
For more information on how to deploy Device Guard in an enterprise, see the Device Guard deployment guide.
Device Guard scenarios
As previously described, Device Guard is a powerful way to lock down systems. Device Guard is not intended to be
used broadly and it may not always be applicable, but there are some high-interest scenarios.
Device Guard is useful and applicable on fixed-workload systems like cash registers, kiosk machines, Secure
Admin Workstations (SAWs), or well-managed desktops. Device Guard is highly relevant on systems that have a very
well-defined set of software that is expected to run and doesn’t change too frequently. It could also help protect
Information Workers (IWs) beyond just SAWs, as long as what they need to run is known and the set of
applications is not going to change on a daily basis.
SAWs are computers that are built to help significantly reduce the risk of compromise from malware, phishing
attacks, bogus websites, and PtH attacks, among other security risks. Although SAWs can’t be considered a “silver
bullet” security solution to these attacks, these types of clients are helpful as part of a layered, defense-in-depth
approach to security.
To protect high-value assets, SAWs are used to make secure connections to those assets.
Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool
like System Center Configuration Manager, Intune, or any third-party device management, then Device Guard is
very applicable. In that type of scenario, the organization has a good idea of the software that an average user is
running.
It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically
allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run
Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the
event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in
Audit mode, organizations can get rich data about drivers and applications that users install and run.
Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by
using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group
Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both
the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard
Code Integrity policy restricts what code can run on a device.
Note: Device Guard policy can be signed in Windows 10, which adds additional protection against
administrative users changing or removing this policy.
Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat
Device Guard.
When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers
tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of
the policy signed by the same signer or from a signer specified as part of the Device Guard policy into the
UpdateSigner section.
The importance of signing applications
On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run
without restriction to a world where only signed and trusted code is allowed to run on Windows 10.
With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization
through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the
public Microsoft Store. Microsoft Store signs and distributes Universal Windows apps and Classic Windows apps.
All apps downloaded from the Microsoft Store are signed.
In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a
tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best
practice, a lot of internal applications are not signed.
Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them
through a process to create additional signatures that can be distributed along with existing applications.
Why are antimalware and device management solutions still necessary?
Although allow-list mechanisms are extremely efficient at ensuring that only trusted applications can be run, they
cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a
known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting
vulnerabilities.
Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or
confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by
causing it to run malicious code without the user’s knowledge.
It’s common to see attackers distributing specially crafted content in an attempt to exploit known vulnerabilities in
user mode software like web browsers (and their plug-ins), Java virtual machines, PDF readers, or document
editors. As of today, 90 percent of discovered vulnerabilities affect user mode applications compared to the
operating system and kernel mode drivers that host them.
To combat these threats, patching is the single most effective control, with antimalware software forming
complementary layers of defense.
Most application software has no facility for updating itself, so even if the software vendor publishes an update that
fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains
vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities.
MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends
the management capabilities that have become available for MDMs. One key feature Microsoft has added to
Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered
devices.
Device health attestation
Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of
the chain of software used to boot the device.
For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a
remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with
other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove
to be healthy.
For more information on device health attestation, see the Detect an unhealthy Windows 10-based device section.
Hardware requirements
The following table details the hardware requirements for both virtualization-based security services and the health
attestation feature. For more information, see Minimum hardware requirements.
Hardware: UEFI 2.3.1 or later firmware with Secure Boot enabled
Motivation: Required to support UEFI Secure Boot. UEFI Secure Boot ensures that the device boots only
authorized code. Additionally, Boot Integrity (Platform Secure Boot) must be supported following the
requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection
“System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”.

Hardware: Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled
Motivation: Required to support virtualization-based security.
Note: Device Guard can be enabled without using virtualization-based security.

Hardware: IOMMU, such as Intel VT-d, AMD-Vi
Motivation: Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.

Hardware: Trusted Platform Module (TPM)
Motivation: Required to support health attestation and necessary for additional key protections for
virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10,
version 1607 (RS1).
This section presented information about several closely related controls in Windows 10. The multi-layer,
defense-in-depth approach helps to eradicate low-level malware during the boot sequence. Virtualization-based security is
a fundamental operating system architecture change that adds a new security boundary. Device Guard and
Credential Guard respectively help to block untrusted code and protect corporate ___domain credentials from theft
and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All
these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising
them.
Note: To use the health attestation feature of Windows 10, the device must be equipped with a discrete or
firmware TPM. There is no restriction on any particular edition of Windows 10.
Windows 10 supports health attestation scenarios by allowing applications access to the underlying health
attestation configuration service provider (CSP) so that applications can request a health attestation token. The
measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent.
Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the
current security status and detecting any changes, without having to trust the software running on the system.
In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is
present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code
running early in the startup sequence. That's why it's important to use Secure Boot and Device Guard, to control
which code is loaded during the boot sequence.
The antimalware software can search to determine whether the boot sequence contains any signs of malware, such
as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation
between the measurement component and the verification component.
Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs
during the boot process.
When starting a device equipped with TPM, a measurement of different components is performed. This includes
firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw
measurements are stored in the TPM PCR registers while the details of all events (executable path, authority
certification, and so on) are available in the TCG log.
The health attestation process works as follows:
1. Hardware boot components are measured.
2. Operating system boot components are measured.
3. If Device Guard is enabled, current Device Guard policy is measured.
4. Windows kernel is measured.
5. Antivirus software is started as the first kernel mode driver.
6. Boot start drivers are measured.
7. MDM server through the MDM agent issues a health check command by leveraging the Health Attestation
CSP.
8. Boot measurements are validated by the Health Attestation Service.
Note: By default, the last 100 system boot logs and all associated resume logs are archived in the
%SystemRoot%\logs\measuredboot folder. The number of retained logs may be set with the registry
REG_DWORD value PlatformLogRetention under the
HKLM\SYSTEM\CurrentControlSet\Services\TPM key. A value of 0 will turn off log archival and a value
of 0xffffffff will keep all logs.
The following process describes how health boot measurements are sent to the health attestation service:
1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health
attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI
is already pre-provisioned in the client.
2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate
information.
3. The remote device health attestation service then:
a. Verifies that the AIK certificate is issued by a known and trusted CA and the certificate is valid and not
revoked.
b. Verifies that the signature on the PCR quotes is correct and consistent with the TCG log value.
c. Parses the properties in the TCG log.
d. Issues the device health token that contains the health information, the AIK information, and the boot
counter information. The health token also contains a valid issuance time. The device health token is
encrypted and signed, which means that the information is protected and accessible only to the issuing health
attestation service.
4. The client stores the health encrypted blob in its local store. The device health token contains device health
status, a device ID (the Windows AIK), and the boot counter.
Note: Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted
Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a
signed certificate online from the manufacturer that has created the chip and then stores the signed certificate
in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you
must authorize the following URLs:
Note: Before the device can report its health using the TPM attestation functions, an AIK certificate must be
provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is
provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature
over the platform log state (and a monotonic counter value) at each boot by using the AIK.
The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM
for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be
used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for
limited, TPM-defined operations.
Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is
hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a
real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established
these facts, it will issue an AIK certificate to the Windows 10-based device.
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an
endorsement certificate. To accommodate those devices, Windows 10 allows the issuance of AIK
certificates without the presence of an endorsement certificate. Such AIK certificates are not issued by
Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the
device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for
Business without TPM.
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the
attestation process. This information can be leveraged by a relying party to decide whether to reject devices that
are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to
not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an
endorsement certificate.
Storage root key
The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has
a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is
created when the ownership of the TPM is taken.
Platform Configuration Registers
The TPM contains a set of registers that are designed to provide a cryptographic representation of the software
and state of the system that booted. These registers are called Platform Configuration Registers (PCRs).
The measurement of the boot sequence is based on the PCR and TCG log. To establish a static root of trust, when
the device is starting, the device must be able to measure the firmware code before execution. In this case, the Core
Root of Trust for Measurement (CRTM) is executed from the boot, calculates the hash of the firmware, then stores
it by expanding the register PCR [0] and transfers execution to the firmware.
PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to
measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components
take the hash of the next component that is to be run and record the measurements in the PCRs. The initial
component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are
required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative
hash of the components that have been measured.
The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with
details of what has been measured, and the PCRs merely ensure that the log has not been tampered with. The logs
are referred to as a TCG log. Each time a register PCR is extended, an entry is added to the TCG log. Thus, throughout
the boot process, a trace of the executable code and configuration data is created in the TCG log.
TPM provisioning
For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning
differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner
authorization data (ownerAuth) for the TPM being stored locally on the registry.
When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored ownerAuth
values by looking in the registry at the following ___location:
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement
During the provisioning process, the device may need to be restarted.
Note that the Get-TpmEndorsementKeyInfo PowerShell cmdlet can be used with administrative privilege to get
information about the endorsement key and certificates of the TPM.
If the TPM ownership is not known but the EK exists, the client library will provision the TPM, will store the
resulting ownerAuth value in the registry if the policy allows it, and will store the SRK public portion at the following
___location: HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin\SRKPub
As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is
performed, the resulting AIK public portion is stored in the registry at the following ___location:
HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\WindowsAIKPub
Note: For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard
URL: https://*.microsoftaik.azure.net
Note: Both device and MDM servers must have access to has.spserv.microsoft.com using the TCP protocol
on port 443 (HTTPS).
Checking that a TPM attestation and the associated log are valid takes several steps:
1. First, the server must check that the reports are signed by trustworthy AIKs. This might be done by checking
that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked.
2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is
a valid signature over PCR values.
3. Next the logs should be checked to ensure that they match the PCR values reported.
4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent known or
valid security configurations. For example, a simple check might be to see whether the measured early OS
components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is
up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to
determine whether or not the client should be granted access to a resource.
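The PCR extend operation and the log replay and policy evaluation from the verification steps above, as an added Python example that is not code from Microsoft or the Health Attestation Service. The event descriptions, digests, PCR indexes and policy are constructed for illustration, and the AIK trust and quote-signature checks (steps 1 and 2) are represented by flags the caller supplies.

```python
"""Replay a TCG-style measurement log against quoted PCR values.

Added example, not Microsoft code. It models a verifier's steps: trust the
AIK, accept the quote signature, replay the log to reproduce the quoted
PCRs, then judge the measured components against a policy.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

DIGEST_LEN = 32  # SHA-256 bank; PCRs start at zero on platform reset


@dataclass(frozen=True)
class LogEvent:
    pcr: int          # PCR index the event was extended into
    digest: bytes     # digest of the measured component (32 bytes)
    description: str  # what was measured (executable path, policy, ...)


@dataclass(frozen=True)
class Policy:
    known_good: Dict[str, bytes]  # description -> expected digest
    required: Tuple[str, ...]     # descriptions that must appear in the log


def extend_pcr(current: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || digest); order matters."""
    if len(current) != DIGEST_LEN or len(digest) != DIGEST_LEN:
        raise ValueError("PCR and event digests must be 32 bytes (SHA-256)")
    return hashlib.sha256(current + digest).digest()


def replay_log(events: List[LogEvent]) -> Dict[int, bytes]:
    """Recompute every PCR touched by the log, starting each at zero."""
    pcrs: Dict[int, bytes] = {}
    for ev in events:
        prev = pcrs.get(ev.pcr, bytes(DIGEST_LEN))
        pcrs[ev.pcr] = extend_pcr(prev, ev.digest)
    return pcrs


def measure(component: bytes) -> bytes:
    """Digest of a component as a boot stage would record it (constructed)."""
    return hashlib.sha256(component).digest()


def verify_attestation(aik_trusted: bool, quote_valid: bool,
                       quoted_pcrs: Dict[int, bytes], log: List[LogEvent],
                       policy: Policy) -> Tuple[bool, List[str]]:
    """Return (healthy, findings) following the four verification steps."""
    findings: List[str] = []
    if not aik_trusted:                      # step 1: AIK known and trusted
        return False, ["AIK not trusted by relying party"]
    if not quote_valid:                      # step 2: signature over PCRs
        return False, ["quote signature invalid"]
    replayed = replay_log(log)               # step 3: log must match quote
    for idx, quoted in sorted(quoted_pcrs.items()):
        if replayed.get(idx, bytes(DIGEST_LEN)) != quoted:
            findings.append(f"PCR[{idx}] does not match replayed log")
    if findings:
        return False, findings
    seen = {ev.description for ev in log}    # step 4: policy over events
    for ev in log:
        expected = policy.known_good.get(ev.description)
        if expected is not None and expected != ev.digest:
            findings.append(f"unexpected measurement for {ev.description}")
    for name in policy.required:
        if name not in seen:
            findings.append(f"required component not measured: {name}")
    return (not findings), findings


def sample_boot() -> Tuple[List[LogEvent], Dict[int, bytes], Policy]:
    """Constructed boot log, the PCRs a genuine TPM would quote, a policy."""
    firmware = measure(b"constructed firmware image v1")
    winload = measure(b"constructed winload.efi")
    ci_policy = measure(b"constructed signed Device Guard CI policy")
    elam = measure(b"constructed WdBoot.sys ELAM driver")
    log = [
        LogEvent(0, firmware, "firmware"),
        LogEvent(4, winload, r"\Windows\System32\winload.efi"),
        LogEvent(7, ci_policy, "DeviceGuardCodeIntegrityPolicy"),
        LogEvent(4, elam, r"\Windows\System32\drivers\WdBoot.sys"),
    ]
    quoted = replay_log(log)  # an honest quote reports exactly these values
    policy = Policy(
        known_good={r"\Windows\System32\winload.efi": winload,
                    r"\Windows\System32\drivers\WdBoot.sys": elam},
        required=(r"\Windows\System32\drivers\WdBoot.sys",),
    )
    return log, quoted, policy


if __name__ == "__main__":
    log, quoted, policy = sample_boot()
    print(verify_attestation(True, True, quoted, log, policy))
```

A log edited after the fact fails step 3 because the quoted PCR no longer replays, while a boot that skipped the ELAM driver replays cleanly and is caught only by the step 4 policy.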
The Health Attestation Service provides the following information to an MDM solution about the health of the
device:
Secure Boot enablement
Boot and kernel debug enablement
BitLocker enablement
VSM enabled
Signed or unsigned Device Guard Code Integrity policy measurement
ELAM loaded
Safe Mode boot, DEP enablement, test signing enablement
Device TPM has been provisioned with a trusted endorsement certificate
For completeness of the measurements, see Health Attestation CSP.
The following table presents some key items that can be reported back to MDM depending on the type of
Windows 10-based device.
Note: The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the
quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for
validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns.
Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet
health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution.
Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant
devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a
consequence for unhealthy devices like refusing access to high-value assets. That is the purpose of conditional
access control, which is detailed in the next section.
Note: For the latest information on Intune and Windows 10 features support, see the Microsoft Intune blog
and What's new in Microsoft Intune.
The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based
Intune MDM service.
An MDM solution can then leverage health state statements and take them to the next level by coupling with client
policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware
free, its antimalware system is functional and up to date, the firewall is running, and the device's patch state is
compliant.
Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This
feature is much needed for BYOD devices that need to access organizational resources.
Built-in support of MDM in Windows 10
Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage
Windows 10-based devices without requiring a separate agent.
Third-party MDM server support
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is
able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise
management tasks. For additional information, see Azure Active Directory integration with MDM.
Note: MDM servers do not need to create or download a client to manage Windows 10. For more
information, see Mobile device management.
The third-party MDM server will have the same consistent first-party user experience for enrollment, which also
provides simplicity for Windows 10 users.
Management of Windows Defender by third-party MDM
This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage
health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that
aren’t ___domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar
with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that
currently only manage ___domain joined devices through Group Policy will find it easy to transition to managing
Windows 10-based devices by using MDM because many of the settings and actions are shared across both
mechanisms.
For more information on how to manage Windows 10 security and system settings with an MDM solution, see
Custom URI settings for Windows 10 devices.
Conditional access control
On most platforms, the Azure Active Directory (Azure AD) device registration happens automatically during
enrollment. The device states are written by the MDM solution into Azure AD, and then read by Office 365 (or by
any authorized Windows app that interacts with Azure AD) the next time the client tries to access an Office 365
compatible workload.
If the device is not registered, the user will get a message with instructions on how to register (also known as
enrolling). If the device is not compliant, the user will get a different message that redirects them to the MDM web
portal where they can get more information on the compliance problem and how to resolve it.
Azure AD authenticates the user and the device, MDM manages the compliance and conditional access policies,
and the Health Attestation Service reports about the health of the device in an attested way.
Note: Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy
based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the
Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud! blog post.
When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single sign-on to access
company applications and enforces conditional access policy to grant access to a service not only the first time the
user requests access, but every time the user requests to renew access.
The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the
compliance policy is not met at the time of request for renewal.
Depending on the type of email application that employees use to access Exchange online, the path to establish
secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange
Online, and Intune, are the same. The IT experience and end-user experience also are similar.
Clients that attempt to access Office 365 will be evaluated for the following properties:
Is the device managed by an MDM?
Is the device registered with Azure AD?
Is the device compliant?
To get to a compliant state, the Windows 10-based device needs to:
Enroll with an MDM solution.
Register with Azure AD.
Be compliant with the device policies set by the MDM solution.
Note: At the present time, conditional access policies are selectively enforced on users on iOS and Android
devices. For more information, see the Azure AD, Microsoft Intune and Windows 10 – Using the cloud to
modernize enterprise mobility! blog post.
Note: Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't
have an Azure AD Premium subscription, you can get a trial from the Microsoft Azure site.
For on-premises applications there are two options to enable conditional access control based on a device's
compliance state:
For on-premises applications that are published through the Azure AD Application Proxy, you can configure
conditional access control policies as you would for cloud applications. For more details, see the Azure AD
Conditional Access preview updated: Now supports On-Premises and Custom LOB apps blog post.
Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD.
ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT
pros will configure conditional access control policies in ADFS that use the device's compliance state reported
by a compatible MDM solution to secure on-premises applications.
Related topics
Protect derived ___domain credentials with Credential Guard
Device Guard deployment guide
Trusted Platform Module technology overview
Mitigate threats by using Windows 10 security features
12/18/2019 • 31 minutes to read
Applies to:
Windows 10
This topic provides an overview of some of the software and firmware threats faced in the current security
landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related
types of protection offered by Microsoft, see Related topics.
SECTION CONTENTS
The security threat landscape: Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats.
Windows 10 mitigations that you can configure: Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in Table 1, and memory protection options such as Data Execution Prevention appear in Table 2.
Mitigations that are built in to Windows 10: Provides descriptions of Windows 10 mitigations that require no configuration; they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10.
Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit: Describes how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10.
This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections
work with other security defenses in Windows 10, as shown in the following illustration:
Figure 1. Device protection and threat resistance as part of the Windows 10 security defenses
Windows Defender SmartScreen helps prevent malicious applications from being downloaded:
Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.
Enterprise certificate pinning helps prevent man-in-the-middle attacks that leverage PKI:
Enterprise certificate pinning enables you to protect your internal ___domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.
Device Guard helps keep a device from running malware or other untrusted apps:
Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps, the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016.
Blocking of untrusted fonts helps prevent fonts from being used in elevation-of-privilege attacks:
Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an AppContainer sandbox (for a list describing this and other kernel pool protections, see Kernel pool protections, later in this topic).
UEFI Secure Boot helps protect the platform from bootkits and rootkits:
Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in the kernel after startup.
Early Launch Antimalware (ELAM) helps protect the platform from rootkits disguised as drivers:
Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.
Device Health Attestation helps prevent compromised devices from accessing an organization’s assets:
Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.
Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth
understanding of these threats and mitigations and knowledge about how the operating system and applications
handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover
whether a given setting interferes with any applications that you use so that you can deploy settings that maximize
protection while still allowing apps to run correctly.
As an IT professional, you can ask application developers and software vendors to deliver applications that include
an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system;
the protection is compiled into applications. More information can be found in Control Flow Guard.
Table 2 Configurable Windows 10 mitigations designed to help protect against memory exploits
MITIGATION AND CORRESPONDING THREAT / DESCRIPTION
Data Execution Prevention (DEP) helps prevent exploitation of buffer overruns:
Data Execution Prevention (DEP) is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not. More information: Data Execution Prevention, later in this topic.
SMB hardening for SYSVOL and NETLOGON shares helps mitigate man-in-the-middle attacks:
Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on ___domain controllers now require SMB signing and mutual authentication (such as Kerberos).
Universal Windows apps protections screen downloadable apps and run them in an AppContainer sandbox:
Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities. More information: Universal Windows apps protections, later in this topic.
Heap protections help prevent exploitation of the heap:
Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.
Kernel pool protections help prevent exploitation of pool memory used by the kernel:
Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.
Control Flow Guard helps mitigate exploits that are based on flow between code locations in memory:
Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015. For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
Protections built into Microsoft Edge (the browser) help mitigate multiple threats:
Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements. More information: Microsoft Edge and Internet Explorer 11, later in this topic.
NOTE
The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group
Policy or other registry values. For more information on these security improvements (also referred to as UNC hardening),
see Microsoft Knowledge Base article 3000483 and MS15-011 & MS15-014: Hardening Group Policy.
Protected Processes
Most security controls are designed to prevent the initial infection point. However, despite all the best preventative
controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on
malware that gets on the device. Protected Processes creates limits of this type.
With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those
that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes
are prevented from interacting with, and therefore attacking, more trusted processes. Windows 10 uses Protected
Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can
be used by third-party anti-malware vendors, as described in Protecting Anti-Malware Services. This helps make the
system and antimalware solutions less susceptible to tampering by malware that does manage to get on the
system.
Universal Windows apps protections
When users download Universal Windows apps from the Microsoft Store, it’s unlikely that they will encounter
malware because all apps go through a careful screening process before being made available in the store. Apps
that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure
that they meet organizational security requirements.
Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal
Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal
Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no
access to data unless the user explicitly grants the application permission.
In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the
minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage
the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the
exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and
publisher.
Windows heap protections
The heap is a ___location in memory that Windows uses to store dynamic application data. Windows 10 continues to
improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part
of an attack.
Windows 10 has several important improvements to the security of the heap:
Heap metadata hardening for internal data structures that the heap uses, to improve protections against
memory corruption.
Heap allocation randomization, that is, the use of randomized locations and sizes for heap memory
allocations, which makes it more difficult for an attacker to predict the ___location of critical memory to
overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which
makes the allocation much less predictable.
Heap guard pages before and after blocks of memory, which work as tripwires. If an attacker attempts to
write past a block of memory (a common technique known as a buffer overflow ), the attacker will have to
overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and
Windows 10 responds by instantly terminating the app.
Kernel pool protections
The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory
(“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many types
of attacks that have been attempted against these pools, such as process quota pointer encoding; lookaside, delay
free, and pool page cookies; and PoolIndex bounds checks. Windows 10 has multiple “pool hardening” protections,
such as integrity checks, that help protect the kernel pool against such attacks.
In addition to pool hardening, Windows 10 includes other kernel hardening features:
Kernel DEP and Kernel ASLR: Follow the same principles as Data Execution Prevention and Address
Space Layout Randomization, described earlier in this topic.
Font parsing in AppContainer: Isolates font parsing in an AppContainer sandbox.
Disabling of NT Virtual DOS Machine (NTVDM): The old NTVDM kernel module (for running 16-bit
applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM
decreases protection against Null dereference and other exploits.)
Supervisor Mode Execution Prevention (SMEP): Helps prevent the kernel (the “supervisor”) from
executing code in user pages, a common technique used by attackers for local kernel elevation of privilege
(EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN
support.
Safe unlinking: Helps protect against pool overruns that are combined with unlinking operations to create
an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to
all usage of LIST_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process
termination.
Memory reservations: The lowest 64 KB of process memory is reserved for the system. Apps are not
allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques
such as “NULL dereference” to overwrite critical system data structures in memory.
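To make the safe unlinking check concrete, here is an added C example; it is not code from this page or from Windows, and its list type, chunk structure and fast_fail() stand-in are constructed for illustration. It keeps a LIST_ENTRY-style doubly linked list, contrasts the classic unlink with the checked one, and shows that a simulated pool overrun that corrupts an entry's links is caught before the unlink writes anywhere:

```c
/* Added example, not code from this page or from Windows: a LIST_ENTRY-style
 * doubly linked list with the "safe unlinking" integrity check that Windows
 * applies to heap and kernel pool lists. */
#include <stdio.h>
#include <stdint.h>

typedef struct list_entry {
    struct list_entry *flink;   /* forward link, like LIST_ENTRY.Flink */
    struct list_entry *blink;   /* backward link, like LIST_ENTRY.Blink */
} list_entry;

/* Stand-in for a heap or pool chunk whose header carries the list links. */
typedef struct {
    list_entry links;
    uint32_t size;
} chunk;

/* Stand-in for the FastFail mechanism: a real kernel or heap would terminate
 * the process here instead of returning. The counter lets callers observe it. */
static int fast_fail_count = 0;
static void fast_fail(const char *why)
{
    fast_fail_count++;
    fprintf(stderr, "FAST_FAIL: %s\n", why);
}

void list_init(list_entry *head) { head->flink = head->blink = head; }

void list_insert_tail(list_entry *head, list_entry *e)
{
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Classic unlink with no check: both writes go through pointers read from the
 * entry itself, so an overrun that rewrote Flink/Blink turns this into a write
 * of one chosen value to one chosen address. Shown for contrast, not used. */
void unlink_unchecked(list_entry *e)
{
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}

/* Safe unlink: both neighbours must still point back at e before anything is
 * written. Returns 1 when the entry was removed, 0 when the check failed. */
int unlink_safe(list_entry *e)
{
    if (e->flink->blink != e || e->blink->flink != e) {
        fast_fail("LIST_ENTRY links do not agree; entry is corrupted");
        return 0;
    }
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = NULL;   /* poison so a later reuse of e is caught */
    return 1;
}

int list_length(const list_entry *head)
{
    int n = 0;
    for (const list_entry *p = head->flink; p != head; p = p->flink) n++;
    return n;
}

/* Walks through a legitimate removal, then a removal of an entry whose Blink
 * was overwritten (the effect of an overrun from the neighbouring chunk).
 * Returns 1 if the good unlink succeeded, the corrupted one was refused,
 * exactly one fast-fail was raised, and the list is still consistent. */
int demo_safe_unlinking(void)
{
    list_entry head;
    chunk a = {{NULL, NULL}, 16}, b = {{NULL, NULL}, 32}, c = {{NULL, NULL}, 64};
    fast_fail_count = 0;
    list_init(&head);
    list_insert_tail(&head, &a.links);
    list_insert_tail(&head, &b.links);
    list_insert_tail(&head, &c.links);

    int good = unlink_safe(&b.links);           /* list is now head <-> a <-> c */

    list_entry bogus = {NULL, NULL};            /* constructed bad pointer target */
    c.links.blink = &bogus;                     /* simulated corruption of c's header */
    int refused = !unlink_safe(&c.links);

    return good && refused && fast_fail_count == 1 && list_length(&head) == 2;
}

int main(void)
{
    printf("safe unlinking demo: %s\n", demo_safe_unlinking() ? "ok" : "FAILED");
    return 0;
}
```

The point to take away is the ordering: the check reads both neighbours before either write, so a corrupted Flink or Blink is detected instead of being turned into an arbitrary pointer write. Windows pairs this check with the FastFail mechanism the page mentions, so the process is terminated immediately rather than continuing with corrupted state.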
Control Flow Guard
When applications are loaded into memory, they are allocated space based on the size of the code, requested
memory, and other factors. When an application begins to execute code, it calls additional code located in other
memory addresses. The relationships between the code locations are well known—they are written in the code
itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the
opportunity to change the flow to meet their needs.
This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted
application that was compiled to use CFG calls code, CFG verifies that the code ___location called is trusted for
execution. If the ___location is not trusted, the application is immediately terminated as a potential security risk.
An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring
it when the application is compiled. Consider asking application developers and software vendors to deliver
trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications
written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a
Visual Studio 2015 project, see Control Flow Guard.
Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full
advantage of CFG.
Microsoft Edge and Internet Explorer 11
Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s
interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users
cannot perform at least part of their job without a browser, and many users are completely reliant on one. This
reality has made the browser the common pathway from which malicious hackers initiate their attacks.
All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two
common examples of this are Flash and Java extensions that enable their respective applications to run inside a
browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is
a priority.
Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways,
especially:
Smaller attack surface; no support for non-Microsoft binary extensions. Multiple browser
components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that
have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs),
ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default
through built-in extensions.
Runs 64-bit processes. A 64-bit PC running an older version of Windows often runs in 32-bit compatibility
mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only
64-bit processes, which are much more secure against exploits.
Includes Memory Garbage Collection (MemGC). This helps protect against use-after-free (UAF) issues.
Designed as a Universal Windows app. Microsoft Edge is inherently compartmentalized and runs in an
AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can
also take advantage of the same AppContainer technology through Enhanced Protected Mode. However,
because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range
of attacks than Microsoft Edge.
Simplifies security configuration tasks. Because Microsoft Edge uses a simplified application structure
and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge
default settings align with security best practices, which makes it more secure by default.
In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with
websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the
primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the
primary web browser because it provides compatibility with the modern web and the best possible security.
For sites that require IE11 compatibility, including those that require binary extensions and plug-ins, enable
Enterprise Mode and use the Enterprise Mode Site List to define which sites have the dependency. With this
configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11.
Functions that software vendors can use to build mitigations into apps
Some of the protections available in Windows 10 are provided through functions that can be called from apps or
other software. Such software is less likely to provide openings for exploits. If you are working with a software
vendor, you can request that they include these security-oriented functions in the application. The following table
lists some types of mitigations and the corresponding security-oriented functions that can be used in apps.
NOTE
Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For
more information, see Control Flow Guard, earlier in this topic.
Child Process Restriction, to restrict the ability to create child processes: UpdateProcThreadAttribute function [PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY]
Win32k System Call Disable Restriction, to restrict the ability to use NTUser and GDI: SetProcessMitigationPolicy function [ProcessSystemCallDisablePolicy]
Strict handle checks, to raise an immediate exception upon a bad handle reference: UpdateProcThreadAttribute function [PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON]
Extension point disable, to block the use of certain third-party extension points: UpdateProcThreadAttribute function [PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON]
Load Library Check (LoadLib) and Memory Protection Check (MemProt): LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic.
Null Page: Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.
Heap Spray, EAF, and EAF+: Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.
The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process,
or it can save all settings to an XML file.
To get the current settings on all running instances of notepad.exe:
To get the current settings for the running process with pid 1304:
To get all process mitigation settings from the registry and save them to the XML file settings.xml:
The Set-ProcessMitigation cmdlet can enable and disable process mitigations or set them in bulk from an XML file.
To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and
disable MandatoryASLR:
To set the process mitigations from an XML file (which can be generated from Get-ProcessMitigation -RegistryConfigFilePath settings.xml):
The ConvertTo-ProcessMitigationPolicy cmdlet converts mitigation policy file formats. The syntax is:
Examples:
Convert EMET settings to Windows 10 settings: You can run ConvertTo-ProcessMitigationPolicy and
provide an EMET XML settings file as input, which will generate a result file of Windows 10 mitigation
settings. For example:
Audit and modify the converted settings (the output file): Additional cmdlets let you apply, enumerate,
enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables
MandatoryASLR and DEPATL registry settings for Notepad:
Convert Attack surface reduction (ASR) settings to a Code Integrity policy file: If the input file
contains any settings for EMET’s Attack surface reduction (ASR) mitigation, the converter will also create a
Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for
the Code Integrity policy, as described in Deploy Device Guard: deploy code integrity policies. This will
enable protections on Windows 10 equivalent to EMET’s ASR protections.
Convert Certificate Trust settings to enterprise certificate pinning rules: If you have an EMET
“Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to
convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling
that file as described in Enterprise Certificate Pinning. For example:
EMET-related products
Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of
options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET
Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are
interested in similar capabilities, we recommend evaluating Microsoft Defender Advanced Threat Protection (ATP).
Related topics
Security and Assurance in Windows Server 2016
Microsoft Defender Advanced Threat Protection (ATP) - resources
Microsoft Defender Advanced Threat Protection (ATP) - documentation
Exchange Online Advanced Threat Protection Service Description
Office 365 Advanced Threat Protection
Microsoft Malware Protection Center
Override Process Mitigation Options to help enforce app-related security policies
12/3/2019 • 3 minutes to read
Applies to:
Windows 10, version 1607
Windows Server 2016
Windows 10 includes Group Policy-configurable “Process Mitigation Options” that add advanced protections against
memory-based attacks, that is, attacks where malware manipulates memory to gain control of a system. For example,
malware might attempt to use buffer overruns to inject malicious executable code into memory, but Process Mitigation
Options can prevent the running of the malicious code.
IMPORTANT
We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with
your organization’s required apps.
The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types
are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can
configure additional protections. The types of process mitigations are:
Data Execution Prevention (DEP) is a system-level memory protection feature that enables the operating
system to mark one or more pages of memory as non-executable, preventing code from being run from that
region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from
data pages such as the default heap, stacks, and memory pools. For more information, see Data Execution
Prevention.
Structured Exception Handling Overwrite Protection (SEHOP) is designed to block exploits that use the
Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at
run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For
more information, see Structured Exception Handling Overwrite Protection.
Address Space Layout Randomization (ASLR) loads DLLs into random memory addresses at boot time to
mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected
to be loaded. For more information, see Address Space Layout Randomization. To find additional ASLR
protections in the table below, look for IMAGES or ASLR.
The following procedure describes how to use Group Policy to override individual Process Mitigation Options
settings.
To modify Process Mitigation Options
1. Open your Group Policy editor and go to the Administrative Templates\System\Mitigation
Options\Process Mitigation Options setting.
2. Click Enabled, and then in the Options area, click Show to open the Show Contents box, where you’ll be able
to add your apps and the appropriate bit flag values, as shown in the Setting the bit field and Example sections of
this topic.
Important
For each app you want to include, you must include:
Value name. The app file name, including the extension. For example, iexplore.exe.
Value. A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is
forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value).
Note
Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
Setting the bit field
Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings:
Where the bit flags are read from right to left and are defined as:
Example
If you want to turn on the PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and
PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON settings, turn off the
PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF setting, and leave everything
else as the default values, you’d want to type a value of ???????????????0???????1???????1 .
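The functions table under "Functions that software vendors can use to build mitigations into apps" and the bit-field Example above describe the same PROCESS_CREATION_MITIGATION_POLICY_* flags in two forms: a 64-bit mask passed to UpdateProcThreadAttribute, and the right-to-left 0/1/? string typed into the Group Policy setting. The following added C example, which is not code from this page or from Windows, converts between the two and reproduces the page's example value. The flag values for DEP_ENABLE (0x1) and FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x100) are the public Windows SDK definitions; for the flag the example forces off, the block uses bit position 16 as read from the page's value string rather than naming a header constant. The 32-character width and the launch_with_mitigations() helper (compiled only on Windows) are assumptions of the example.

```c
/* Added example, not code from this page or from Windows: converts between the
 * PROCESS_CREATION_MITIGATION_POLICY_* mask that UpdateProcThreadAttribute
 * takes and the right-to-left 0/1/? string that the Process Mitigation Options
 * Group Policy setting expects. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Public Windows SDK values for the two flags the page's example forces on. */
#define POLICY_DEP_ENABLE                       0x0000000000000001ULL   /* bit 0 */
#define POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON  0x0000000000000100ULL   /* bit 8 */
#define POLICY_BIT(n)                           (1ULL << (n))
/* Position 16 is the bit the page's example value forces off (taken from the
 * example string, not from a header constant). */
#define PAGE_EXAMPLE_FORCED_OFF_BIT             16

/* Width of the page's example value; assumed, since the flag table is not
 * reproduced on the page. */
#define MITIGATION_FIELD_WIDTH 32

/* Build the Group Policy value. Character i counted from the right is '1' when
 * bit i is in force_on, '0' when it is in force_off, '?' otherwise (keep the
 * existing value). Returns 0 on success, -1 if the masks overlap or the
 * buffer is too small. */
int build_mitigation_field(uint64_t force_on, uint64_t force_off,
                           char *out, size_t out_len)
{
    if (out_len < MITIGATION_FIELD_WIDTH + 1 || (force_on & force_off)) return -1;
    for (int bit = 0; bit < MITIGATION_FIELD_WIDTH; bit++) {
        char c = '?';
        if (force_on & POLICY_BIT(bit)) c = '1';
        else if (force_off & POLICY_BIT(bit)) c = '0';
        out[MITIGATION_FIELD_WIDTH - 1 - bit] = c;   /* rightmost char is bit 0 */
    }
    out[MITIGATION_FIELD_WIDTH] = '\0';
    return 0;
}

/* Inverse: read an existing value string back into masks so a deployed GPO
 * can be audited. Rejects any character other than 0, 1 or ?. */
int parse_mitigation_field(const char *field, uint64_t *force_on, uint64_t *force_off)
{
    size_t n = strlen(field);
    if (n == 0 || n > 64) return -1;
    *force_on = 0;
    *force_off = 0;
    for (size_t i = 0; i < n; i++) {
        int bit = (int)(n - 1 - i);
        switch (field[i]) {
        case '1': *force_on  |= POLICY_BIT(bit); break;
        case '0': *force_off |= POLICY_BIT(bit); break;
        case '?': break;
        default:  return -1;
        }
    }
    return 0;
}

/* Convenience check: does (force_on, force_off) render exactly as expected? */
int field_equals(uint64_t force_on, uint64_t force_off, const char *expected)
{
    char buf[MITIGATION_FIELD_WIDTH + 1];
    return build_mitigation_field(force_on, force_off, buf, sizeof buf) == 0
        && strcmp(buf, expected) == 0;
}

#ifdef _WIN32
#include <windows.h>
/* Apply the same flags to one child process at creation time through the API
 * the page's function table lists, instead of through Group Policy. */
BOOL launch_with_mitigations(LPWSTR cmdline, DWORD64 policy)
{
    SIZE_T size = 0;
    InitializeProcThreadAttributeList(NULL, 1, 0, &size);   /* sizing call */
    LPPROC_THREAD_ATTRIBUTE_LIST attrs =
        (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
    if (attrs == NULL) return FALSE;
    if (!InitializeProcThreadAttributeList(attrs, 1, 0, &size)) {
        HeapFree(GetProcessHeap(), 0, attrs);
        return FALSE;
    }
    BOOL ok = UpdateProcThreadAttribute(attrs, 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
                                        &policy, sizeof(policy), NULL, NULL);
    STARTUPINFOEXW si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.StartupInfo.cb = sizeof(si);
    si.lpAttributeList = attrs;
    if (ok) ok = CreateProcessW(NULL, cmdline, NULL, NULL, FALSE,
                                EXTENDED_STARTUPINFO_PRESENT, NULL, NULL,
                                &si.StartupInfo, &pi);
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    DeleteProcThreadAttributeList(attrs);
    HeapFree(GetProcessHeap(), 0, attrs);
    return ok;
}
#endif

int main(void)
{
    char field[MITIGATION_FIELD_WIDTH + 1];
    uint64_t on  = POLICY_DEP_ENABLE | POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON;
    uint64_t off = POLICY_BIT(PAGE_EXAMPLE_FORCED_OFF_BIT);
    if (build_mitigation_field(on, off, field, sizeof field) == 0)
        printf("%s\n", field);   /* the page's example value */
    return 0;
}
```

Building the string from named flag values rather than counting question marks by hand avoids the off-by-one errors the Note above warns about, and parse_mitigation_field() lets you audit a value that is already deployed in Group Policy by turning it back into the masks.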
Use Windows Event Forwarding to help with intrusion detection
12/4/2019 • 25 minutes to read
Applies to
Windows 10
Windows Server
Learn about an approach to collect events from devices in your organization. This article talks about events in both
normal operations and when an intrusion is suspected.
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your
organization and forwards the events you choose to a Windows Event Collector (WEC) server.
To accomplish this, two different subscriptions are published to client devices: the Baseline subscription
and the Suspect subscription. The Baseline subscription enrolls all devices in your organization, and the Suspect
subscription only includes devices that have been added by you. The Suspect subscription collects additional events
to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios
as needed without impacting baseline operations.
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices
with online analytical capability, such as a Security Event Manager (SEM), while also sending events to a MapReduce
system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect
subscription are sent directly to a MapReduce system because of their volume and lower signal-to-noise ratio; they are
largely used for host forensic analysis.
An SEM’s strength lies in being able to inspect and correlate events, generate alerts for known patterns,
and alert security staff at machine speed.
A MapReduce system has a longer retention time (years versus months for an SEM ), larger ingress ability
(hundreds of terabytes per day), and the ability to perform more complex operations on the data like statistical and
trend analysis, pattern clustering analysis, or apply Machine Learning algorithms.
Here's an approximate scaling guide for WEF events:
Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF
implementation, including enabling of disabled event logs and setting channel permissions. For more info, see
Appendix C - Event channel settings (enable and channel access) methods. This is because WEF is a passive system
with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change
channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events.
Additionally, having event generation already occurring on a device allows for more complete event collection, building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences.
For the minimum recommended audit policy and registry system ACL settings, see Appendix A - Minimum
recommended minimum audit policy and Appendix B - Recommended minimum registry system ACL policy.
Note: These are only the minimum values needed to meet what the WEF subscription selects.
From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, and this access would be determined by an algorithm or an analyst’s direction. All devices should have access to the Baseline subscription.
This means you would create two base subscriptions:
Baseline WEF subscription. Events collected from all hosts; this includes some role-specific events, which will only be emitted by those machines.
Targeted WEF subscription. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems.
Each uses its respective event query from the appendices. Note that for the Targeted subscription the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client.
Appendix E – Annotated Baseline Subscription Event Query and Appendix F – Annotated Suspect Subscription Event Query contain the event query XML to use when creating the WEF subscriptions. These are annotated for query purpose and clarity. Individual <Query> elements can be removed or edited without affecting the rest of the query.
Common WEF questions
This section addresses common questions from IT pros and customers.
Will the user notice if their machine is enabled for WEF or if WEF encounters an error?
The short answer is: No.
The longer answer is: The Eventlog-forwardingPlugin/Operational event channel logs the success, warning,
and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and
navigates to that channel, they will not notice WEF either through resource consumption or Graphical User
Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or performance
degradation. All success, warning, and failure events are logged to this operational event channel.
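The article says that WEF problems are only visible in the Eventlog-ForwardingPlugin/Operational channel, so the natural defensive check is a script that reads that channel for you. The following is an added example, not code from the Microsoft article: it summarizes the channel over a look-back window (the 24-hour default is an assumption) and also reports the collector address the GPO pushed to the client, since a push client with no SubscriptionManager value has nothing to forward to.

```powershell
# Added example, not from the Microsoft article: a client-side WEF health check.
# Reads the Eventlog-ForwardingPlugin/Operational channel (where all success,
# warning and error events for subscriptions land) and the policy value that
# points a source-initiated (push) client at its collector. Run on a WEF client;
# the look-back window is an assumption.

function Get-WefClientHealth {
    param([int]$Hours = 24)

    # Full channel name as registered on the device
    $channel = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
    $filter  = @{ LogName = $channel; StartTime = (Get-Date).AddHours(-$Hours) }
    $events  = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Level 1 = critical, 2 = error, 3 = warning, 4 = informational
    $problems = $events | Where-Object { $_.Level -le 3 }

    # Push clients learn their collector(s) from this policy key; the values are
    # named "1", "2", ... and contain "Server=http://collector:5985/...".
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $managers = if (Test-Path $policyKey) {
        (Get-ItemProperty -Path $policyKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    } else { @() }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        SubscriptionManager = @($managers)
        # The forwarding client rides on WinRM; if the service is stopped, nothing is sent
        WinRMRunning        = (Get-Service -Name WinRM).Status -eq 'Running'
        EventsInWindow      = $events.Count
        ByLevel             = ($events | Group-Object LevelDisplayName |
                                   ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        Problems            = @($problems | Select-Object TimeCreated, Id, LevelDisplayName, Message)
        LastEvent           = ($events | Sort-Object TimeCreated -Descending |
                                   Select-Object -First 1).TimeCreated
    }
}

# Usage (any user can read this channel; no elevation needed):
Get-WefClientHealth -Hours 48 | Format-List
```

An empty SubscriptionManager list together with zero events in the window means the GPO never reached the device; events present but with warnings means the subscription arrived and the collector is rejecting part of it, which is the "Partial Success" case the article mentions for the forwarding plugin channel.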
Is WEF Push or Pull?
A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO, and the built-in forwarding client is activated. For pull, or collector initiated, subscriptions, the subscription on the WEC server is pre-configured with the names of the WEF client devices from which events are to be selected. Those clients also have to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the Event Log Readers built-in local security group). A useful scenario: closely monitoring a specific set of machines.
Will WEF work over VPN or RAS?
WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and send any accumulated backlog of
events when the connection to the WEF Collector is re-established.
How is client progress tracked?
The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source
for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent
to the device to use as a starting point to resume forwarding events. If a WEF client has no events to send, the WEF
client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value
can be individually configured for each subscription.
Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment?
Yes. WEF is transport agnostic and will work over IPv4 or IPv6.
Are WEF events encrypted? I see an HTTP/HTTPS option!
In a ___domain setting, the connection used to transmit WEF events is encrypted using Kerberos by default (with NTLM as a fallback option, which can be disabled by using a GPO). Only the WEF collector can decrypt the connection. Additionally, the connection between the WEF client and the WEC server is mutually authenticated regardless of authentication type (Kerberos or NTLM). There are GPO options to force authentication to use Kerberos only. This authentication and encryption is performed regardless of whether HTTP or HTTPS is selected.
The HTTPS option is available if certificate-based authentication is used, in cases where the Kerberos-based mutual authentication is not an option. The SSL certificate and provisioned client certificates are used to provide mutual authentication.
Do WEF Clients have a separate buffer for events?
The WEF client machine’s local event log is the buffer for WEF when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file from which events are being selected. For more info, see Appendix C – Event Channel Settings (enable and Channel Access) methods.
When the event log overwrites existing events (resulting in data loss if the device is not connected to the Event Collector), no notification is sent to the WEF collector that events were lost from the client, and there is no indicator that a gap was encountered in the event stream.
What format is used for forwarded events?
WEF has two modes for forwarded events. The default is “Rendered Text”, which includes the textual description of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as “Binary” format), which is just the event XML itself sent in binary XML format (as it would be written to the evtx file). This is very compact and can more than double the event volume a single WEC server can accommodate.
A subscription such as “testSubscription” can be configured to use the Events format through the WECUTIL utility.
The built-in event delivery optimization options are:
Normal: This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time, and sets a batch timeout of 15 minutes.
Minimize bandwidth: This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours.
Minimize latency: This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds.
For more info about delivery options, see Configure Advanced Subscription Settings.
The primary difference is in the latency with which events are sent from the client. If none of the built-in options meet your requirements, you can set custom event delivery options for a given subscription from an elevated command prompt with the WECUTIL utility.
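The two WECUTIL operations described above (switching a subscription to the Events format, and replacing a built-in delivery mode with custom values), as an added example that is not code from the Microsoft article. The subscription name “testSubscription” is the article's; the batch size, latency and heartbeat values are assumptions chosen for illustration. Run from an elevated prompt on the WEC server.

```powershell
# Added example, not from the Microsoft article: wecutil.exe commands that
# change a subscription's content format and delivery settings on the collector.
# "testSubscription" is the name used in the article; the numbers below are
# illustrative assumptions. Run elevated on the WEC server.

$subscription = 'testSubscription'

# Send the event XML in binary form instead of the default rendered text
wecutil.exe ss $subscription /cf:Events

# The built-in configuration modes are Normal, MinLatency and MinBandwidth.
# Custom unlocks the individual knobs: items per batch, maximum latency (ms)
# before a partial batch is sent, and heartbeat interval (ms) when idle.
wecutil.exe ss $subscription /cm:Custom
wecutil.exe ss $subscription /dmi:500 /dmlt:30000 /hi:900000

# Read back the stored configuration, keeping only the settings changed here
wecutil.exe gs $subscription |
    Select-String -Pattern 'ContentFormat|ConfigurationMode|DeliveryMode|DeliveryMax|HeartbeatInterval'

# Runtime status: per-source last heartbeat and last error. This is the
# bookmark/heartbeat tracking described under "How is client progress tracked?"
wecutil.exe gr $subscription
```

Switching the format affects only events delivered after the change; events already stored in ForwardedEvents keep the rendered text they arrived with. The heartbeat value chosen here (15 minutes) is what lets `wecutil gr` show a client as active even when it has no events to send.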
Subscription information
The following lists all of the items that each subscription collects; the actual subscription XML is available in the appendices.
These are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll
(and remove) hosts on an as needed basis to the Targeted subscription.
Baseline subscription
While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions
should be allowed for unusual devices – a device performing complex developer related tasks can be expected to
create an unusually high volume of process create and AppLocker events.) This subscription does not require
special configuration on client devices to enable event channels or modify channel permissions.
The subscription is essentially a collection of query statements applied to the Event Log. This means that it is modular in nature, and a given query statement can be removed or changed without impacting other query statements in the subscription. Additionally, suppress statements, which filter out specific events, only apply within that query statement and not to the entire subscription.
Baseline subscription requirements
To gain the most value out of the baseline subscription, we recommend setting the following requirements on the device to ensure that the clients are already generating the required events to be forwarded off the system.
Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info,
see Appendix A – Minimum Recommended minimum Audit Policy. This ensures that the security event log
is generating the required events.
Apply at least an Audit-Only AppLocker policy to devices.
If you are already whitelisting or blacklisting events by using AppLocker, then this requirement is met.
AppLocker events contain extremely useful information, such as file hash and digital signature
information for executables and scripts.
Enable disabled event channels and set the minimum size for modern event files.
Currently, there is no GPO template for enabling or setting the maximum size for the modern event files.
This must be done by using a GPO. For more info, see Appendix C – Event Channel Settings (enable and
Channel Access) methods.
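The article makes the same point twice: WEF is passive, so enabling disabled channels, growing the log files that act as the client-side buffer, and granting the forwarder read access must be done on the client before the subscription can collect anything. The following added example (not code from the Microsoft article or its Appendix C) does that for a handful of channels that items in the subscription lists depend on. The channel names are the real Windows channel names; the sizes are assumptions. It reports what would change and only commits with -Apply; in a ___domain these settings are normally delivered through a GPO instead.

```powershell
# Added example, not from the Microsoft article: put a client's event channels
# into the state the baseline subscription needs (enabled, large enough to
# buffer during a collector outage, readable by the forwarder). WEF cannot do
# this itself. Channel names are real; the sizes are assumptions. Run elevated.

# The forwarder runs as NETWORK SERVICE (S-1-5-20) and needs read access (0x1)
# on every channel the subscription selects from, including the Security log.
$ForwarderReadAce = '(A;;0x1;;;S-1-5-20)'

$Channels = @(
    @{ Name = 'Security';                                               MinBytes = 512MB }
    @{ Name = 'Microsoft-Windows-AppLocker/EXE and DLL';                MinBytes = 64MB }
    @{ Name = 'Microsoft-Windows-AppLocker/MSI and Script';             MinBytes = 64MB }
    @{ Name = 'Microsoft-Windows-PowerShell/Operational';               MinBytes = 128MB }
    @{ Name = 'Microsoft-Windows-DNS-Client/Operational';               MinBytes = 64MB }   # off by default
    @{ Name = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'; MinBytes = 16MB }   # off by default
)

function Set-WefSourceChannel {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][long]$MinBytes,
        [switch]$Apply
    )
    # EventLogConfiguration object: its settable properties are written back by SaveChanges()
    $log = Get-WinEvent -ListLog $Name -ErrorAction Stop
    $changes = @()

    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $changes += 'enable'
    }
    if ($log.MaximumSizeInBytes -lt $MinBytes) {
        $changes += "size $($log.MaximumSizeInBytes) -> $MinBytes"
        $log.MaximumSizeInBytes = $MinBytes
    }
    $sddl = $log.SecurityDescriptor
    if ($sddl -and $sddl -notlike '*S-1-5-20*') {
        # Append the ACE to the DACL, keeping any SACL ("S:...") part at the end
        $log.SecurityDescriptor = if ($sddl -match '^(?<dacl>.*?)(?<sacl>S:.*)$') {
            $Matches.dacl + $ForwarderReadAce + $Matches.sacl
        } else {
            $sddl + $ForwarderReadAce
        }
        $changes += 'grant forwarder read'
    }

    if ($Apply -and $changes.Count -gt 0) { $log.SaveChanges() }

    [pscustomobject]@{
        Channel  = $Name
        Enabled  = $log.IsEnabled
        MaxBytes = $log.MaximumSizeInBytes
        Changes  = ($changes -join '; ')
        Applied  = $Apply.IsPresent
    }
}

# Report only; add -Apply inside the loop to commit the changes
foreach ($c in $Channels) { Set-WefSourceChannel @c }
```

Sizing is a trade-off the article leaves to you: the maximum file size is the only buffer a client has while it cannot reach the collector, and nothing tells the collector when that buffer wraps, so size the noisiest channels (Security, PowerShell) for the longest outage you expect to ride through.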
The annotated event query collects the following items. For more info, see Appendix F – Annotated Suspect Subscription Event Query.
Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any
given anti-malware product easily if it writes to the Windows event log.
Security event log Process Create events.
AppLocker Process Create events (EXE, script, packaged App installation and execution).
Registry modification events. For more info, see Appendix B – Recommended minimum Registry System
ACL Policy.
OS startup and shutdown
Startup events include operating system version, service pack level, QFE version, and boot mode.
Service install
Includes the name of the service, the image path, and who installed the service.
Certificate Authority audit events
This is only applicable on systems with the Certificate Authority role installed.
Logs certificate requests and responses.
User profile events
Use of a temporary profile or inability to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind.
Service start failure
Failure codes are localized, so you have to check the message DLL for values.
Network share access events
Filter out IPC$ and /NetLogon file shares, which are expected and noisy.
System shutdown initiate requests
Find out what initiated the restart of a device.
User initiated interactive logoff event
Remote Desktop Services session connect, reconnect, or disconnect.
EMET events, if EMET is installed.
Event forwarding plugin events
For monitoring WEF subscription operations, particularly Partial Success events. This is useful for
diagnosing deployment issues.
Network share create and delete
Enables detection of unauthorized share creation.
Logon sessions
Logon success for interactive (local and Remote Interactive/Remote Desktop)
Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on.
Logon success for batch sessions
Logon session close, which are logoff events for non-network sessions.
Windows Error Reporting (Application crash events only)
This can help detect early signs of an intruder who is not familiar with the enterprise environment using targeted malware.
Event log service events
Errors, start events, and stop events for the Windows Event Log service.
Event log cleared (including the Security Event Log)
This could indicate an intruder who is covering their tracks.
Special privileges assigned to new logon
This indicates that at the time of logon a user is either an Administrator or has the sufficient access to
make themselves Administrator.
Outbound Remote Desktop Services session attempts
Visibility into a potential beachhead for an intruder.
System time changed
SMB Client (mapped drive connections)
Account credential validation
Local accounts or ___domain accounts on ___domain controllers
A user was added or removed from the local Administrators security group.
Crypto API private key accessed
Associated with signing objects using the locally stored private key.
Task Scheduler task creation and delete
Task Scheduler allows intruders to run code at specified times as LocalSystem.
Logon with explicit credentials
Detect credential use changes by intruders to access additional resources.
Smartcard card holder verification events
This detects when a smartcard is being used.
Suspect subscription
This adds some possible intruder-related activity to help analysts further refine their determinations about the state of the device.
Logon session creation for network sessions
Enables time-series analysis of network graphs.
RADIUS and VPN events
Useful if you use a Microsoft IAS RADIUS/VPN implementation. It shows the user-to-IP-address assignment with the remote IP address connecting to the enterprise.
Crypto API X509 object and build chain events
Detects known bad certificate, CA, or sub-CA
Detects unusual process use of CAPI
Groups assigned to local logon
Gives visibility to groups which enable account wide access
Allows better planning for remediation efforts
Excludes well known, built-in system accounts.
Logon session exit
Specific for network logon sessions.
Client DNS lookup events
Returns what process performed a DNS query and the results returned from the DNS server.
Process exit
Enables checking for processes terminating unexpectedly.
Local credential validation or logon with explicit credentials
Generated when the local SAM is authoritative for the account credentials being authenticated.
Noisy on ___domain controllers
On client devices this is only generated when local accounts log on.
Registry modification audit events
Only when a registry value is being created, modified, or deleted.
Wireless 802.1x authentication
Detects wireless connections, with the peer MAC address.
Windows PowerShell logging
Covers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging
improvements for in-memory attacks using Windows PowerShell.
Includes Windows PowerShell remoting logging
User Mode Driver Framework “Driver Loaded” event
Can possibly detect a USB device loading multiple device drivers. For example, a USB_STOR device
loading the keyboard or network driver.
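The Baseline and Suspect lists above describe what the two subscriptions select, and the article's appendices carry the full query XML. As an added example (not the article's own appendix XML), here is a small QueryList in the same structure covering a few items from each list, a function that runs it locally with Get-WinEvent so a query can be validated on a client before it is published, and a function that wraps it into a source-initiated subscription file for `wecutil cs`. The event IDs are the current Security/channel IDs for the named items; the subscription name, description and the ACL on allowed source computers are assumptions.

```powershell
# Added example, not the Microsoft article's appendix XML. Event IDs are the
# current Windows IDs for the listed items; subscription metadata is assumed.

$queryList = @'
<QueryList>
  <!-- Baseline: Security process create (4688), special privileges at logon (4672) -->
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688 or EventID=4672)]]</Select>
  </Query>
  <!-- Baseline: network share access (5140) minus the noisy IPC$ and NETLOGON shares.
       A Suppress element applies only inside its own Query element. -->
  <Query Id="1" Path="Security">
    <Select Path="Security">*[System[(EventID=5140)]]</Select>
    <Suppress Path="Security">*[EventData[(Data[@Name="ShareName"]="\\*\IPC$") or (Data[@Name="ShareName"]="\\*\NETLOGON")]]</Suppress>
  </Query>
  <!-- Baseline: event log cleared, Security log (1102) and other logs (System 104) -->
  <Query Id="2" Path="Security">
    <Select Path="Security">*[System[(EventID=1102)]]</Select>
    <Select Path="System">*[System[Provider[@Name="Microsoft-Windows-Eventlog"] and (EventID=104)]]</Select>
  </Query>
  <!-- Suspect: client DNS lookups (3008 carries the querying process and the answer)
       and PowerShell script block logging (4104). Both channels must be enabled first. -->
  <Query Id="3" Path="Microsoft-Windows-DNS-Client/Operational">
    <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
  </Query>
</QueryList>
'@

function Test-WefQueryLocally {
    param([string]$QueryXml = $queryList, [int]$MaxEvents = 500)
    # Get-WinEvent accepts the same structured query a subscription uses, so this
    # shows what a client would actually forward (per provider and event ID).
    $events = @(Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    $events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
        Select-Object Count, Name
}

function New-WefSubscriptionFile {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$QueryXml,
        [switch]$ReadExistingEvents,              # true for the Targeted subscription
        [string]$Path = "$env:TEMP\$Name.xml"
    )
    # Source-initiated (push) subscription; Normal delivery mode, Events format.
    # The SDDL admits Domain Computers (DC) and Network Service (NS) as sources.
    $subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>$Name (assumed description)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
$QueryXml
  ]]></Query>
  <ReadExistingEvents>$($ReadExistingEvents.IsPresent.ToString().ToLower())</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
    Set-Content -Path $Path -Value $subscription -Encoding UTF8
    return $Path
}

# On a client: see what the query matches today
Test-WefQueryLocally

# On the collector (elevated): create both subscriptions from the same query
# wecutil.exe cs (New-WefSubscriptionFile -Name Baseline -QueryXml $queryList)
# wecutil.exe cs (New-WefSubscriptionFile -Name Targeted -QueryXml $queryList -ReadExistingEvents)
```

Validating locally first catches the two common mistakes the article's design makes possible: a `Select` against a channel that is still disabled on the client, and a `Suppress` placed in a different `Query` element than the `Select` it was meant to filter, where it silently does nothing.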
Applies to:
Windows 10
Learn more about what features and functionality are supported in each Windows edition at Compare
Windows 10 Editions.
To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
IMPORTANT
Your existing MitigationOptions values should be saved during your update. For example, if the current
value is 1000, your updated value should be 1000000001000.
NOTE
Because the FontType is Memory, there’s no associated FontPath.
NOTE
Because the FontType is File, there’s also an associated FontPath.
NOTE
In Audit mode, the problem is recorded, but the font isn’t blocked.
For example, if you want to exclude Microsoft Word processes, you’d use HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe.
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts
feature on, using the steps in the Turn on and use the Blocking Untrusted Fonts feature section of this topic.
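The IMPORTANT note above is the part administrators get wrong: MitigationOptions is a bit field shared with other process mitigations, so the font setting has to be merged into the existing value (1000 becomes 1000000001000), not written over it. The following added example (not code from the Microsoft article) does that merge and applies it either to the kernel-wide key or to a per-process Image File Execution Options key such as the Winword.exe one shown above. The three hex values are the documented on/off/audit values for this feature; the key paths are as described in the article. Nothing is written without -Apply.

```powershell
# Added example, not from the Microsoft article: merge the untrusted-font setting
# into an existing MitigationOptions value without disturbing its other bits.
# Run elevated; report only unless -Apply is given.

# The untrusted-font policy is a two-bit field at bits 48-49 of MitigationOptions
$FontPolicy = @{
    On    = [long]0x1000000000000   # block untrusted fonts
    Off   = [long]0x2000000000000   # allow them (used for per-process exclusions)
    Audit = [long]0x3000000000000   # record the problem, but do not block
}
$FontPolicyMask = [long]0x3000000000000

function Merge-MitigationOptions {
    param(
        [AllowEmptyString()][string]$CurrentHex,   # value as regedit shows it, e.g. '1000'; '' if absent
        [Parameter(Mandatory)][ValidateSet('On', 'Off', 'Audit')][string]$Policy
    )
    $current = if ($CurrentHex) { [Convert]::ToInt64($CurrentHex, 16) } else { 0L }
    # Clear the field first so switching Audit -> On does not leave the Off bit
    # behind, then OR in the requested value. Every other bit is preserved.
    $merged = ($current -band (-bnot $FontPolicyMask)) -bor $FontPolicy[$Policy]
    return $merged.ToString('X')
}

function Set-UntrustedFontPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('On', 'Off', 'Audit')][string]$Policy,
        [string]$ProcessName,   # e.g. 'Winword.exe' to scope the setting to one process
        [switch]$Apply
    )
    $key = if ($ProcessName) {
        "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ProcessName"
    } else {
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
    }
    $existing = (Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
    $currentHex = if ($null -ne $existing) { ([long]$existing).ToString('X') } else { '' }
    $newHex = Merge-MitigationOptions -CurrentHex $currentHex -Policy $Policy

    if ($Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name MitigationOptions -PropertyType QWord `
            -Value ([Convert]::ToInt64($newHex, 16)) -Force | Out-Null
    }
    [pscustomobject]@{ Key = $key; Current = $currentHex; New = $newHex; Applied = $Apply.IsPresent }
}

# The example from the IMPORTANT note: an existing value of 1000 becomes 1000000001000
Merge-MitigationOptions -CurrentHex '1000' -Policy On

# Report what would be written system-wide, then exclude Word as in the text above
Set-UntrustedFontPolicy -Policy Audit
Set-UntrustedFontPolicy -Policy Off -ProcessName 'Winword.exe'   # add -Apply to commit
```

Running in Audit first, as the NOTE above suggests, and reading the resulting events for the FontType and FontPath they carry, tells you which applications load fonts from outside %windir%\Fonts before the setting starts blocking them.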
Related content
Dropping the “Untrusted Font Blocking” setting
Security auditing
1/3/2020 • 2 minutes to read
Applies to
Windows 10
Topics in this section are for IT professionals and describe the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.
Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As
part of your overall security strategy, you should determine the level of auditing that is appropriate for your
environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks
against resources that you have determined to be valuable in your risk assessment.
In this section
Topic: Description
Basic security audit policies: Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.
Advanced security audit policies: Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are recorded and applied differently.
Basic security audit policies
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of
security-related events that you want to audit. When this version of Windows is first installed, all auditing
categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that
suits the security needs of your organization.
The event categories that you can choose to audit are:
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
If you choose to audit access to objects as part of your audit policy, you must enable either the audit directory
service access category (for auditing objects on a ___domain controller), or the audit object access category (for
auditing objects on a member server or workstation). Once you have enabled the object access category, you can
specify the types of access you want to audit for each group or user.
In this section
Topic: Description
Create a basic audit policy for an event category: By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a ___domain, auditing settings for the event categories are undefined by default. On ___domain controllers, auditing is turned on by default.
Apply a basic audit policy on a file or folder: You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
View the security event log: The security log records each event as defined by the audit policies you set on each object.
Basic security audit policy settings: Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
Create a basic audit policy for an event category
9/11/2019 • 2 minutes to read
Applies to
Windows 10
By defining auditing settings for specific event categories, you can create an auditing policy that suits the security
needs of your organization. On devices that are joined to a ___domain, auditing settings for the event categories are
undefined by default. On ___domain controllers, auditing is turned on by default.
To complete this procedure, you must be logged on as a member of the built-in Administrators group.
To define or modify auditing policy settings for an event category for your local computer
1. Open the Local Security Policy snap-in (secpol.msc), and then click Local Policies.
2. Click Audit Policy.
3. In the results pane, double-click an event category that you want to change the auditing policy settings for.
4. Do one or both of the following, and then click OK.
To audit successful attempts, select the Success check box.
To audit unsuccessful attempts, select the Failure check box.
To complete this procedure, you must be logged on as a member of the Domain Admins group.
To define or modify auditing policy settings for an event category for a ___domain or organizational unit,
when you are on a member server or on a workstation that is joined to a ___domain
1. Open the Group Policy Management Console (GPMC).
2. In the console tree, double-click Group Policy objects in the forest and ___domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
3. Right-click the Default Domain Policy GPO, and then click Edit.
4. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click
Audit Policy.
5. In the results pane, double-click an event category that you want to change the auditing policy settings for.
6. If you are defining auditing policy settings for this event category for the first time, select the Define these
policy settings check box.
7. Do one or both of the following, and then click OK.
To audit successful attempts, select the Success check box.
To audit unsuccessful attempts, select the Failure check box.
Additional considerations
To audit object access, enable auditing of the object access event category by following the steps above. Then,
enable auditing on the specific object.
After your audit policy is configured, events will be recorded in the Security log. Open the Security log to view
these events.
The default auditing policy setting for ___domain controllers is No Auditing. This means that even if auditing is
enabled in the ___domain, the ___domain controllers do not inherit auditing policy locally. If you want ___domain auditing
policy to apply to ___domain controllers, you must modify this policy setting.
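The two procedures above set a basic audit category through secpol.msc or a GPO; the same change can be made and verified from an elevated prompt with auditpol.exe, which is what you want when checking many machines or scripting a baseline. The following is an added example, not code from the Microsoft article: it maps the nine category names listed above to auditpol's names, sets one category for success and/or failure, reads the effective policy back as objects, and checks the LSA setting that decides whether advanced (subcategory) settings override the basic ones, the "recorded and applied differently" caveat from the Security auditing overview. The function names are assumptions.

```powershell
# Added example, not from the Microsoft article: the secpol.msc procedure above
# done with auditpol.exe. Run elevated (member of Administrators).

# The article's basic category names -> auditpol category names
$BasicCategory = @{
    'Audit account logon events'     = 'Account Logon'
    'Audit account management'       = 'Account Management'
    'Audit directory service access' = 'DS Access'
    'Audit logon events'             = 'Logon/Logoff'
    'Audit object access'            = 'Object Access'
    'Audit policy change'            = 'Policy Change'
    'Audit privilege use'            = 'Privilege Use'
    'Audit process tracking'         = 'Detailed Tracking'
    'Audit system events'            = 'System'
}

function Set-BasicAuditCategory {
    param(
        [Parameter(Mandatory)][ValidateScript({ $BasicCategory.ContainsKey($_) })][string]$Category,
        [switch]$Success,   # the "Success" check box
        [switch]$Failure    # the "Failure" check box; neither switch = No auditing
    )
    $name = $BasicCategory[$Category]
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    # Setting a category writes the same value to every subcategory under it
    auditpol.exe /set /category:"$name" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$name' (exit code $LASTEXITCODE)" }
}

function Get-EffectiveAuditPolicy {
    # /r prints CSV: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting
    auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Test-AdvancedPolicyOverridesBasic {
    # "Audit: Force audit policy subcategory settings to override audit policy
    # category settings". When it is on (its documented default), per-subcategory
    # settings win and a basic category setting that conflicts is ignored.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return ($null -eq $lsa.SCENoApplyLegacyAuditPolicy) -or ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

# Audit successful and failed object access (needed before file/folder auditing),
# then show the effective policy
Set-BasicAuditCategory -Category 'Audit object access' -Success -Failure
Get-EffectiveAuditPolicy | Where-Object Subcategory -in 'File System', 'Registry', 'Handle Manipulation'
"Advanced settings override basic ones: $(Test-AdvancedPolicyOverridesBasic)"
```

The read-back matters because, as the overview notes, basic and advanced settings are recorded differently: a basic category set here shows up as nine or so subcategories in `auditpol /get`, and if a GPO later defines any of those subcategories individually, that GPO's values are what the machine enforces.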
Apply a basic audit policy on a file or folder
12/18/2019 • 2 minutes to read
Applies to
Windows 10
You can apply audit policies to individual files and folders on your computer by setting the permission type to
record successful access attempts or failed access attempts in the security log. To complete this procedure, you
must be logged on as a member of the built-in Administrators group or you must have been granted the Manage
auditing and security log right.
To apply or modify auditing policy settings for a local file or folder
1. Right-click the file or folder that you want to audit, click Properties, and then click the Security tab.
2. Click Advanced.
3. In the Advanced Security Settings dialog box, click the Auditing tab, and then click Continue.
4. Do one of the following:
To set up auditing for a new user or group, click Add. Click Select a principal, type the name of the user
or group that you want, and then click OK.
To remove auditing for an existing group or user, click the group or user name, click Remove, click OK,
and then skip the rest of this procedure.
To view or change auditing for an existing group or user, click its name, and then click Edit.
5. In the Type box, indicate what actions you want to audit by selecting the appropriate check boxes:
To audit successful events, click Success.
To audit failure events, click Fail.
To audit all events, click All.
6. In the Applies to box, select the object(s) that the audit of events will apply to. These include:
This folder only
This folder, subfolders and files
This folder and subfolders
This folder and files
Subfolders and files only
Subfolders only
Files only
7. By default, the selected Basic Permissions to audit are the following:
Read and execute
List folder contents
Read
Additionally, you can choose Full control, Modify, and/or Write permissions with your selected audit
combination.
Important: Before setting up auditing for files and folders, you must enable object access auditing by defining
auditing policy settings for the object access event category. If you do not enable object access auditing, you
will receive an error message when you set up auditing for files and folders, and no files or folders will be
audited.
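The Security tab procedure above adds an entry to the object's SACL. As an added example (not code from the Microsoft article), the following does the same with Get-Acl and Set-Acl, which is how you would apply one audit rule to many folders consistently. It mirrors the dialog's choices (principal, the basic permissions to audit, the "Applies to" inheritance and Success/Failure), and it checks the two preconditions the article states: the drive should be NTFS, and the Object Access category (the File System subcategory) must already be audited or nothing is logged. The folder path, principal and rights used in the call are assumptions; the right "Manage auditing and security log" (SeSecurityPrivilege) is required.

```powershell
# Added example, not from the Microsoft article: "Apply a basic audit policy on a
# file or folder" done with Get-Acl/Set-Acl. Run elevated.

function Add-FileSystemAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Principal = 'Everyone',
        # Same choices as the Basic Permissions check boxes; auditing writes and
        # permission changes catches tampering without the noise of Read audits
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Write, Delete, ChangePermissions, TakeOwnership',
        # "This folder, subfolders and files" in the Applies to box
        [System.Security.AccessControl.InheritanceFlags]$Inheritance = 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.AuditFlags]$Audit = 'Success, Failure'
    )
    $item = Get-Item -Path $Path -ErrorAction Stop

    # Precondition 1 (article): file and folder auditing is supported on NTFS drives
    $root = $item.PSDrive.Root
    if ($root -match '^[A-Za-z]:\\$') {
        $format = (New-Object System.IO.DriveInfo($root)).DriveFormat
        if ($format -ne 'NTFS') { Write-Warning "$root is $format, not NTFS; the article requires NTFS for auditing" }
    }
    # Precondition 2 (article): object access auditing must be enabled, or the SACL is never evaluated
    $fs = auditpol.exe /get /subcategory:"File System" /r | Where-Object { $_ } | ConvertFrom-Csv
    if ($fs.'Inclusion Setting' -eq 'No Auditing') {
        Write-Warning 'Object Access / File System is not audited; entries will be written but no events generated'
    }

    # A file cannot carry inheritance flags; only containers can
    if (-not $item.PSIsContainer) { $Inheritance = [System.Security.AccessControl.InheritanceFlags]::None }

    # Auditing lives in the SACL, which Get-Acl reads only when -Audit is given
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        $Principal, $Rights, $Inheritance,
        [System.Security.AccessControl.PropagationFlags]::None, $Audit)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return what is now audited on the object
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited
}

# Usage (assumed path): audit changes to a shared configuration folder
Add-FileSystemAuditRule -Path 'C:\ProgramData\ExampleApp\config'
```

Keep the scope narrow, as the article's "Additional considerations" advise: a rule on a busy tree with Read included generates a 4663 event for every access and fills the size-limited security log quickly.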
Additional considerations
After object access auditing is enabled, view the security log in Event Viewer to review the results of your
changes.
You can set up file and folder auditing only on NTFS drives.
Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the
amount of disk space that you want to devote to the security log. The maximum size for the security log is
defined in Event Viewer.
View the security event log
5/31/2019 • 2 minutes to read
Applies to
Windows 10
The security log records each event as defined by the audit policies you set on each object.
To view the security log
1. Open Event Viewer.
2. In the console tree, expand Windows Logs, and then click Security. The results pane lists individual security
events.
3. If you want to see more details about a specific event, in the results pane, click the event.
Basic security audit policy settings
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy.
In this section
Topic: Description
Audit account logon events: Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
Audit directory service access: Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
Audit logon events: Determines whether to audit each instance of a user logging on to or logging off from a device.
Audit object access: Determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key, printer, and so forth) that has its own system access control list (SACL) specified.
Audit process tracking: Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
Audit system events: Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
Related topics
Basic security audit policy settings
Audit account logon events
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit each instance of a user logging on to or logging off from another device in which this
device is used to validate the account.
This security setting determines whether to audit each instance of a user logging on to or logging off from another
computer in which this computer is used to validate the account. Account logon events are generated when a
___domain user account is authenticated on a ___domain controller. The event is logged in the ___domain controller's
security log. Logon events are generated when a local user is authenticated on a local computer. The event is
logged in the local security log. Account logoff events are not generated.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits
generate an audit entry when an account logon attempt fails. To set this value to No auditing, in the Properties
dialog box for this policy setting, select the Define these policy settings check box and clear the Success and
Failure check boxes.
Default: Success
677: A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family.
Related topics
Basic security audit policy settings
Audit account management
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit each event of account management on a device.
Examples of account management events include:
A user account or group is created, changed, or deleted.
A user account is renamed, disabled, or enabled.
A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits
generate an audit entry when any account management event fails. To set this value to No auditing, in the
Properties dialog box for this policy setting, select the Define these policy settings check box and clear the
Success and Failure check boxes.
Default:
Success on ___domain controllers.
No auditing on member servers.
Related topics
Basic security audit policy settings
Audit directory service access
12/4/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it
remains undefined for workstations and servers where it has no meaning.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that
has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an
Active Directory object that has a SACL specified. To set this value to No auditing, in the Properties dialog box
for this policy setting, select the Define these policy settings check box and clear the Success and Failure check
boxes.
Note: You can set a SACL on an Active Directory object by using the Security tab in that object's Properties
dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and
not to file system and registry objects.
Default:
Success on ___domain controllers.
Undefined for a member server.
Related topics
Basic security audit policy settings
Audit logon events
9/11/2019 • 4 minutes to read
Applies to
Windows 10
Determines whether to audit each instance of a user logging on to or logging off from a device.
Account logon events are generated on ___domain controllers for ___domain account activity and on local devices for
local account activity. If both account logon and logon audit policy categories are enabled, logons that use a
___domain account generate a logon or logoff event on the workstation or server, and they generate an account logon
event on the ___domain controller. Additionally, interactive logons to a member server or workstation that use a
___domain account generate a logon event on the ___domain controller as the logon scripts and policies are retrieved
when a user logs on. For more info about account logon events, see Audit account logon events.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit
entry when a logon attempt fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
For information about advanced security policy settings for logon events, see the Logon/logoff section in
Advanced security audit policy settings.
LOGON EVENTS | DESCRIPTION
530 | Logon failure. A logon attempt was made by a user account that tried to log on outside of the allowed time.
533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534 | Logon failure. The user attempted to log on with a type that is not allowed.
535 | Logon failure. The password for the specified account has expired.
537 | Logon failure. The logon attempt failed for other reasons.
539 | Logon failure. The account was locked out at the time the logon attempt was made.
544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon
type.
Related topics
Basic security audit policy settings
Audit object access
12/30/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key,
printer, and so forth--that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a user successfully accesses an object that has an
appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access
an object that has a SACL specified.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog
box.
Default: No auditing.
800 One or more rows have been deleted from the certificate database.
Related topics
Basic security audit policy settings
Audit policy change
9/11/2019 • 3 minutes to read
Applies to
Windows 10
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust
policies.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a change to user rights assignment policies, audit policies,
or trust policies is successful. Failure audits generate an audit entry when a change to user rights assignment
policies, audit policies, or trust policies fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
Default:
Success on ___domain controllers.
No auditing on member servers.
805 The event log service read the security log configuration for a session.
Related topics
Basic security audit policy settings
Audit privilege use
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit each instance of a user exercising a user right.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of
event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits
generate an audit entry when the exercise of a user right fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Default: No auditing.
Audits are not generated for use of the following user rights, even if success audits or failure audits are specified
for Audit privilege use. Enabling auditing of these user rights tends to generate many events in the security log,
which may impede your computer's performance. To audit the following user rights, enable the
FullPrivilegeAuditing registry key.
Bypass traverse checking
Debug programs
Create a token object
Replace process level token
Generate security audits
Back up files and directories
Restore files and directories
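The following PowerShell is an added example and is not code from the Microsoft page. It reports whether the FullPrivilegeAuditing value mentioned above is set and provides a function to enable it. The page names the value but not its ___location or type; the path under the LSA key and the REG_BINARY type used below are assumptions taken from the standard documentation of that value.

```powershell
# Added example (not from the Microsoft page). "Audit privilege use" skips the
# rights listed above unless the FullPrivilegeAuditing registry value is set.
# Assumption: the value is a REG_BINARY entry under the LSA key below; the
# page names the value but not its path or type.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'FullPrivilegeAuditing'

function Get-FullPrivilegeAuditingState {
    # Returns $true when the value exists and its first byte is non-zero.
    # REG_BINARY values come back from the registry provider as byte[].
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $bytes = [byte[]]$item.$ValueName
    return ($bytes.Length -gt 0 -and $bytes[0] -ne 0)
}

function Enable-FullPrivilegeAuditing {
    # Writes a single byte 0x01 as REG_BINARY, the documented type for this value.
    # Needs an elevated shell. Expect Privilege Use event volume to rise sharply,
    # which is why these rights are left unaudited by default.
    if (-not (Test-Path -Path $LsaKey)) { throw "LSA key not found: $LsaKey" }
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value ([byte[]](1)) -Type Binary
    return (Get-FullPrivilegeAuditingState)
}

# Report first; enable only on hosts where the extra volume is worth it.
if (Get-FullPrivilegeAuditingState) {
    Write-Output 'FullPrivilegeAuditing is enabled: the rights above are audited.'
} else {
    Write-Output 'FullPrivilegeAuditing is not set: backup/restore and the other listed rights are not audited.'
    # Enable-FullPrivilegeAuditing   # uncomment on a system where you want these events
}
```

The enable call is left commented out so the script is safe to run as a pure check; the volume warning from the text applies, so scope it to the servers whose backup and restore activity you actually need to see.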
Related topics
Basic security audit policy settings
Audit process tracking
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit detailed tracking information for events such as program activation, process exit,
handle duplication, and indirect object access.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when the process being tracked succeeds. Failure audits
generate an audit entry when the process being tracked fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy
settings check box and clear the Success and Failure check boxes.
Default: No auditing.
Related topics
Basic security audit policy settings
Audit system events
9/11/2019 • 2 minutes to read
Applies to
Windows 10
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that
affects either the system security or the security log.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event
type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit
entry when a logon attempt fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
Default:
Success on ___domain controllers.
No auditing on member servers.
515 A trusted logon process has registered with the Local Security Authority.
Related topics
Basic security audit policy settings
Advanced security audit policies
12/23/2019 • 2 minutes to read
Applies to
Windows 10
Advanced security audit policy settings are found in Security Settings\Advanced Audit Policy
Configuration\System Audit Policies and appear to overlap with basic security audit policies, but they are
recorded and applied differently. When you apply basic audit policy settings to the local computer by using the
Local Security Policy snap-in, you are editing the effective audit policy, so changes made to basic audit policy
settings will appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies
can be controlled by using Group Policy.
In this section
TOPIC | DESCRIPTION
Planning and deploying advanced security audit policies | This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.
Advanced security auditing FAQ | This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
Using advanced security auditing options to monitor dynamic access control objects | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
Advanced security audit policy settings | This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
Planning and deploying advanced security audit
policies
1/3/2020 • 35 minutes to read
Applies to
Windows 10
This topic for the IT professional explains the options that security policy planners must consider and the tasks
they must complete to deploy an effective security audit policy in a network that includes advanced security audit
policies.
Organizations invest a large portion of their information technology budgets on security applications and services,
such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software
you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on
your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to
track the effectiveness of your defenses and identify attempts to circumvent them.
To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most
important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also
provide absolute proof that IT operations comply with corporate and regulatory requirements.
Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you
do not plan well, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and
activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that
an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could
cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an
organization as vulnerable as not enough monitoring.
Here are some features that can help you focus your effort:
Advanced audit policy settings. You can apply and manage detailed audit policy settings through Group
Policy.
"Reason for access" auditing. You can specify and identify the permissions that were used to generate a
particular object access security event.
Global object access auditing. You can define system access control lists (SACLs) for an entire computer file
system or registry.
To deploy these features and plan an effective security auditing strategy, you need to:
Identify your most critical resources and the most important activities that need to be tracked.
Identify the audit settings that can be used to track these activities.
Assess the advantages and potential costs associated with each.
Test these settings to validate your choices.
Develop plans for deploying and managing your audit policy.
Important: Including auditing within your organization's security plan also makes it possible to budget your
resources on the areas where auditing can achieve the most positive results.
For additional details about how to complete each of these steps and how to prepare a detailed threat model,
download the IT Infrastructure Threat Modeling Guide.
Data and resources
For data and resource auditing, you need to identify the most important types of data and resources (such as
patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows
auditing can provide. Some of these data resources might already be monitored through auditing features in
products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows
auditing features can enhance the existing audit strategy. As with the ___domain and OU structure discussed
previously, security auditing should focus on your most critical resources. You also must consider how much audit
data you will be able to manage.
You can record if these resources have high business impact, medium business impact, or low business impact, the
cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access
can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different
levels of risk to an organization.
Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss
in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to
also document this information.
The following table provides an example of a resource analysis for an organization.
RESOURCE CLASS | WHERE STORED | ORGANIZATIONAL UNIT | BUSINESS IMPACT | SECURITY OR REGULATORY REQUIREMENTS
Patient medical records | MedRec-2 | Doctors and Nurses: Read/Write on MedRec-2; Lab Assistants: Write only on MedRec-2; Accounting: Read only on MedRec-2 | High | Strict legal and regulatory standards
Consumer health information | Web-Ext-1 | Public Relations Web Content Creators: Read/Write on Web-Ext-1; Public: Read only on Web-Ext-1 | Low | Public education and corporate image
Users
Many organizations find it useful to classify the types of users they have and base permissions on this
classification. This same classification can help you identify which user activities should be the subject of security
auditing and the amount of audit data they will generate.
Organizations can create distinctions based on the type of rights and permissions needed by users to perform
their jobs. For example, under the classification Administrators, larger organizations might assign local
administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL
Server, or for an entire ___domain. Under Users, permissions and Group Policy settings can apply to as many as all
users in an organization or as few as a subset of the employees in a given department.
Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or
financial data may need to be audited to verify that you are complying with these requirements.
To effectively audit user activity, begin by listing the different types of users in your organization and the types of
data they need access to—in addition to the data they should not have access to.
Also, if external users can access any of your organization's data, be sure to identify them, including if they belong
to a business partner, customer, or general user, the data they have access to, and the permissions they have to
access that data.
The following table illustrates an analysis of users on a network. Although our example contains a single column
titled "Possible auditing considerations," you may want to create additional columns to differentiate between
different types of network activity, such as logon hours and permission use.
Account administrators | User accounts and security groups | Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes.
Computers
Security and auditing requirements and audit event volume can vary considerably for different types of computers
in an organization. These requirements can be based on:
If the computers are servers, desktop computers, or portable computers.
The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity
Manager.
Note: Server applications (including Exchange Server and SQL Server) have audit settings of their own. For
more information about auditing in Exchange Server, see the Exchange 2010 Security Guide. For more
information about auditing in SQL Server 2008, see Auditing (Database Engine). For SQL Server 2012,
see SQL Server Audit (Database Engine).
Note: The operating system version determines which auditing options are available and the volume
of audit event data.
Portable computers | Windows Vista and Windows 7 | Separate portable computer OUs by department and (in some cases) by ___location
Regulatory requirements
Many industries and locales have strict and specific requirements for network operations and how resources are
protected. In the health care and financial industries, for example, there are strict guidelines for who has access to
records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work
with your organization's legal department and other departments responsible for these requirements. Then
consider the security configuration and auditing options that can be used to comply with and verify compliance
with these regulations.
For more info, see the System Center Process Pack for IT GRC.
Important: Whether you apply advanced audit policies by using Group Policy or by using logon
scripts, do not use both the basic audit policy settings under Local Policies\Audit Policy and the
advanced settings under Security Settings\Advanced Audit Policy Configuration. Using both
basic and advanced audit policy settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit
policies, be sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or
later) to override audit policy category settings policy setting under Local Policies\Security
Options. This will prevent conflicts between similar settings by forcing basic security auditing to be
ignored.
The following are examples of how audit policies can be applied to an organization's OU structure:
Apply data activity settings to an OU that contains file servers. If your organization has servers that contain
particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more
precise audit policy to these servers.
Apply user activity audit policies to an OU that contains all computers in the organization. If your organization
places users in OUs based on the department they work in, consider configuring and applying more detailed
security permissions on critical resources that are accessed by employees who work in more sensitive areas,
such as network administrators or the legal department.
Apply network and system activity audit policies to OUs that contain the organization's most critical servers,
such as ___domain controllers, CAs, email servers, or database servers.
Important: Settings that are described in the Reference might also provide valuable information about
activity audited by another setting. For example, the settings used to monitor user activity and network activity
have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources
have huge implications for overall network status, and potentially for how well you are managing the activities
of users on the network.
Note: To audit user attempts to access all file system objects on a computer, use the Global Object
Access Auditing settings Registry (Global Object Access Auditing) or File System (Global Object Access
Auditing).
Object Access\Audit Handle Manipulation. This policy setting determines whether the operating system
generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs
generate these events, and only if the attempted handle operation matches the SACL.
Event volume can be high, depending on how SACLs are configured. When used together with the Audit
File System or Audit Registry policy settings, the Audit Handle Manipulation policy setting can
provide an administrator with useful "reason for access" audit data that details the precise permissions on
which the audit event is based. For example, if a file is configured as a Read-only resource but a user
attempts to save changes to the file, the audit event will log not only the event, but also the permissions that
were used (or attempted to be used) to save the file changes.
Global Object Access Auditing. A growing number of organizations are using security auditing to
comply with regulatory requirements that govern data security and privacy. But demonstrating that strict
controls are being enforced can be extremely difficult. To address this issue, the supported versions of
Windows include two Global Object Access Auditing policy settings, one for the registry and one for the
file system. When you configure these settings, they apply a global system access control SACL on all
objects of that class on a system, which cannot be overridden or circumvented.
Important: The Global Object Access Auditing policy settings must be configured and applied in
conjunction with the Audit File System and Audit Registry audit policy settings in the Object Access
category.
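As an added example (not code from the Microsoft page, and not the page's own procedure), the PowerShell below does in script what the earlier note describes doing on the Security tab: it places an audit entry (SACL) on a folder so that Audit File System can produce object access events for it, and then lists the resulting audit rules. It also shows the auditpol resourceSACL view, which lists any machine-wide Global Object Access Auditing SACL currently applied to files. The path C:\Sensitive is a placeholder, and the chosen rights and audit flags are an illustrative baseline, not a recommendation from the page.

```powershell
# Added example (not from the Microsoft page). Sets a SACL on a folder so that
# Object Access\Audit File System can generate "reason for access" events for it.
# Assumptions: C:\Sensitive is a placeholder path that already exists; the shell
# is elevated (writing a SACL needs the "Manage auditing and security log" right).

function Add-FileAuditRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone',
        # Audit writes, deletes and permission changes; auditing reads on a busy
        # share produces the flood of benign entries the page warns about.
        [System.Security.AccessControl.FileSystemRights] $Rights =
            'Write, Delete, ChangePermissions, TakeOwnership',
        # Record both successes and failures, as discussed in the text.
        [System.Security.AccessControl.AuditFlags] $Flags = 'Success, Failure'
    )
    # Inheritance flags are only valid on containers; a file must use None.
    $isDir = Test-Path -Path $Path -PathType Container
    $inherit = if ($isDir) {
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        [System.Security.AccessControl.InheritanceFlags]::None
    }
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Identity, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None, $Flags)

    # -Audit is required, otherwise Get-Acl returns the DACL without the SACL.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FileAuditRules {
    # Lists explicit and inherited audit entries on the object as account names.
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

function Get-GlobalFileSacl {
    # Global Object Access Auditing applies one SACL to every file on the system;
    # auditpol shows the effective global SACL (empty when none is configured).
    auditpol /resourceSACL /view /type:File
}

Add-FileAuditRule -Path 'C:\Sensitive'
Get-FileAuditRules -Path 'C:\Sensitive' | Format-Table -AutoSize
Get-GlobalFileSacl
```

The per-object SACL only produces events once the Audit File System subcategory (or the basic Audit object access policy) is enabled, which is the dependency the Important note above states for the global variant as well.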
User activity
The settings in the previous section relate to activity involving the files, folders, and network shares that are stored
on a network, and the settings in this section focus on the users, including employees, partners, and customers,
who may try to access those resources.
In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available
to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that
they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on
a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate
activities. The following are a few important settings that you should evaluate to track user activity on your
network:
Account Logon\Audit Credential Validation. This is an extremely important policy setting because it enables
you to track every successful and unsuccessful attempt to present credentials for a user logon. In particular,
a pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no
longer valid, or attempting to use a variety of credentials in succession in hope that one of these attempts
will eventually be successful. These events occur on the computer that is authoritative for the credentials.
For ___domain accounts, the ___domain controller is authoritative. For local accounts, the local computer is
authoritative.
Detailed Tracking\Audit Process Creation and Detailed Tracking\Audit Process Termination. These policy
settings can enable you to monitor the applications that a user opens and closes on a computer.
DS Access\Audit Directory Service Access and DS Access\Audit Directory Service Changes. These policy
settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects
in Active Directory Domain Services (AD DS). Only ___domain administrators have permissions to modify
AD DS objects, so it is extremely important to identify malicious attempts to modify these objects. In
addition, although ___domain administrators should be among an organization's most trusted employees, the
use of the Audit Directory Service Access and Audit Directory Service Changes settings allows you to
monitor and verify that only approved changes are made to AD DS. These audit events are logged only on
___domain controllers.
Logon/Logoff\Audit Account Lockout. Another common security scenario occurs when a user attempts to
log on with an account that has been locked out. It is important to identify these events and to determine
whether the attempt to use an account that has been locked out is malicious.
Logon/Logoff\Audit Logoff and Logon/Logoff\Audit Logon. Logon and logoff events are essential to
tracking user activity and detecting potential attacks. Logon events are related to the creation of logon
sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated
on the computer that was logged on to. For network logon, such as accessing a shared resource, events are
generated on the computer that hosts the resource that was accessed. Logoff events are generated when
logon sessions are terminated.
Note: There is no failure event for logoff activity because failed logoffs (such as when a system
abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For
example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is
not generated.
Logon/Logoff\Audit Special Logon. A special logon has administrator-equivalent rights and can be used to
elevate a process to a higher level. It is recommended to track these types of logons. For more information
about this feature, see article 947223 in the Microsoft Knowledge Base.
Object Access\Audit Certification Services. This policy setting allows you to track and monitor a wide
variety of activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to
ensure that only authorized users are performing or attempting to perform these tasks, and that only
authorized or desired tasks are being performed.
Object Access\Audit File System and Object Access\Audit File Share. These policy settings are described in
the previous section.
Object Access\Audit Handle Manipulation. This policy setting and its role in providing "reason for access"
audit data is described in the previous section.
Object Access\Audit Registry. Monitoring for changes to the registry is one of the most critical means that
an administrator has to ensure malicious users do not make changes to essential computer settings. Audit
events are only generated for objects that have configured SACLs, and only if the type of access that is
requested (such as Write, Read, or Modify) and the account making the request match the settings in the
SACL.
Important: On critical systems where all attempts to change registry settings need to be tracked, you
can combine the Audit Registry policy setting with the Global Object Access Auditing policy
settings to ensure that all attempts to modify registry settings on a computer are tracked.
Object Access\Audit SAM. The Security Accounts Manager (SAM) is a database that is present on
computers running Windows that stores user accounts and security descriptors for users on the local
computer. Changes to user and group objects are tracked by the Account Management audit category.
However, user accounts with the proper user rights could potentially alter the files where the account and
password information is stored in the system, bypassing any Account Management events.
Privilege Use\Audit Sensitive Privilege Use. Privilege Use policy settings and audit events allow you to
track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is
generated when sensitive rights requests are made.
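The Audit Credential Validation item above describes the pattern worth detecting: a run of unsuccessful attempts for one account in a short time. The PowerShell below is an added example, not code from the Microsoft page, that applies that check to a constructed set of records. The event IDs and failure reasons are those listed in the Audit logon events table earlier on the page (the basic audit policy IDs); the accounts, hosts and timestamps are made up for the example. The threshold and window are assumptions to be tuned per environment; the 4-digit IDs that the advanced policy subcategories emit are not on this page, so mapping live Get-WinEvent records into this shape is left to the reader.

```powershell
# Added example (not from the Microsoft page): flag accounts with repeated logon
# failures inside a sliding time window. IDs and reasons come from the page's
# Audit logon events table; the sample records below are constructed.
$LogonFailureReason = @{
    530 = 'outside allowed logon hours'
    533 = 'not allowed to log on at this computer'
    534 = 'logon type not allowed'
    535 = 'password expired'
    537 = 'other reason'
    539 = 'account locked out'
}

function Find-RepeatedLogonFailures {
    param(
        # Records with Id, Account, Computer and Time properties.
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 3,        # assumed: failures needed to raise a finding
        [int] $WindowMinutes = 10    # assumed: width of the sliding window
    )
    $findings = @()
    # Keep only the failure IDs in the table; successful logons (528) are ignored.
    $failures = $Events | Where-Object { $LogonFailureReason.ContainsKey([int]$_.Id) }
    foreach ($group in ($failures | Group-Object -Property Account)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Count the failures in the window that ends at this event.
            $windowStart = $sorted[$i].Time.AddMinutes(-$WindowMinutes)
            $inWindow = @($sorted[0..$i] | Where-Object { $_.Time -ge $windowStart })
            if ($inWindow.Count -ge $Threshold) {
                $findings += [pscustomobject]@{
                    Account  = $group.Name
                    Failures = $inWindow.Count
                    From     = $inWindow[0].Time
                    To       = $sorted[$i].Time
                    Reasons  = (@($inWindow | ForEach-Object { $LogonFailureReason[[int]$_.Id] }) |
                                Sort-Object -Unique) -join '; '
                    Hosts    = (@($inWindow | ForEach-Object { $_.Computer }) |
                                Sort-Object -Unique) -join ', '
                }
                break   # one finding per account is enough for a triage list
            }
        }
    }
    return $findings
}

# Constructed sample records (not real log data).
$t = [datetime]'2019-09-11T08:00:00'
$SampleEvents = @(
    [pscustomobject]@{ Id = 539; Account = 'jsmith';     Computer = 'WS01'; Time = $t.AddMinutes(1) }
    [pscustomobject]@{ Id = 539; Account = 'jsmith';     Computer = 'WS01'; Time = $t.AddMinutes(2) }
    [pscustomobject]@{ Id = 530; Account = 'jsmith';     Computer = 'WS02'; Time = $t.AddMinutes(4) }
    [pscustomobject]@{ Id = 528; Account = 'jsmith';     Computer = 'WS01'; Time = $t.AddMinutes(5) }
    [pscustomobject]@{ Id = 535; Account = 'bjones';     Computer = 'WS03'; Time = $t.AddMinutes(60) }
    [pscustomobject]@{ Id = 533; Account = 'svc-backup'; Computer = 'FS01'; Time = $t.AddMinutes(120) }
    [pscustomobject]@{ Id = 533; Account = 'svc-backup'; Computer = 'FS01'; Time = $t.AddMinutes(150) }
)

# Only jsmith is reported: three failures within ten minutes across two hosts.
Find-RepeatedLogonFailures -Events $SampleEvents | Format-Table -AutoSize
```

The reason column is what makes the finding actionable: three "account locked out" entries followed by an "outside allowed logon hours" entry for the same account is a different triage case from a single expired password, which is the point the text makes about distinguishing stale credentials from guessing.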
Network activity
The following network activity policy settings allow you to monitor security-related issues that are not necessarily
covered in the data or user activity categories, but that can be equally important for network status and protection.
Account Management. The policy settings in this category can be used to track attempts to create, delete,
or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities
complements the monitoring strategies you select in the user activity and data activity sections.
Account Logon\Audit Kerberos Authentication Service and Account Logon\Audit Kerberos Service Ticket
Operations. Audit policy settings in the Account Logon category monitor activities that relate to the use of
___domain account credentials. These policy settings complement the policy settings in the Logon/Logoff
category. The Audit Kerberos Authentication Service policy setting allows you to monitor the status of
and potential threats to the Kerberos service. The Audit Kerberos Service Ticket Operations policy
setting allows you to monitor the use of Kerberos service tickets.
Note: Account Logon policy settings apply only to specific ___domain account activities, regardless of
the computer that is accessed, whereas Logon/Logoff policy settings apply to the computer that hosts
the resources being accessed.
Account Logon\Audit Other Account Logon Events. This policy setting can be used to track a number of
different network activities, including attempts to create Remote Desktop connections, wired network
connections, and wireless connections.
DS Access. Policy settings in this category allow you to monitor the AD DS role services, which provide
account data, validate logons, maintain network access permissions, and provide other services that are
critical to the secure and proper functioning of a network. Therefore, auditing the rights to access and
modify the configuration of a ___domain controller can help an organization maintain a secure and reliable
network. In addition, one of the key tasks performed by AD DS is the replication of data between ___domain
controllers.
Logon/Logoff\Audit IPsec Extended Mode, Logon/Logoff\Audit IPsec Main Mode, and
Logon/Logoff\Audit IPsec Quick Mode. Many networks support large numbers of external users, including
remote employees and partners. Because these users are outside the organization's network boundaries,
IPsec is often used to help protect communications over the Internet by enabling network-level peer
authentication, data origin authentication, data integrity, data confidentiality (encryption), and protection
against replay attacks. You can use these settings to ensure that IPsec services are functioning properly.
Logon/Logoff\Audit Network Policy Server. Organizations that use RADIUS (IAS) and Network Access
Protection (NAP) to set and maintain security requirements for external users can use this policy setting to
monitor the effectiveness of these policies and to determine whether anyone is attempting to circumvent
these protections.
Policy Change. These policy settings and events allow you to track changes to important security policies
on a local computer or network. Because policies are typically established by administrators to help secure
network resources, any changes or attempts to change these policies can be an important aspect of security
management for a network.
Policy Change\Audit Audit Policy Change. This policy setting allows you to monitor changes to the audit
policy. If malicious users obtain ___domain administrator credentials, they can temporarily disable essential
security audit policy settings so that their other activities on the network cannot be detected.
Policy Change\Audit Filtering Platform Policy Change. This policy setting can be used to monitor a large
variety of changes to an organization's IPsec policies.
Policy Change\Audit MPSSVC Rule-Level Policy Change. This policy setting determines if the operating
system generates audit events when changes are made to policy rules for the Microsoft Protection Service
(MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for
understanding the security state of the computer and how well it is protected against network attacks.
Confirm operating system version compatibility
Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and
manage these settings. For more info, see Which editions of Windows support advanced audit policy
configuration.
The audit policy settings under Local Policies\Audit Policy overlap with audit policy settings under Security
Settings\Advanced Audit Policy Configuration. However, the advanced audit policy categories and
subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the
amount of audit data that is less important to your organization.
For example, Local Policies\Audit Policy contains a single setting called Audit account logon events. When this
setting is configured, it generates at least 10 types of audit events.
In comparison, the Account Logon category under Security Settings\Advanced Audit Policy Configuration
provides the following advanced settings, which allow you to focus your auditing:
Credential Validation
Kerberos Authentication Service
Kerberos Service Ticket Operations
Other Account Logon Events
These settings allow you to exercise much tighter control over which activities or events generate event data.
Some activities and events will be more important to your organization, so define the scope of your security audit
policy as narrowly as possible.
Success, failure, or both
Whichever event settings you include in your plan, you also have to decide whether you want to log an event when
the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the
answer will be based on the criticality of the event and the implications of the decision on event volume.
For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an
event only when an unsuccessful attempt to access data takes place, because this could be evidence of an
unauthorized or malicious user. And in this instance, logging successful attempts to access the server would
quickly fill the event log with benign events.
On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you
may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every
user who accessed the resource.
Applies to
Windows 10
This topic for the IT professional lists questions and answers about understanding, deploying, and managing
security audit policies.
What is Windows security auditing and why might I want to use it?
What is the difference between audit policies located in Local Policies\Audit Policy and audit policies located in
Advanced Audit Policy Configuration?
What is the interaction between basic audit policy settings and advanced audit policy settings?
How are audit settings merged by Group Policy?
What is the difference between an object DACL and an object SACL?
Why are audit policies applied on a per-computer basis rather than per user?
What are the differences in auditing functionality between versions of Windows?
Can I use advanced audit policy from a ___domain controller running Windows Server 2003 or Windows 2000 Server?
What is the difference between success and failure events? Is something wrong if I get a failure audit?
How can I set an audit policy that affects all objects on a computer?
How do I figure out why someone was able to access a resource?
How do I know when changes are made to access control settings, by whom, and what the changes were?
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
How can I monitor if changes are made to audit policy settings?
How can I minimize the number of events that are generated?
What are the best tools to model and manage audit policy?
Where can I find information about all the possible events that I might receive?
Where can I find more detailed information?
What is Windows security auditing and why might I want to use it?
Security auditing is a methodical examination and review of activities that may affect the security of a system. In
the Windows operating systems, security auditing is more narrowly defined as the features and services that
enable an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks.
Monitoring these events can provide valuable information to help administrators troubleshoot and investigate
security-related activities.
Important Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not
use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under
Security Settings\Advanced Audit Policy Configuration. Using both advanced and basic audit policy
settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be
sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override
audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts
between similar settings by forcing basic security auditing to be ignored.
AUDITING SUBCATEGORY | SETTING CONFIGURED IN AN OU GPO (HIGHER PRIORITY) | SETTING CONFIGURED IN A DOMAIN GPO (LOWER PRIORITY) | RESULTING POLICY FOR THE TARGET COMPUTER
Why are audit policies applied on a per-computer basis rather than per user?
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary
recipients of actions by clients including applications, other computers, and users. In a security breach, malicious
users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users
to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer
and the objects and resources on that computer.
In addition, because audit policy capabilities can vary between computers running different versions of Windows,
the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of
the user.
However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish
this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the
users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1.
This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The Object
Access\Audit File System audit policy setting applies to Accounting Server 1, but because it requires a
corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder
generate audit events.
How can I set an audit policy that affects all objects on a computer?
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a
system. This has been difficult to accomplish because the system access control lists (SACLs) that govern auditing
are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have
to check every object to be sure that no SACL has been changed, even temporarily. Introduced
in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access
auditing policies for the entire file system or for the registry on a computer. The specified SACL is then
automatically applied to every object of that type. This can be useful for verifying that all critical files, folders, and
registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a
file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object
access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or
folder SACL and the global object access auditing policy. This means that an audit event is generated if an activity
matches either the file or folder SACL or the global object access auditing policy.
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you
subsequently change the advanced audit policy setting to Not configured, you need to complete the following
steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to Not configured.
2. Delete all audit.csv files from the %SYSVOL% folder on the ___domain controller.
3. Reconfigure and apply the basic audit policy settings.
Unless you complete all of these steps, the basic audit policy settings will not be restored.
What are the best tools to model and manage audit policies?
The integration of advanced audit policy settings with ___domain Group Policy, introduced in Windows 7 and
Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies
in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a ___domain can also be
used to plan and deploy security audit policies. On an individual computer, the Auditpol command-line tool can be
used to complete a number of important audit policy–related management tasks.
In addition, there are a number of computer management products, such as the Audit Collection Services in the
Microsoft System Center Operations Manager products, which can be used to collect and filter event data.
Where can I find information about all the possible events that I might receive?
Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit
events that are stored there (which can quickly number in the thousands) and by the structured information that is
included for each audit event. Additional information about these events, and the settings used to generate them,
can be obtained from the following resources:
Windows 8 and Windows Server 2012 Security Event Details
Security Audit Events for Windows 7 and Windows Server 2008 R2
Security Audit Events for Windows Server 2008 and Windows Vista
Advanced security audit policy settings
Applies to
Windows 10
Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows
Vista. There is no difference in security auditing support between 32-bit and 64-bit versions. Windows editions
that cannot join a ___domain, such as Windows 10 Home edition, do not have access to these features.
How to get a list of XML data name elements in EventData
5/31/2019
Applies to
Windows 10
The Security log uses a manifest where you can get all of the event schema.
Run the following from an elevated PowerShell prompt:
The .events property is a collection of all of the events listed in the manifest on the local machine.
For each event, there is a .Template property for the XML template used for the event properties (if there are any).
For example:
PS C:\WINDOWS\system32> $SecEvents.events[100]
Id : 4734
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7
Group:
Security ID: %3
Group Name: %1
Group Domain: %2
Additional Information:
Privileges: %8
PS C:\WINDOWS\system32> $SecEvents.events[100].Template
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7
Group:
Security ID: %3
Group Name: %1
Group Domain: %2
Additional Information:
Privileges: %8
The Subject: Security ID: text element (%4) is filled from the fourth data element in the Template, SubjectUserSid.
The Additional Information: Privileges: element (%8) is filled from the eighth data element, PrivilegeList.
A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element), which indicates
the revision of the event schema and description. Most events have only one version (Version = 0, as in the
Security/4734 example), but a few events, such as Security/4624 or Security/4688, have at least three versions
(0, 1, and 2) depending on the OS version where the event is generated. Only the latest version is used when
generating events in the Security log. In any case, the Template and the Description must be taken from the same
event Version.
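As an added example (not code from the page), the following script performs the mapping described above for any Security event: it reads the provider manifest, keeps the highest Version of the event so that Template and Description come from the same schema revision, and rewrites each %N placeholder in the Description to the matching data name from the Template. It assumes the provider name Microsoft-Windows-Security-Auditing and the Get-WinEvent -ListProvider cmdlet, neither of which is shown on this page.

```powershell
# Added example, not from the page: map a Security event's %N description
# placeholders to the <data name="..."> elements of its template.
# Assumes the provider "Microsoft-Windows-Security-Auditing" and
# Get-WinEvent -ListProvider; run from an elevated PowerShell prompt.
$EventId = 4734   # the event used in the example above; change as needed

function Get-EventFieldMap {
    param([string]$ProviderName, [int]$Id)

    $provider = Get-WinEvent -ListProvider $ProviderName

    # Several manifest entries can share one Id, one per schema Version.
    # Keep the highest, because only the latest Version is used when events
    # are written to the Security log, and take Template and Description from
    # that same entry so placeholders and field positions line up.
    $meta = $provider.Events |
        Where-Object { $_.Id -eq $Id } |
        Sort-Object Version -Descending |
        Select-Object -First 1
    if (-not $meta) { throw "Event $Id is not in the $ProviderName manifest." }

    # <data> elements are positional: %1 is the first, %2 the second, and so on.
    # PowerShell's XML adapter ignores the default namespace on <template>.
    $names = @()
    if ($meta.Template) {
        $names = @(([xml]$meta.Template).template.data | ForEach-Object { $_.name })
    }

    # Replace %N with {FieldName}. A '%%1234' token refers to a message-table
    # string, not a field, so the negative lookbehind leaves those alone.
    $resolved = [regex]::Replace($meta.Description, '(?<!%)%(\d+)', {
        param($m)
        $n = [int]$m.Groups[1].Value
        if ($n -ge 1 -and $n -le $names.Count) { '{' + $names[$n - 1] + '}' }
        else { $m.Value }   # a placeholder with no template field stays as-is
    }.GetNewClosure())

    [pscustomobject]@{
        Id          = $meta.Id
        Version     = $meta.Version
        Fields      = $names
        Description = $resolved
    }
}

$map = Get-EventFieldMap -ProviderName 'Microsoft-Windows-Security-Auditing' -Id $EventId
"Event {0}, Version {1}: {2} template fields" -f $map.Id, $map.Version, $map.Fields.Count
$map.Description
```

For 4734 the output replaces "Security ID: %4" with "Security ID: {SubjectUserSid}" and "Privileges: %8" with "Privileges: {PrivilegeList}", matching the positions worked out in the text.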
Using advanced security auditing options to monitor dynamic access control objects
1/3/2020
Applies to
Windows 10
This guide explains the process of setting up advanced security auditing capabilities that are made possible
through settings and events that were introduced in Windows 8 and Windows Server 2012.
These procedures can be deployed with the advanced security auditing capabilities described in Deploy Security
Auditing with Central Audit Policies (Demonstration Steps).
In this guide
Domain administrators can create and deploy expression-based security audit policies by using file classification
information (resource attributes), user claims, and device claims to target specific users and resources to monitor
potentially significant activities on one or more computers. These policies can be deployed centrally by using
Group Policy, or directly on a computer, in a folder, or in individual files.
In this section
TOPIC | DESCRIPTION
Monitor the central access policies that apply on a file server | This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a ___domain controller and then applied to file servers through Group Policy management.
Monitor the use of removable storage devices | This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.
Monitor resource attribute definitions | This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
Monitor central access policy and rule definitions | This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
Monitor user and device claims during sign-in | This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects.
Monitor the resource attributes on files and folders | This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects.
Monitor the central access policies associated with files and folders | This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.
Monitor claim types | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.
Important: This procedure can be configured on computers running any of the supported Windows
operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic
access control deployment.
Related topics
Security auditing
Monitor the central access policies that apply on a file server
12/20/2019
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file
server when using advanced security auditing options to monitor dynamic access control objects. Central access
policies are created on a ___domain controller and then applied to file servers through Group Policy management.
Use the following procedures to configure and verify security auditing settings that are used to monitor changes to
the set of central access policies on a file server. The following procedures assume that you have configured and
deployed dynamic access control, including central access policies, and claims in your network. If you have not yet
deployed dynamic access control in your network, see Deploy a Central Access Policy (Demonstration Steps).
To configure settings to monitor changes to central access policies
1. Sign in to your ___domain controller by using ___domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the flexible access Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit
Policy Configuration, double-click Policy Change, and then double-click Other Policy Change Events.
Note: This policy setting monitors policy changes that might not be captured otherwise, such as central
access policy changes or trusted platform module configuration changes.
5. Select the Configure the following audit events check box, select the Success check box (and the
Failure check box, if desired), and then click OK.
After you modify the central access policies on the ___domain controller, verify that the changes have been applied to
the file server and that the proper events are logged.
To verify changes to the central access policies
1. Sign in to your ___domain controller by using ___domain administrator credentials.
2. Open the Group Policy Management Console.
3. Right-click Default ___domain policy, and then click Edit.
4. Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings.
5. Double-click Security Settings, right-click File system, and then click Manage CAPs.
6. In the wizard that appears, follow the instructions to add a new central access policy (CAP), and then click
OK.
7. Use local administrator credentials to sign in to the server that hosts resources that are subject to the central
access policies you changed.
8. Press the Windows key + R, then type cmd to open a Command Prompt window.
Note: If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Yes.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor the use of removable storage devices
1/2/2020
Applies to
Windows 10
This topic for the IT professional describes how to monitor attempts to use removable storage devices to access
network resources. It describes how to use advanced security auditing options to monitor dynamic access control
objects.
If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a
resource to a removable storage device.
Use the following procedures to monitor the use of removable storage devices and to verify that the devices are
being monitored.
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Note: If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Yes.
Note: We do not recommend that you enable this category on a file server that hosts file shares on a
removable storage device. When Removable Storage Auditing is configured, any attempt to access the
removable storage device will generate an audit event.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor resource attribute definitions
1/2/2020
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are
using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions
define the basic properties of resource attributes, such as what it means for a resource to be defined as “high
business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container.
Changes to these definitions could significantly change the protections that govern a resource, even if the resource
attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object.
For information about monitoring changes to the resource attributes that apply to files, see Monitor the resource
attributes on files and folders.
Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS
and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access
Control, including central access policies, claims, and other components, in your network. If you have not yet
deployed Dynamic Access Control in your network, see Deploy a Central Access Policy (Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to central access policy and central access rule
definitions when you use advanced security auditing options to monitor dynamic access control objects. Central
access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is
important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule
definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other
object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control
deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than
other network objects. However, it is important to monitor these objects for potential changes in security auditing
and to verify that policies are being enforced.
Use the following procedures to configure settings to monitor changes to central access policy and central access
rule definitions and to verify the changes. These procedures assume that you have configured and deployed
Dynamic Access Control, including central access policies, claims, and other components, in your network. If you
have not yet deployed Dynamic Access Control in your network, see Deploy a Central Access Policy
(Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
To configure settings to monitor changes to central access policy and rule definitions
1. Sign in to your ___domain controller by using ___domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the default ___domain controller Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, click Security Settings, expand Advanced Audit Policy
Configuration, expand System Audit Policies, click DS Access, and then double-click Audit directory
service changes.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then click OK.
6. Close the Group Policy Management Editor.
7. Open the Active Directory Administrative Center.
8. Under Dynamic Access Control, right-click Central Access Policies, and then select Properties.
9. Click the Security tab, click Advanced to open the Advanced Security Settings dialog box, and then click the
Auditing tab.
10. Click Add, add a security auditing setting for the container, and then close all Security properties dialog boxes.
After you configure settings to monitor changes to central access policy and central access rule definitions, verify
that the changes are being monitored.
To verify that changes to central access policy and rule definitions are monitored
1. Sign in to your ___domain controller by using ___domain administrator credentials.
2. Open the Active Directory Administrative Center.
3. Under Dynamic Access Control, right-click Central Access Policies, and then click Properties.
4. Click the Security tab, click Advanced to open the Advanced Security Settings dialog box, and then click the
Auditing tab.
5. Click Add, add a security auditing setting for the container, and then close all Security properties dialog boxes.
6. In the Central Access Policies container, add a new central access policy (or select one that exists), click
Properties in the Tasks pane, and then change one or more attributes.
7. Click OK, and then close the Active Directory Administrative Center.
8. In Server Manager, click Tools, and then click Event Viewer.
9. Expand Windows Logs, and then click Security. Verify that event 4819 appears in the security log.
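The last step above checks for event 4819 by eye in Event Viewer. As an added example (not code from the page), this script does the same check from PowerShell and flattens each event's EventData into a name-to-value table, so fields are read by their XML data names rather than by position, which matters for events whose schema Version differs between OS releases. It assumes the Security log is readable from an elevated prompt and that 4819 carries the Subject* fields seen in the 4734 template above; where a field is missing the script says so instead of guessing.

```powershell
# Added example, not from the page: find the event a verification step looks
# for (4819, the ID the page cites for central access policy changes) and
# show who made each change, reading EventData fields by name.
# Assumes an elevated prompt with access to the Security log.
$EventId   = 4819
$MaxEvents = 20

function ConvertTo-EventDataTable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    # The XML view carries <Data Name="..."> elements; the rendered message
    # only has %N placeholders, so the XML is the reliable source of names.
    $xml  = [xml]$Record.ToXml()
    $data = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    $data
}

function Get-PolicyChangeSummary {
    param([int]$Id, [int]$Max)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id } `
                           -MaxEvents $Max -ErrorAction SilentlyContinue
    if (-not $events) {
        # Nothing logged yet: the policy change has not reached this machine,
        # or the Other Policy Change Events subcategory is not enabled.
        return "No $Id events found in the Security log."
    }
    foreach ($e in $events) {
        $fields = ConvertTo-EventDataTable -Record $e
        # Subject* fields identify the account behind the change (assumed to be
        # present in 4819, as in the 4734 template); report absence explicitly.
        $who = if ($fields.Contains('SubjectUserName')) {
            '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
        } else { '<SubjectUserName not present in this Version>' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Version     = $e.Version
            Subject     = $who
            LogonId     = $fields['SubjectLogonId']
            FieldCount  = $fields.Count
        }
    }
}

Get-PolicyChangeSummary -Id $EventId -Max $MaxEvents | Format-Table -AutoSize
```

Change $EventId to 4626 to run the same check for the user and device claims procedure later on this page.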
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor user and device claims during sign-in
1/2/2020
Applies to
Windows 10
This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s
security token when you are using advanced security auditing options to monitor dynamic access control objects.
Device claims are associated with the system that is used to access resources that are protected with Dynamic
Access Control. User claims are attributes that are associated with a user. User claims and device claims are
included in the user’s security token used at sign-on. For example, information about Department, Company,
Project, or Security clearances might be included in the token.
Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and
to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control,
including central access policies, claims, and other components, in your network. If you have not yet deployed
Dynamic Access Control in your network, see Deploy a Central Access Policy (Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
3. From a client computer, connect to a file share on the file server as a user who has access permissions to the
file server.
4. On the file server, open Event Viewer, expand Windows Logs, and select the Security log. Look for event
4626, and confirm that it contains information about user claims and device claims.
Related resource
Using advanced security auditing options to monitor dynamic access control objects
Monitor the resource attributes on files and folders
1/3/2020
Applies to
Windows 10
This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes
on files when you are using advanced security auditing options to monitor dynamic access control objects.
If your organization has a carefully thought out authorization configuration for resources, changes to these
resource attributes can create potential security risks. Examples include:
Changing files that have been marked as high business value to low business value.
Changing the Retention attribute of files that have been marked for retention.
Changing the Department attribute of files that are marked as belonging to a particular department.
Use the following procedures to configure settings to monitor changes to resource attributes on files and folders.
These procedures assume that you have configured and deployed central access policies in your network. For more
information about how to configure and deploy central access policies, see Dynamic Access Control: Scenario
Overview.
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to the central access policies that are
associated with files and folders when you are using advanced security auditing options to monitor dynamic access
control objects.
This security audit policy and the event that it records are generated when the central access policy that is
associated with a file or folder is changed. This security audit policy is useful when an administrator wants to
monitor potential changes on some, but not all, files and folders on a file server.
For info about monitoring potential central access policy changes for an entire file server, see Monitor the central
access policies that apply on a file server.
Use the following procedures to configure settings to monitor central access policies that are associated with files.
These procedures assume that you have configured and deployed Dynamic Access Control in your network. For
more information about how to configure and deploy Dynamic Access Control, see Dynamic Access Control:
Scenario Overview.
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
To configure settings to monitor central access policies associated with files or folders
1. Sign in to your ___domain controller by using ___domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the flexible access Group Policy Object, and then click Edit.
4. Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit Policy
Configuration, double-click Policy Change, and then double-click Audit Authorization Policy Change.
5. Select the Configure the following audit events check box, select the Success check box (and the Failure
check box, if desired), and then click OK.
6. Enable auditing for a file or folder as described in the following procedure.
To enable auditing for a file or folder
1. Sign in as a member of the local administrators group on the computer that contains the files or folders that
you want to audit.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. Click Advanced, click the Auditing tab, and then click Continue.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and
then click Yes.
4. Click Add, click Select a principal, type a user name or group name in the format contoso\user1, and
then click OK.
5. In the Auditing Entry for dialog box, select the permissions that you want to audit, such as Full Control or
Delete.
6. Click OK four times to complete the configuration of the object SACL.
7. Open a File Explorer window and select or create a file or folder to audit.
8. Open an elevated command prompt, and run the following command:
gpupdate /force
After you configure settings to monitor changes to the central access policies that are associated with files and
folders, verify that the changes are being monitored.
To verify that changes to central access policies associated with files and folders are monitored
1. Sign in as a member of the local administrators group on the computer that contains the files or folders that
you want to audit.
2. Open a File Explorer window and select the file or folder that you configured for auditing in the previous
procedure.
3. Right-click the file or folder, click Properties, click the Security tab, and then click Advanced.
4. Click the Central Policy tab, click Change, and select a different central access policy (if one is available) or
select No Central Access Policy, and then click OK twice.
Note: You must select a setting that is different than your original setting to generate the audit event.
Applies to
Windows 10
This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic
access control when you are using advanced security auditing options.
Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes
such as the departments in an organization or the levels of security clearance that apply to classes of users. You can
use security auditing to track whether claims are added, modified, enabled, disabled, or deleted.
Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures
assume that you have configured and deployed Dynamic Access Control, including central access policies, claims,
and other components, in your network. If you have not yet deployed Dynamic Access Control in your network,
see Deploy a Central Access Policy (Demonstration Steps).
Note: Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings.
Applies to
Windows 10
This reference for IT professionals provides information about the advanced audit policy settings that are
available in Windows and the audit events that they generate.
The security audit policy settings under Security Settings\Advanced Audit Policy Configuration can help
your organization audit compliance with important business-related and security-related rules by tracking
precisely defined activities, such as:
A group administrator has modified settings or data on servers that contain finance information.
An employee within a defined group has accessed an important file.
The correct system access control list (SACL) is applied to every file and folder or registry key on a computer
or file share as a verifiable safeguard against undetected access.
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local
computer or by using Group Policy.
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can
exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive
number of log entries. In addition, because security audit policies can be applied by using ___domain Group Policy
Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative
simplicity. Audit policy settings under Security Settings\Advanced Audit Policy Configuration are available
in the following categories:
Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a
___domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and
events, which track attempts to access a particular computer, settings and events in this category focus on the
account database that is used. This category includes the following subcategories:
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Logon/Logoff Events
Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts
and groups. This category includes the following subcategories:
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Detailed Tracking
Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual
applications and users on that computer, and to understand how a computer is being used. This category includes
the following subcategories:
Audit DPAPI Activity
Audit PNP activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
Audit Credential Validation
Audit Token Right Adjusted
DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in
Active Directory Domain Services (AD DS). These audit events are logged only on ___domain controllers. This
category includes the following subcategories:
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer
interactively or over a network. These events are particularly useful for tracking user activity and identifying
potential attacks on network resources. This category includes the following subcategories:
Audit Account Lockout
Audit User/Device Claims
Audit IPsec Extended Mode
Audit Group Membership
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of
objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object,
you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For
example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory
needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify
that the proper SACLs are set on all inherited objects. To address this issue, see Global Object Access Auditing.
This category includes the following subcategories:
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging
Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or
network. Because policies are typically established by administrators to help secure network resources,
monitoring changes or attempts to change these policies can be an important aspect of security management for
a network. This category includes the following subcategories:
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security
policy settings and audit events allow you to track the use of certain permissions on one or more systems. This
category includes the following subcategories:
Audit Non-Sensitive Privilege Use
Audit Sensitive Privilege Use
Audit Other Privilege Use Events
System
System security policy settings and audit events allow you to track system-level changes to a computer that are
not included in other categories and that have potential security implications. This category includes the following
subcategories:
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Note: If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting
SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is
derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that
an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing
policy.
Applies to
Windows 10
Windows Server 2016
Audit Credential Validation determines whether the operating system generates audit events on credentials that
are submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials as follows:
For ___domain accounts, the ___domain controller is authoritative.
For local accounts, the local computer is authoritative.
Event volume:
High on ___domain controllers.
Low on member servers and workstations.
Because ___domain accounts are used much more frequently than local accounts in enterprise environments, most of
the Account Logon events in a ___domain environment occur on the ___domain controllers that are authoritative for the
___domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on
separate computers from Logon and Logoff events.
The main reason to enable this auditing subcategory is to handle local account authentication attempts and, for
___domain accounts, NTLM authentication in the ___domain. It is especially useful for monitoring unsuccessful attempts,
to find brute-force attacks, account enumeration, and potential account compromise events on ___domain controllers.
Recommendation table (Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments): rows not recovered from the source.
Events List:
4774(S, F): An account was mapped for logon.
4775(F): An account could not be mapped for logon.
4776(S, F): The computer attempted to validate the credentials for an account.
4777(F): The ___domain controller failed to validate the credentials for an account.
4774(S, F): An account was mapped for logon.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Success events do not appear to occur. A Failure event has been reported.
Subcategory: Audit Credential Validation
Event Schema:
An account was mapped for logon.
Authentication Package:Schannel
Account UPN:<Account>@<Domain>
Mapped Name:<Account>
Required Server Roles: no information.
Minimum OS Version: no information.
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
It appears that this event never occurs.
Subcategory: Audit Credential Validation
Event Schema:
An account could not be mapped for logon.
Authentication Package:%1
Account Name:%2
Required Server Roles: no information.
Minimum OS Version: no information.
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Credential Validation
Event Description:
This event generates every time that a credential validation occurs using NTLM authentication.
This event occurs only on the computer that is authoritative for the provided credentials. For ___domain accounts, the
___domain controller is authoritative. For local accounts, the local computer is authoritative.
It shows successful and unsuccessful credential validation attempts.
It shows only the computer name (Source Workstation) from which the authentication attempt was performed
(authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a ___domain account
you will see CLIENT-1 in the Source Workstation field. Information about the destination computer (SERVER-1)
is not presented in this event.
If a credential validation attempt fails, you will see a Failure event with Error Code parameter value not equal to
“0x0”.
The main advantage of this event is that on ___domain controllers you can see all authentication attempts for ___domain
accounts when NTLM authentication was used.
For monitoring local account logon attempts, it is better to use event “4624: An account was successfully logged
on” because it contains more details and is more informative.
This event also generates when a workstation unlock event occurs.
This event does not generate when a ___domain account logs on locally to a ___domain controller.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-07-25T04:38:11.003163100Z" />
<EventRecordID>165437</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="Workstation">WIN81</Data>
<Data Name="Status">0xc0000234</Data>
</EventData>
</Event>
Note Authentication package is a DLL that encapsulates the authentication logic used to determine
whether to permit a user to log on. Local Security Authority (LSA) authenticates a user logon by sending the
request to an authentication package. The authentication package then examines the logon information and
either authenticates or rejects the user logon attempt.
Logon Account [Type = UnicodeString]: the name of the account that had its credentials validated by the
Authentication Package. Can be user name, computer account name or well-known security principal
account name. Examples:
User example: dadmin
Computer account example: WIN81$
Local System account example: Local
Local Service account example: Local Service
Source Workstation [Type = UnicodeString]: the name of the computer from which the logon attempt
originated.
Error Code [Type = HexInt32]: contains error code for Failure events. For Success events this parameter
has “0x0” value. The table below contains most common error codes for this event:
| ERROR CODE | DESCRIPTION |
|---|---|
| 0xC0000064 | The username you typed does not exist. Bad username. |
| 0xc0000371 | The local account store does not contain secret material for the specified account. |
| 0x0 | No errors. |
| TYPE OF MONITORING REQUIRED | RECOMMENDATION |
|---|---|
| High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on. | Monitor this event with the “Logon Account” that corresponds to the high-value account or accounts. |
| Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Logon Account” value (with other information) to monitor how or when a particular account is being used. To monitor activity of specific user accounts outside of working hours, monitor the appropriate Logon Account + Source Workstation pairs. |
| Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Logon Account” that should never be used. |
| Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Logon Account” for accounts that are outside the whitelist. |
| Restricted-use computers: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target Source Workstation for credential validation requests from the “Logon Account” that you are concerned about. |
| Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Logon Account” for names that don’t comply with naming conventions. |
If NTLM authentication should not be used for a specific account, monitor for that account. Don’t forget that
local logon will always use NTLM authentication if an account logs on to a device where its user account is
stored.
You can use this event to collect all NTLM authentication attempts in the ___domain, if needed. Don’t forget
that local logon will always use NTLM authentication if the account logs on to a device where its user
account is stored.
If a local account should be used only locally (for example, network logon or terminal services logon is not
allowed), you need to monitor for all events where Source Workstation and Computer (where the event
was generated and where the credentials are stored) have different values.
Consider tracking the following errors for the reasons listed:
| ERROR | REASON TO TRACK |
|---|---|
| User logon with misspelled or bad user account | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts. |
| User logon with misspelled or bad password | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts. |
| User logon outside authorized hours | Can indicate a compromised account; especially relevant for highly critical accounts. |
| User logon from unauthorized workstation | Can indicate a compromised account; especially relevant for highly critical accounts. |
| User logon to account disabled by administrator | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts. |
| User logon with expired account | Can indicate an account compromise attempt; especially relevant for highly critical accounts. |
| User logon with account locked | Can indicate a brute-force password attack; especially relevant for highly critical accounts. |
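The monitoring rules above, worked as code: an added example (not from the Microsoft documentation) that runs the bad-username, bad-password, lockout, remote-local-account and no-NTLM-watchlist checks over constructed 4776 records. The 0xC000006A wrong-password status is a known NTSTATUS value not shown on the page, and the burst thresholds are assumptions.

```python
"""Monitoring logic for event 4776 (NTLM credential validation).

Added example, not from the Microsoft documentation. Records are built from
the 4776 EventData fields shown on the page: TargetUserName (Logon Account),
Workstation (Source Workstation), Status (Error Code), plus the Computer that
logged the event. Every sample record below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Status values: 0xC0000064 and 0xC0000234 appear on the page; 0xC000006A
# (wrong password) is a known NTSTATUS value added for the brute-force case.
BAD_USERNAME = 0xC0000064
BAD_PASSWORD = 0xC000006A
ACCOUNT_LOCKED = 0xC0000234

BASE = datetime(2015, 7, 25, 4, 38, 11)  # taken from the page's sample XML


def rec(offset_s, computer, account, workstation, status):
    """One constructed 4776 record; Status is parsed like the XML hex string."""
    return {"Time": BASE + timedelta(seconds=offset_s), "Computer": computer,
            "TargetUserName": account, "Workstation": workstation,
            "Status": int(status, 16)}


SAMPLE_EVENTS = (
    # Six bad-username failures from one workstation in about two minutes:
    # the "N events in the last N minutes" enumeration pattern.
    [rec(i * 25, "DC01", f"user{i}", "WIN81", "0xc0000064") for i in range(6)]
    # Five wrong-password failures for dadmin, followed by a lockout.
    + [rec(200 + i * 40, "DC01", "dadmin", "WIN81", "0xc000006a") for i in range(5)]
    + [rec(400, "DC01", "dadmin", "WIN81", "0xc0000234")]
    # A local account on member server FS01 validated once from another host
    # (network use) and once from FS01 itself (local use).
    + [rec(500, "FS01", "svc_backup", "WIN81", "0x0"),
       rec(520, "FS01", "svc_backup", "FS01", "0x0")]
)


def has_burst(times, threshold, window):
    """True if any interval of length `window` holds >= threshold timestamps."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def burst_keys(events, status, key, threshold=5, window=timedelta(minutes=5)):
    """Values of `key` whose failures with the given Status form a burst."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["Status"] == status:
            buckets[ev[key]].append(ev["Time"])
    return sorted(k for k, ts in buckets.items()
                  if has_burst(ts, threshold, window))


def enumeration_sources(events, **kw):
    """Workstations sending bursts of bad-username failures (enumeration)."""
    return burst_keys(events, BAD_USERNAME, "Workstation", **kw)


def brute_force_targets(events, **kw):
    """Accounts receiving bursts of bad-password failures (password guessing)."""
    return burst_keys(events, BAD_PASSWORD, "TargetUserName", **kw)


def lockouts(events):
    """Accounts that hit an account-locked failure."""
    return sorted({ev["TargetUserName"] for ev in events
                   if ev["Status"] == ACCOUNT_LOCKED})


def remote_local_account_use(events, domain_controllers):
    """Local-account validations where Source Workstation differs from the
    Computer that stores the account, i.e. the account was used over the
    network. Events logged on ___domain controllers are ___domain accounts and skipped."""
    return sorted({(ev["Computer"], ev["TargetUserName"], ev["Workstation"])
                   for ev in events
                   if ev["Computer"] not in domain_controllers
                   and ev["Workstation"] != ev["Computer"]})


def ntlm_use_by_watchlist(events, watchlist):
    """Accounts that should not use NTLM but appear in 4776 with any Status."""
    return sorted({ev["TargetUserName"] for ev in events
                   if ev["TargetUserName"] in watchlist})


if __name__ == "__main__":
    print("enumeration sources:", enumeration_sources(SAMPLE_EVENTS))
    print("brute-force targets:", brute_force_targets(SAMPLE_EVENTS))
    print("lockouts:", lockouts(SAMPLE_EVENTS))
    print("local account used remotely:",
          remote_local_account_use(SAMPLE_EVENTS, {"DC01"}))
    print("NTLM by watchlisted:", ntlm_use_by_watchlist(SAMPLE_EVENTS, {"dadmin"}))
```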
4777(F): The ___domain controller failed to validate the credentials for an account.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. A 4776
failure event is generated instead.
Subcategory: Audit Credential Validation
Audit Kerberos Authentication Service
12/20/2019
Applies to
Windows 10
Windows Server 2016
Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication
ticket-granting ticket (TGT) requests.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
Event volume: High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed
Pre-Authentications, due to wrong user password or when the user’s password has expired.
Recommendation table (Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments): rows not recovered from the source.
Events List:
4768(S, F): A Kerberos authentication ticket (TGT) was requested.
4771(F): Kerberos pre-authentication failed.
4772(F): A Kerberos authentication ticket request failed.
4768(S, F): A Kerberos authentication ticket (TGT) was requested.
7/8/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Authentication Service
Event Description:
This event generates every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
This event generates only on ___domain controllers.
If the TGT issue fails then you will see a Failure event with the Result Code field not equal to “0x0”.
This event doesn't generate for Result Codes 0x10, 0x17 and 0x18. Event “4771: Kerberos pre-authentication
failed.” generates instead.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:13:46.074535600Z" />
<EventRecordID>166747</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1496" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x0</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49273</Data>
<Data Name="CertIssuerName">contoso-DC01-CA-1</Data>
<Data Name="CertSerialNumber">1D0000000D292FBE3C6CDDAFA200020000000D</Data>
<Data Name="CertThumbprint">564DFAEE99C71D62ABC553E695BD8DBC46669413</Data>
</EventData>
</Event>
Note A Kerberos Realm is a set of managed nodes that share the same Kerberos database. The Kerberos
database resides on the Kerberos master computer system, which should be kept in a physically secure room.
An Active Directory ___domain is an example of a Kerberos Realm in the Microsoft Windows Active Directory world.
User ID [Type = SID]: SID of the account for which the (TGT) ticket was requested. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source
data in the event.
For example: CONTOSO\dadmin or CONTOSO\WIN81$.
NULL SID – this value shows in 4768 Failure events.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Service Information:
Service Name [Type = UnicodeString]: the name of the service in the Kerberos Realm to which the TGT
request was sent. Typically has value “krbtgt” for TGT requests, which means Ticket Granting Ticket
issuing service.
For Failure events Service Name typically has the following format: krbtgt/REALM_NAME. For
example: krbtgt/CONTOSO.
Service ID [Type = SID]: SID of the service account in the Kerberos Realm to which the TGT request was sent.
Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be
resolved, you will see the source data in the event.
Domain controllers have a specific service account (krbtgt) that is used by the Key Distribution Center
(KDC) service to issue Kerberos tickets. It has a built-in, pre-defined SID: S-1-5-21-DOMAIN_IDENTIFIER-502.
NULL SID – this value shows in 4768 Failure events.
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGT request was
received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of client network connection (TGT request
connection).
0 for local (localhost) requests.
Additional information:
Ticket Options [Type = HexInt32]: this is a set of different ticket flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable,
Canonicalize, Renewable-ok.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0”
style bit numbering begins from left.
| BIT | FLAG NAME | DESCRIPTION |
|---|---|---|
| 0 | Reserved | - |
| 16-25 | Unused | - |
| 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | - |
Result Code [Type = HexInt32]: hexadecimal result code of the TGT issue operation. “Table 3. TGT/TGS issue
error codes.” contains the list of the most common error codes for this event.
## Table 3. TGT/TGS issue error codes.
| CODE | CODE NAME | DESCRIPTION | POSSIBLE CAUSES |
|---|---|---|---|
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist. |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database | This error can occur if the ___domain controller cannot find the server’s name in Active Directory. This error is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found. |
| 0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. |
| 0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future. It also can occur if there is a time difference between the client and the KDC. |
| 0xC | KDC_ERR_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction. |
| 0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. |
| 0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. |
| 0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted. It can also happen when a ___domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was requested”. It occurs in “4771. Kerberos pre-authentication failed” event. |
| 0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC_ERR_TGT_REVOKED. See RFC1510 for more details. |
| 0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized. If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
| 0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. |
| 0x25 | KRB_AP_ERR_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. |
| 0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the ___domain controller. |
| 0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC_ERR_KDC_NOT_TRUSTED. See RFC1510 for more details. |
Ticket Encryption Type [Type = HexInt32]: the cryptographic suite that was used for the issued TGT.
## Table 4. Kerberos encryption types
Pre-Authentication Type [Type = UnicodeString]: the code number of the pre-authentication type that was used in the TGT request.
## Table 5. Kerberos Pre-Authentication types.
Certificate Information:
Certificate Issuer Name [Type = UnicodeString]: the name of the Certification Authority that issued the smart card certificate. Populated in the Issued by field of the certificate.
Certificate Serial Number [Type = UnicodeString]: the smart card certificate’s serial number. Can be found in the Serial number field of the certificate.
Certificate Thumbprint [Type = UnicodeString]: the smart card certificate’s thumbprint. Can be found in the Thumbprint field of the certificate.
| Type of monitoring required | Recommendation |
|---|---|
| High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on. | Monitor this event with the “User ID” that corresponds to the high-value account or accounts. |
| Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “User ID” (with other information) to monitor how or when a particular account is being used. |
| Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “User ID” that corresponds to the accounts that should never be used. |
| Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “User ID” for accounts that are outside the whitelist. |
| External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Supplied Realm Name” corresponding to another ___domain or “external” ___location. |
| Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “User ID” for names that don’t comply with naming conventions. |
You can track all 4768 events where the Client Address is not from your internal IP range or not from private IP ranges.
If you know that an Account Name should be used only from a known list of IP addresses, track all Client Address values for this Account Name in 4768 events. If the Client Address is not from the whitelist, generate the alert.
A Client Address of ::1 means local authentication. If you know the list of accounts that should log on to the ___domain controllers, then you need to monitor for all possible violations, where Client Address = ::1 and the Account Name is not allowed to log on to any ___domain controller.
All 4768 events with a Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for an outbound connection.
Also consider monitoring the fields shown in the following table, to discover the issues listed:
| Field | Issue to discover |
|---|---|
| Certificate Issuer Name | Certification authority name is not from your PKI infrastructure. |
| Certificate Issuer Name | Certification authority name is not authorized to issue smart card authentication certificates. |
| Pre-Authentication Type | Value is not 15 when account must use a smart card for authentication. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Pre-Authentication Type | Value is not 138 when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Ticket Encryption Type | Value is 0x1 or 0x3, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2. For more information, see Table 4. Kerberos encryption types. |
| Ticket Encryption Type | Starting with Windows Vista and Windows Server 2008, monitor for values other than 0x11 and 0x12. These are the expected values, starting with these operating systems, and represent AES-family algorithms. For more information, see Table 4. Kerberos encryption types. |
| Result Code | 0x6 (The username doesn't exist), if you see, for example, N events in the last N minutes. This can be an indicator of an account enumeration attack, especially for highly critical accounts. |
| Result Code | 0x7 (Server not found in Kerberos database). This error can occur if the ___domain controller cannot find the server's name in Active Directory. |
| Result Code | 0x8 (Multiple principal entries in KDC database). This will help you to find duplicate SPNs faster. |
| Result Code | 0x9 (The client or server has a null key (master key)). This error can help you to identify problems with Kerberos authentication faster. |
| Result Code | 0xA (Ticket (TGT) not eligible for postdating). Microsoft systems should not request postdated tickets. These events could help identify anomaly activity. |
| Result Code | 0xC (Requested start time is later than end time), if you see, for example, N events in the last N minutes. This can be an indicator of an account compromise attempt, especially for highly critical accounts. |
| Result Code | 0xE (KDC has no support for encryption type). In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. Monitor for these events because this should not happen in a standard Active Directory environment. |
| Result Code | 0xF (KDC has no support for checksum type). Monitor for these events because this should not happen in a standard Active Directory environment. |
| Result Code | 0x12 (Client's credentials have been revoked), if you see, for example, N events in the last N minutes. This can be an indicator of anomaly activity or a brute-force attack, especially for highly critical accounts. |
| Result Code | 0x22 (The request is a replay). This error indicates that a specific authenticator showed up twice: the KDC has detected that this session ticket duplicates one that it has already received. It could be a sign of an attack attempt. |
| Result Code | 0x29 (Message stream modified and checksum didn't match). The authentication data was encrypted with the wrong key for the intended server. The authentication data was modified in transit by a hardware or software error, or by an attacker. Monitor for these events because this should not happen in a standard Active Directory environment. |
| Result Code | 0x3C (Generic error). This error can help you more quickly identify problems with Kerberos authentication. |
| Result Code | 0x3E (The client trust failed or is not implemented). This error helps you identify logon attempts with revoked certificates and the situations when the root Certification Authority that issued the smart card certificate (through a chain) is not trusted by a ___domain controller. |
| Result Code | 0x3F, 0x40, 0x41 errors. These errors can help you more quickly identify smart-card related problems with Kerberos authentication. |
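The checks in the table above as detection logic, an added example that is not taken from Microsoft's documentation or tooling: it parses 4768 events in the Security log's XML shape and applies the address, port, encryption-type, pre-authentication-type and result-code checks, including the "N events in the last N minutes" burst rule. The internal ranges, smart-card account list, armoring flag and threshold are assumptions, and the events are constructed samples.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Union

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Deployment-specific assumptions; replace with your own values.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]
SMARTCARD_ACCOUNTS = {"dadmin"}  # accounts that must pre-authenticate with a smart card (type 15)
ARMORING_ENFORCED = False        # True when Kerberos Armoring (type 138) is required everywhere
BURST_THRESHOLD = 3              # "N events in the last N minutes": the caller passes one window

# Result codes from the table above that deserve a look on every occurrence.
WATCHED_RESULT_CODES = {
    0x7: "server not found in Kerberos database", 0x8: "multiple principal entries (duplicate SPN)",
    0x9: "client or server has a null key", 0xA: "TGT not eligible for postdating",
    0xE: "KDC has no support for encryption type", 0xF: "KDC has no support for checksum type",
    0x22: "request is a replay", 0x29: "message stream modified, checksum mismatch",
    0x3C: "generic error", 0x3E: "client trust failed or not implemented",
    0x3F: "KDC trust failed", 0x40: "smart-card related error", 0x41: "smart-card related error",
}
# Result codes that matter when they arrive in bursts (enumeration, revoked credentials).
BURST_CODES = {0x6: "username does not exist", 0xC: "requested start time later than end time",
               0x12: "client credentials revoked"}


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten a Security-log event into {EventID, <Data Name>: value}."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS) or ""
    return fields


def client_ip(raw: str) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address]:
    """Client Address arrives as IPv4, IPv6, ::1 or ::ffff:IPv4; unwrap the mapped form."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr


def check_4768(ev: Dict[str, str]) -> List[str]:
    """Per-event checks from the 'Field / Issue to discover' table above."""
    findings: List[str] = []
    addr = client_ip(ev["IpAddress"])
    if not addr.is_loopback and not any(addr in net for net in INTERNAL_NETS):
        findings.append(f"client address {addr} outside internal ranges")
    port = int(ev.get("IpPort", "0"))
    if 0 < port < 1024:
        findings.append(f"well-known source port {port}")
    status = int(ev.get("Status", "0x0"), 16)
    if status == 0:  # a TGT was issued, so the encryption and pre-authentication fields are real
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        if etype in (0x1, 0x3):
            findings.append(f"DES encryption type {etype:#x}")
        elif etype not in (0x11, 0x12):
            findings.append(f"non-AES encryption type {etype:#x}")
        preauth = ev.get("PreAuthType", "")
        if ev["TargetUserName"] in SMARTCARD_ACCOUNTS and preauth != "15":
            findings.append(f"pre-authentication type {preauth}, expected 15 for smart-card account")
        if ARMORING_ENFORCED and preauth != "138":
            findings.append(f"pre-authentication type {preauth}, expected 138 with Kerberos Armoring")
    elif status in WATCHED_RESULT_CODES:
        findings.append(f"result code {status:#x}: {WATCHED_RESULT_CODES[status]}")
    return findings


def burst_check(events: List[Dict[str, str]], threshold: int = BURST_THRESHOLD) -> List[str]:
    """Count burst-type result codes across one time window of 4768 events."""
    counts = Counter(int(ev["Status"], 16) for ev in events if ev.get("EventID") == "4768")
    return [f"{n} x {code:#x} ({BURST_CODES[code]}) in this window"
            for code, n in sorted(counts.items()) if code in BURST_CODES and n >= threshold]


def sample_4768(**data: str) -> str:
    """Constructed sample in the Security log's XML shape (not a real capture)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4768</EventID>'
            f'<Computer>DC01.contoso.local</Computer></System><EventData>{rows}</EventData></Event>')


SAMPLE_EVENTS = [
    # issued TGT with a DES key
    sample_4768(TargetUserName="svc-legacy", Status="0x0", PreAuthType="2",
                TicketEncryptionType="0x3", IpAddress="::ffff:10.0.0.12", IpPort="49254"),
    # smart-card account using password pre-auth, from outside, on a well-known port
    sample_4768(TargetUserName="dadmin", Status="0x0", PreAuthType="2",
                TicketEncryptionType="0x12", IpAddress="::ffff:203.0.113.7", IpPort="445"),
] + [
    # three "username doesn't exist" failures in one window: the enumeration pattern
    sample_4768(TargetUserName=name, Status="0x6", PreAuthType="-", TicketEncryptionType="0xffffffff",
                IpAddress="::ffff:10.0.0.50", IpPort=str(50000 + i))
    for i, name in enumerate(("alice", "bob", "carol"))
]


def run(xml_events: List[str]) -> Dict[str, List[str]]:
    """Per-account findings, plus window-level burst findings under the '_window' key."""
    parsed = [parse_event(x) for x in xml_events]
    report = {ev["TargetUserName"]: f for ev in parsed if (f := check_4768(ev))}
    report["_window"] = burst_check(parsed)
    return report


if __name__ == "__main__":
    for who, items in run(SAMPLE_EVENTS).items():
        print(who, "->", "; ".join(items))
```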
# 4771(F): Kerberos pre-authentication failed.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Authentication Service
Event Description:
This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a ___domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
This event generates only on ___domain controllers.
This event is not generated if the “Do not require Kerberos preauthentication” option is set for the account.
Event XML:
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-07T18:10:21.495462300Z" />
    <EventRecordID>166708</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1084" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="ServiceName">krbtgt/CONTOSO.LOCAL</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x10</Data>
    <Data Name="PreAuthType">15</Data>
    <Data Name="IpAddress">::ffff:10.0.0.12</Data>
    <Data Name="IpPort">49254</Data>
    <Data Name="CertIssuerName" />
    <Data Name="CertSerialNumber" />
    <Data Name="CertThumbprint" />
  </EventData>
</Event>
```
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which the TGT was requested. Computer account names end with the $ character.
User account example: dadmin
Computer account example: WIN81$
Service Information:
Service Name [Type = UnicodeString]: the name of the service in the Kerberos realm to which the TGT request was sent. Typically has one of the following formats:
krbtgt/DOMAIN_NETBIOS_NAME. Example: krbtgt/CONTOSO
krbtgt/DOMAIN_FULL_NAME. Example: krbtgt/CONTOSO.LOCAL
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGT request was
received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of the client network connection (TGT request connection).
0 for local (localhost) requests.
Additional Information:
Ticket Options: [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from the left.
| Bit | Flag name | Description |
|---|---|---|
| 0 | Reserved | - |
| 16-25 | Unused | - |
| 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | - |
Failure Code [Type = HexInt32]: hexadecimal failure code of the failed TGT issue operation. The table below contains the list of the most common error codes for this event:
| Code | Code name | Description | Possible causes |
|---|---|---|---|
| 0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the ___domain controller. It can also happen when a ___domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
Pre-Authentication Type [Type = UnicodeString]: the code of the pre-authentication type that was used in the TGT request.
## Table 5. Kerberos Pre-Authentication types.
Certificate Information:
Certificate Issuer Name [Type = UnicodeString]: the name of the Certification Authority that issued the smart card certificate. Populated in the Issued by field of the certificate. Always empty for 4771 events.
Certificate Serial Number [Type = UnicodeString]: the smart card certificate’s serial number. Can be found in the Serial number field of the certificate. Always empty for 4771 events.
Certificate Thumbprint [Type = UnicodeString]: the smart card certificate’s thumbprint. Can be found in the Thumbprint field of the certificate. Always empty for 4771 events.
| Type of monitoring required | Recommendation |
|---|---|
| High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on. | Monitor this event with the “Security ID” that corresponds to the high-value account or accounts. |
| Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Security ID” (with other information) to monitor how or when a particular account is being used. |
| Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Security ID” that corresponds to the accounts that should never be used. |
| Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Security ID” for accounts that are outside the whitelist. |
| Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Account Name” for names that don’t comply with naming conventions. |
You can track all 4771 events where the Client Address is not from your internal IP range or not from private IP ranges.
If you know that an Account Name should be used only from a known list of IP addresses, track all Client Address values for this Account Name in 4771 events. If the Client Address is not from the whitelist, generate the alert.
A Client Address of ::1 means local authentication. If you know the list of accounts that should log on to the ___domain controllers, then you need to monitor for all possible violations, where Client Address = ::1 and the Account Name is not allowed to log on to any ___domain controller.
All 4771 events with a Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for an outbound connection.
Also monitor the fields shown in the following table, to discover the issues listed:
| Field | Issue to discover |
|---|---|
| Pre-Authentication Type | Value is not 15 when account must use a smart card for authentication. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Pre-Authentication Type | Value is not 138 when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see Table 5. Kerberos Pre-Authentication types. |
| Result Code | 0x10 (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. |
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. The 4768 failure event is generated instead.
Subcategory: Audit Kerberos Authentication Service
# Audit Kerberos Service Ticket Operations
1/3/2020
Applies to
Windows 10
Windows Server 2016
Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit
events for Kerberos service ticket requests.
Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network
resource. Kerberos service ticket operation audit events can be used to track user activity.
Event volume: Very High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGSs and failed TGS requests.
| Computer type | General success | General failure | Stronger success | Stronger failure | Comments |
|---|---|---|---|---|---|
| | IF | - | | | We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Service Ticket Operations
Event Description:
This event generates every time the Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request.
This event generates only on ___domain controllers.
If TGS issuance fails, you will see a Failure event with the Failure Code field not equal to “0x0”.
You will typically see many Failure events with Failure Code “0x20”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.
Event XML:
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4769</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14337</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-07T18:13:46.043256100Z" />
    <EventRecordID>166746</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="1496" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">dadmin@CONTOSO.LOCAL</Data>
    <Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
    <Data Name="ServiceName">WIN2008R2$</Data>
    <Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-2102</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="IpAddress">::ffff:10.0.0.12</Data>
    <Data Name="IpPort">49272</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="LogonGuid">{F85C455E-C66E-205C-6B39-F6C60A7FE453}</Data>
    <Data Name="TransmittedServices">-</Data>
  </EventData>
</Event>
```
Note Although this field is in the UPN format, this is not the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory ___domain name.
This parameter in this event is optional and can be empty in some cases.
Account Domain [Type = UnicodeString]: the name of the Kerberos Realm that Account Name belongs to. This can appear in a variety of formats, including the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
This parameter in this event is optional and can be empty in some cases.
Logon GUID [Type = GUID]: a GUID that can help you correlate this event (on a ___domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same Logon GUID. These events are “4624: An account was successfully logged on”, “4648(S): A logon was attempted using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Service Information:
Service Name [Type = UnicodeString]: the name of the account or computer for which the TGS ticket was
requested.
This parameter in this event is optional and can be empty in some cases.
Service ID [Type = SID]: SID of the account or computer object for which the TGS ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
NULL SID – this value shows in Failure events.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGS request was
received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of the client network connection (TGS request connection).
0 for local (localhost) requests.
Additional information:
Ticket Options: [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
Note In the table below “MSB 0” bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from the left.
| Bit | Flag name | Description |
|---|---|---|
| 0 | Reserved | - |
| 16-25 | Unused | - |
| 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | - |
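Decoding the Ticket Options field with MSB 0 bit numbering, as an added example (not Microsoft's code) that applies to the Ticket Options fields of both 4771 and 4769 above. Flag names for bits 1, 8, 15 and 27 come from the field description; the other names are assumed from the KDCOptions assignments in RFC 4120 section 5.4.1, and the 0x2 sample is the value in the 4770 event XML further down.

```python
# Flag names for bits 1, 8, 15 and 27 are those the field description above uses;
# the rest are assumed from the KDCOptions assignments in RFC 4120 section 5.4.1.
KDC_OPTION_FLAGS = {
    0: "Reserved", 1: "Forwardable", 2: "Forwarded", 3: "Proxiable", 4: "Proxy",
    5: "Allow-postdate", 6: "Postdated", 8: "Renewable", 11: "Opt-hardware-auth",
    15: "Canonicalize", 26: "Disable-transited-check", 27: "Renewable-ok",
    28: "Enc-tkt-in-skey", 30: "Renew", 31: "Validate",
}


def binary_view(value: int) -> str:
    """The 32-character 'Binary view' string shown in the event description."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Ticket Options is a 32-bit value")
    return format(value, "032b")


def msb0_bits(value: int) -> list:
    """Set bits in MSB 0 numbering: bit 0 is the leftmost character of the binary view."""
    return [i for i, ch in enumerate(binary_view(value)) if ch == "1"]


def mask_for_bit(msb0_bit: int) -> int:
    """Mask for one MSB 0 bit, for rules that test the raw hex value directly
    (bit 27 is 0x10, not 0x08000000 as LSB 0 numbering would suggest)."""
    return 1 << (31 - msb0_bit)


def decode_ticket_options(field: str) -> list:
    """Decode a hex Ticket Options field such as '0x40810010' into (bit, flag name) pairs."""
    return [(bit, KDC_OPTION_FLAGS.get(bit, "Unused")) for bit in msb0_bits(int(field, 16))]


if __name__ == "__main__":
    # 0x40810010 and 0x40810000 are the values in the 4771 and 4769 XML above;
    # 0x2 is the one in the 4770 renewal event, which decodes to the Renew flag.
    for sample in ("0x40810010", "0x40810000", "0x2"):
        print(sample, binary_view(int(sample, 16)), decode_ticket_options(sample))
```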
Ticket Encryption Type [Type = HexInt32]: the cryptographic suite that was used for the issued TGS.
Failure Code [Type = HexInt32]: hexadecimal result code of the TGS issue operation. The table below contains the list of the most common error codes for this event:
| Code | Code name | Description | Possible causes |
|---|---|---|---|
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database | The username doesn’t exist. |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database | This error can occur if the ___domain controller cannot find the server’s name in Active Directory. This error is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found. |
| 0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that the administrator should reset the password on the account. |
| 0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future. It also can occur if there is a time difference between the client and the KDC. |
| 0xC | KDC_ERR_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction. |
| 0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. |
| 0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. |
| 0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted. It can also happen when a ___domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was requested”. It occurs in the “4771. Kerberos pre-authentication failed” event. |
| 0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC_ERR_TGT_REVOKED. See RFC1510 for more details. |
| 0x1B | KDC_ERR_MUST_USE_USER2USER | Server principal valid for user2user only | This error occurs because the service is missing an SPN. |
| 0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized. If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
| 0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. |
| 0x25 | KRB_AP_ERR_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the server’s timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. |
| 0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented | This typically happens when the user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the ___domain controller. |
| 0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC_ERR_KDC_NOT_TRUSTED. See RFC1510 for more details. |
Transited Services [Type = UnicodeString]: this field contains the list of SPNs that were requested if Kerberos delegation was used.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
| Type of monitoring required | Recommendation |
|---|---|
| High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on. | Monitor this event with the “Account Information\Account Name” that corresponds to the high-value account or accounts. |
| Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Account Information\Account Name” (with other information) to monitor how or when a particular account is being used. |
| Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Account Information\Account Name” that corresponds to the accounts that should never be used. |
| External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Account Information\Account Domain” corresponding to another ___domain or “external” ___location. |
| Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target Computer: (or other target device) for actions performed by the “Account Information\Account Name” that you are concerned about. |
| Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “User ID” for names that don’t comply with naming conventions. |
If you know that an Account Name should never request any tickets for (that is, never get access to) a particular computer account or service account, monitor for 4769 events with the corresponding Account Name and Service ID fields.
You can track all 4769 events where the Client Address is not from your internal IP range or not from private IP ranges.
If you know that an Account Name should be able to request tickets (should be used) only from a known whitelist of IP addresses, track all Client Address values for this Account Name in 4769 events. If the Client Address is not from your whitelist of IP addresses, generate the alert.
A Client Address of ::1 means a local TGS request, which means that the Account Name logged on to a ___domain controller before making the TGS request. If you have a whitelist of accounts allowed to log on to ___domain controllers, monitor events with Client Address = ::1 and any Account Name outside the whitelist.
All 4769 events with a Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for an outbound connection.
Monitor for a Ticket Encryption Type of 0x1 or 0x3, which means the DES algorithm was used. DES should not be in use, because of low security and known vulnerabilities. It is disabled by default starting from Windows 7 and Windows Server 2008 R2.
Starting with Windows Vista and Windows Server 2008, monitor for a Ticket Encryption Type other than 0x11 and 0x12. These are the expected values, starting with these operating systems, and represent AES-family algorithms.
If you have a list of important Failure Codes, monitor for these codes.
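The 4769 recommendations above as checks over constructed event-data dicts, an added example that is not Microsoft's code: forbidden account-to-service pairs keyed on Service ID, local (::1) TGS requests by accounts outside a ___domain-controller logon whitelist, well-known source ports, and a short list of important Failure Codes. The allow and deny lists and the account names other than dadmin are assumptions; the WIN2008R2$ SID is the one in the sample event above.

```python
from typing import Dict, List, Tuple

SVC_SID = "S-1-5-21-3457937927-2839227994-823803824-2102"  # WIN2008R2$ in the sample event above

# Assumptions a deployment replaces with its own policy.
DC_LOGON_ALLOWLIST = {"dadmin"}  # accounts allowed to log on to ___domain controllers
# (account, Service ID) pairs that must never appear in a 4769 event.
FORBIDDEN_PAIRS = {("svc-web", SVC_SID)}
# Failure Codes from the table above worth alerting on (0x20, expired ticket, is informational).
IMPORTANT_FAILURE_CODES = {0x1B: "service is missing an SPN", 0x14: "TGT has been revoked",
                           0x3E: "client trust failed or not implemented"}


def account_name(upn: str) -> str:
    """4769 carries the normalized UPN (SamAccountName@REALM); keep the account part."""
    return upn.split("@", 1)[0].lower()


def check_4769(ev: Dict[str, str]) -> List[str]:
    """Apply the recommendations above to one event's EventData fields."""
    findings: List[str] = []
    acct = account_name(ev["TargetUserName"])
    port = int(ev.get("IpPort", "0"))
    if 0 < port < 1024:
        findings.append(f"well-known source port {port}")
    status = int(ev.get("Status", "0x0"), 16)
    if status != 0:
        # Failure events carry NULL SID as Service ID, so only the code itself is useful.
        if status in IMPORTANT_FAILURE_CODES:
            findings.append(f"failure code {status:#x}: {IMPORTANT_FAILURE_CODES[status]}")
        return findings
    if (acct, ev.get("ServiceSid", "")) in FORBIDDEN_PAIRS:
        findings.append(f"{acct} requested a ticket for forbidden service {ev.get('ServiceName')}")
    if ev.get("IpAddress") == "::1" and acct not in DC_LOGON_ALLOWLIST:
        findings.append(f"local TGS request on a ___domain controller by {acct}")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(account, findings) for every event that produced at least one finding."""
    out = []
    for ev in events:
        found = check_4769(ev)
        if found:
            out.append((account_name(ev["TargetUserName"]), found))
    return out


SAMPLE_EVENTS = [  # constructed EventData dicts; field names match the event XML above
    {"TargetUserName": "dadmin@CONTOSO.LOCAL", "ServiceName": "WIN2008R2$", "ServiceSid": SVC_SID,
     "IpAddress": "::ffff:10.0.0.12", "IpPort": "49272", "Status": "0x0"},
    {"TargetUserName": "svc-web@CONTOSO.LOCAL", "ServiceName": "WIN2008R2$", "ServiceSid": SVC_SID,
     "IpAddress": "::ffff:10.0.0.40", "IpPort": "52010", "Status": "0x0"},
    {"TargetUserName": "jdoe@CONTOSO.LOCAL", "ServiceName": "krbtgt", "IpAddress": "::1",
     "ServiceSid": "S-1-5-21-3457937927-2839227994-823803824-502", "IpPort": "0", "Status": "0x0"},
    {"TargetUserName": "jdoe@CONTOSO.LOCAL", "ServiceName": "http/legacy", "ServiceSid": "S-1-0-0",
     "IpAddress": "::ffff:10.0.0.40", "IpPort": "445", "Status": "0x1b"},
]

if __name__ == "__main__":
    for acct, items in scan(SAMPLE_EVENTS):
        print(acct, "->", "; ".join(items))
```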
# 4770(S): A Kerberos service ticket was renewed.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Kerberos Service Ticket Operations
Event Description:
This event generates for every Ticket Granting Service (TGS) ticket renewal.
This event generates only on ___domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4770</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14337</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T03:26:23.466552900Z" />
<EventRecordID>166481</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1084" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">[email protected]</Data>
<Data Name="TargetDomainName">CONTOSO.LOCAL</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-3457937927-2839227994-823803824-502</Data>
<Data Name="TicketOptions">0x2</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49964</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Network Information:
Client Address [Type = UnicodeString]: IP address of the computer from which the TGS renewal request
was received. Formats vary, and include the following:
IPv6 or IPv4 address.
::ffff:IPv4_address.
::1 - localhost.
Client Port [Type = UnicodeString]: source port number of client network connection (TGS renewal request
connection).
0 for local (localhost) requests.
Additional information:
Ticket Options: [Type = HexInt32]: this is a set of different Ticket Flags in hexadecimal format.
Example:
Ticket Options: 0x40810010
Binary view: 01000000100000010000000000010000
Using MSB 0 bit numbering we have bits 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
Note In the table below "MSB 0" bit numbering is used, because RFC documents use this style. In "MSB 0" style bit numbering begins from the left.
BIT | FLAG NAME | DESCRIPTION
0 | Reserved | -
16-25 | Unused | -
28 | Enc-tkt-in-skey | No information.
29 | Unused | -
Ticket Encryption Type: [Type = HexInt32]: the cryptographic suite that was used in renewed TGS.
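The 4769 monitoring checks listed above and the MSB 0 Ticket Options decoding of this section, as an added Python example that is not part of the original page: it parses records in the Event XML schema shown here and reports which recommendations fire. The internal address ranges, the allowlists and the three sample records are constructed assumptions, not real log data.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Address space treated as "internal": RFC 1918 private ranges plus loopback (assumption).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
DES_TYPES = {0x1, 0x3}      # Ticket Encryption Type values that mean DES was used
AES_TYPES = {0x11, 0x12}    # expected values from Windows Vista / Server 2008 on
# Bit names taken from the page's 0x40810010 walkthrough (MSB 0 numbering).
TICKET_OPTION_NAMES = {1: "Forwardable", 8: "Renewable", 15: "Canonicalize", 27: "Renewable-ok"}


def parse_event(xml_text):
    """Flatten one Event XML record into {"EventID": ..., <Data Name>: <text>, ...}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext(f"{NS}System/{NS}EventID")}
    for data in root.iter(f"{NS}Data"):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def client_ip(raw):
    """Normalise Client Address: '::ffff:10.0.0.12' -> 10.0.0.12; '::1' stays the IPv6 loopback."""
    addr = ipaddress.ip_address(raw)
    return getattr(addr, "ipv4_mapped", None) or addr


def ticket_option_bits(value):
    """Set bit positions of a 32-bit Ticket Options value in MSB 0 numbering (bit 0 is leftmost)."""
    return [i for i in range(32) if (value >> (31 - i)) & 1]


def ticket_option_names(value):
    return [TICKET_OPTION_NAMES.get(b, f"bit {b}") for b in ticket_option_bits(value)]


def evaluate_tgs_event(fields, dc_logon_allowlist=(), account_ip_allowlist=None,
                       important_failures=()):
    """Apply the 4769 recommendations to one event; return the names of the rules that fired."""
    hits = []
    account = fields.get("TargetUserName", "")
    enc = int(fields.get("TicketEncryptionType", "0x0"), 16)
    port = int(fields.get("IpPort", "0"))
    status = int(fields.get("Status", "0x0"), 16)
    ip = client_ip(fields["IpAddress"])
    if enc in DES_TYPES:
        hits.append("des-encryption-type")
    elif enc not in AES_TYPES:
        hits.append("non-aes-encryption-type")
    if 0 < port < 1024:                      # a well-known port used for the outbound connection
        hits.append("well-known-client-port")
    if not any(ip in net for net in INTERNAL_RANGES):
        hits.append("client-outside-internal-ranges")
    if ip == ipaddress.ip_address("::1") and account not in dc_logon_allowlist:
        hits.append("local-tgs-by-account-not-allowed-on-dc")
    allowed = (account_ip_allowlist or {}).get(account)   # per-account source allowlist
    if allowed is not None and not any(ip in net for net in allowed):
        hits.append("client-not-in-account-allowlist")
    if status in important_failures:
        hits.append(f"failure-code-{status:#x}")
    return hits


# Constructed 4769 records in the schema of the page's 4770 sample (not real log data).
_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4769</EventID><Computer>DC01.contoso.local</Computer></System>
<EventData><Data Name="TargetUserName">{user}</Data>
<Data Name="ServiceName">{service}</Data><Data Name="TicketOptions">0x40810000</Data>
<Data Name="TicketEncryptionType">{enc}</Data><Data Name="IpAddress">{ip}</Data>
<Data Name="IpPort">{port}</Data><Data Name="Status">0x0</Data></EventData></Event>"""

SAMPLE_EXTERNAL_DES = _TEMPLATE.format(user="svc-backup@CONTOSO.LOCAL",
                                       service="MSSQLSvc/db01.contoso.local",
                                       enc="0x3", ip="::ffff:203.0.113.7", port="445")
SAMPLE_LOCAL_ON_DC = _TEMPLATE.format(user="jsmith@CONTOSO.LOCAL", service="krbtgt",
                                      enc="0x12", ip="::1", port="0")
SAMPLE_NORMAL = _TEMPLATE.format(user="WIN81$@CONTOSO.LOCAL", service="cifs/fs01.contoso.local",
                                 enc="0x12", ip="::ffff:10.0.0.12", port="49964")


def triage(xml_text, **policy):
    """Parse one record and evaluate it; returns (account, list of rule hits)."""
    fields = parse_event(xml_text)
    return fields["TargetUserName"], evaluate_tgs_event(fields, **policy)


if __name__ == "__main__":
    policy = {"dc_logon_allowlist": ("dadmin@CONTOSO.LOCAL",)}
    for sample in (SAMPLE_EXTERNAL_DES, SAMPLE_LOCAL_ON_DC, SAMPLE_NORMAL):
        print(triage(sample, **policy))
    print(ticket_option_names(0x40810010))
```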
Applies to
Windows 10
Windows Server 2016
Currently this event doesn't generate. It is a defined event, but it is never invoked by the operating system. The 4769 failure event is generated instead.
Subcategory: Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
12/24/2019
Applies to
Windows 10
Windows Server 2016
General Subcategory Information:
This auditing subcategory does not contain any events. It is intended for future use.
Applies to
Windows 10
Windows Server 2016
Audit Application Group Management generates events for actions related to application groups, such as group creation, modification, addition or removal of group members, and some other actions.
Application groups are used by Authorization Manager.
The Audit Application Group Management subcategory is out of scope of this document, because Authorization Manager is very rarely in use and has been deprecated since Windows Server 2012.
Applies to
Windows 10
Windows Server 2016
Audit Computer Account Management determines whether the operating system generates audit events when a
computer account is created, changed, or deleted.
This policy setting is useful for tracking account-related changes to computers that are members of a ___domain.
Event volume: Low on ___domain controllers.
This subcategory allows you to audit events generated by changes to computer accounts such as when a
computer account is created, changed, or deleted.
Events List:
4741(S): A computer account was created.
4742(S): A computer account was changed.
4743(S): A computer account was deleted.
4741(S): A computer account was created.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a new computer object is created.
This event generates only on ___domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4741</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13825</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-12T18:41:39.201898100Z" />
<EventRecordID>170254</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1096" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">WIN81$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xc88b2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">WIN81$</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">8/12/2015 11:41:39 AM</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">515</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x80</Data>
<Data Name="UserAccountControl">%%2087</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1793</Data>
<Data Name="DnsHostName">Win81.contoso.local</Data>
<Data Name="ServicePrincipalNames">HOST/Win81.contoso.local RestrictedKrbHost/Win81.contoso.local HOST/WIN81 RestrictedKrbHost/WIN81</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create Computer
object” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Computer Account:
Security ID [Type = SID]: SID of the created computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the computer account that was created. For example:
WIN81$
Account Domain [Type = UnicodeString]: ___domain name of created computer account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
Attributes:
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName
attribute of new computer object. For example: WIN81$.
Display Name [Type = UnicodeString]: the value of displayName attribute of new computer object. It is a
name displayed in the address book for a particular account (typically – user account). This is usually the
combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and
typically is not set. You can change this attribute by using Active Directory Users and Computers, or through
a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. This parameter
contains the value of userPrincipalName attribute of new computer object. For computer objects, it is
optional, and typically is not set. You can change this attribute by using Active Directory Users and
Computers, or through a script, for example. This parameter might not be captured in the event, and in that
case appears as “-”.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and specifies
a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form
\\Server\Share\Directory. This parameter contains the value of homeDirectory attribute of new computer
object. For computer objects, it is optional, and typically is not set. You can change this attribute by using
Active Directory Users and Computers, or through a script, for example. This parameter might not be
captured in the event, and in that case appears as “-”.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. This parameter contains the value of homeDrive attribute of new computer object. For
computer objects, it is optional, and typically is not set. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”.
Script Path [Type = UnicodeString]: specifies the path of the account's logon script. This parameter contains
the value of scriptPath attribute of new computer object. For computer objects, it is optional, and typically is
not set. You can change this attribute by using Active Directory Users and Computers, or through a script,
for example. This parameter might not be captured in the event, and in that case appears as “-”.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of new
computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by
using Active Directory Users and Computers, or through a script, for example. This parameter might not be
captured in the event, and in that case appears as “-”.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can logon. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a computer object. This parameter contains the value of
userWorkstations attribute of new computer object. For computer objects, it is optional, and typically is not
set. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. This parameter might not be captured in the event, and in that case appears as “-”.
Password Last Set [Type = UnicodeString]: last time the account's password was modified. For a computer account created manually using the Active Directory Users and Computers snap-in, this field typically has the value "<never>". For a computer account created during the standard ___domain join procedure, this field contains the time when the computer object was created, because the password is created during the ___domain join. For example: 8/12/2015 11:41:39 AM. This parameter contains the value of pwdLastSet attribute of new computer object.
Account Expires [Type = UnicodeString]: the date when the account expires. This parameter contains the
value of accountExpires attribute of new computer object. For computer objects, it is optional, and typically
is not set. You can change this attribute by using Active Directory Users and Computers, or through a script,
for example. This parameter might not be captured in the event, and in that case appears as “-”.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of the computer object's primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a ___domain.
Typically, Primary Group field for new computer accounts has the following values:
516 (Domain Controllers) – for ___domain controllers.
521 (Read-only Domain Controllers) – for read-only ___domain controllers (RODC).
515 (Domain Computers) – for member servers and workstations.
See this article https://support.microsoft.com/kb/243330 for more information. This parameter contains the value of primaryGroupID attribute of new computer object.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in Delegation tab of computer account. Typically it is set to "-" for new computer objects. This parameter contains the value of AllowedToDelegateTo attribute of new computer object. See description of AllowedToDelegateTo field for "4742: A computer account was changed" event for more details.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. Old UAC Value is always "0x0" for new computer accounts. This parameter contains the previous value of userAccountControl attribute of computer object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. This parameter contains the value of
userAccountControl attribute of new computer object.
To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s
account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to
the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
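The decoding walk just described, as an added Python example that is not from the original page: the flag table is the six entries of the page's 0x15 walkthrough, decode_uac_bitwise is the equivalent bit test, and uac_delta is an added helper that compares the Old UAC Value and New UAC Value fields of a 4741 or 4742 event.

```python
# Flag table as the page lists it for the 0x15 walkthrough (name, value). The
# "(undeclared)" row stands for a bit that has no entry in the page's table.
EXAMPLE_TABLE = [
    ("PASSWD_NOTREQD", 0x0020),
    ("LOCKOUT", 0x0010),
    ("HOMEDIR_REQUIRED", 0x0008),
    ("(undeclared)", 0x0004),
    ("ACCOUNTDISABLE", 0x0002),
    ("SCRIPT", 0x0001),
]


def decode_uac_greedy(flags, table):
    """The page's procedure: walk the table from the largest value down; whenever the
    remaining value is >= an entry, that flag is set, subtract it and carry on.
    Returns (names of the set entries, value left over after the walk)."""
    remaining = flags
    names = []
    for name, value in sorted(table, key=lambda entry: entry[1], reverse=True):
        if remaining >= value:
            names.append(name)
            remaining -= value
    return names, remaining


def decode_uac_bitwise(flags, table):
    """Equivalent bit test. Every entry is a single bit, so `flags & value` gives the
    same answer as the subtraction walk, and bits missing from the table cannot
    throw it off (the walk needs the placeholder row for that)."""
    return [name for name, value in sorted(table, key=lambda entry: entry[1], reverse=True)
            if flags & value]


def named_flags(flags, table=EXAMPLE_TABLE):
    """Flag names only, dropping placeholder rows, as the page's summary line does."""
    return [name for name in decode_uac_bitwise(flags, table) if not name.startswith("(")]


def uac_delta(old, new):
    """Bits turned on and turned off between Old UAC Value and New UAC Value."""
    changed = old ^ new
    return {"set": changed & new, "cleared": changed & old}


if __name__ == "__main__":
    print(decode_uac_greedy(0x15, EXAMPLE_TABLE))   # (['LOCKOUT', '(undeclared)', 'SCRIPT'], 0)
    print(named_flags(0x15))                         # ['LOCKOUT', 'SCRIPT']
    # Why the page keeps the undeclared 0x4 row: drop it and the subtraction walk
    # misattributes that bit to smaller entries, while the bit test does not.
    without = [entry for entry in EXAMPLE_TABLE if entry[0] != "(undeclared)"]
    print(decode_uac_greedy(0x15, without))          # (['LOCKOUT', 'ACCOUNTDISABLE', 'SCRIPT'], 2)
    print(decode_uac_bitwise(0x15, without))         # ['LOCKOUT', 'SCRIPT']
    print(uac_delta(0x80, 0x2080))                   # {'set': 8192, 'cleared': 0}  (0x2000 added)
```

Pass a table that matches the encoding of the value you decode: the page's 4741 sample shows New UAC Value 0x80 for a freshly joined workstation, whereas 0x80 in the LDAP userAccountControl layout of Table 7 is ENCRYPTED_TEXT_PWD_ALLOWED, which the recommendations say is never set by default on computer accounts, so the Old/New UAC Value event fields use a different bit layout from the LDAP attribute.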
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. For new computer accounts, when the object for this account was
created, the userAccountControl value was considered to be “0x0”, and then it was changed from “0x0” to
the real value for the account's userAccountControl attribute. See possible values in the table below. In the
“User Account Control field text” column, you can see the text that will be displayed in the User Account
Control field in 4741 event.
FLAG NAME | VALUE | DECIMAL | DESCRIPTION | USER ACCOUNT CONTROL FIELD TEXT
USE_DES_KEY_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Can be set using "Use Kerberos DES encryption types for this account" checkbox. | 'Use DES Key Only' - Disabled; 'Use DES Key Only' - Enabled
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer's account properties, then you will see <value changed, but not displayed> in this field in "4742(S): A computer account was changed." This parameter might not be captured in the event, and in that case appears as "-".
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another ___domain. Whenever an object is moved from one ___domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new computer object. This parameter might not be captured in the event,
and in that case appears as “-”.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to logon to the ___domain. The value
of logonHours attribute of new computer object. For computer objects, it is optional, and typically is not set.
You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. You will see <value not set> value for new created computer accounts in event 4741.
DNS Host Name [Type = UnicodeString]: name of computer account as registered in DNS. The value of dNSHostName attribute of new computer object. For manually created computer account objects this field has value "-".
Service Principal Names [Type = UnicodeString]: the list of SPNs registered for the computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of servicePrincipalName attribute of new computer object. For manually created computer objects it is typically "-". This is an example of the Service Principal Names field for a newly ___domain-joined workstation:
HOST/Win81.contoso.local
RestrictedKrbHost/Win81.contoso.local
HOST/WIN81
RestrictedKrbHost/WIN81
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in the table below:
PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to ___domain | With this privilege, the user can create a computer account. This privilege is valid only on ___domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on ___domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If your information security monitoring policy requires you to monitor computer account creation, monitor
this event.
Consider whether to track the following fields and values:
FIELD AND VALUE TO TRACK | REASON TO TRACK
SAM Account Name: empty or - | This field must contain the computer account name. If it is empty or -, it might indicate an anomaly.
Display Name is not -; User Principal Name is not -; Home Directory is not -; Home Drive is not -; Script Path is not -; Profile Path is not -; User Workstations is not -; AllowedToDelegateTo is not - | Typically these fields are - for new computer accounts. Other values might indicate an anomaly and should be monitored.
Password Last Set is <never> | This typically means this is a manually created computer account, which you might need to monitor.
Account Expires is not <never> | Typically this field is <never> for new computer accounts. Other values might indicate an anomaly and should be monitored.
Primary Group ID is any value other than 515 | Typically, the Primary Group ID value is one of the following: 516 for ___domain controllers; 521 for read only ___domain controllers (RODCs); 515 for servers and workstations (___domain computers). If the Primary Group ID is 516 or 521, it is a new ___domain controller or RODC, and the event should be monitored. If the value is not 516, 521, or 515, it is not a typical value and should be monitored.
Old UAC Value is not 0x0 | Typically this field is 0x0 for new computer accounts. Other values might indicate an anomaly and should be monitored.
SID History is not - | This field will always be set to - unless the account was migrated from another ___domain.
Logon Hours value other than <value not set> | This should always be <value not set> for new computer accounts.
'Encrypted Text Password Allowed' – Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers.
'Server Trust Account' – Enabled | Should be enabled only for ___domain controllers.
'Don't Expire Password' – Enabled | Should not be enabled for new computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers.
'Smartcard Required' – Enabled | Should not be enabled for new computer accounts.
'Trusted For Delegation' – Enabled | Should not be enabled for new member servers and workstations. It is enabled by default for new ___domain controllers.
'Not Delegated' – Enabled | Should not be enabled for new computer accounts.
'Use DES Key Only' – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
'Don't Require Preauth' – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
'Trusted To Authenticate For Delegation' – Enabled | Should not be enabled for new computer accounts by default.
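The recommendations table above, as an added Python example that is not from the original page: it applies those field checks to a 4741 record in the Event XML schema shown earlier. The %%1794/%%1793 rendering map, the hyphenated form of the User Account Control lines and the suspicious sample values are constructed assumptions; BASE reuses the values of the page's own sample event.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Fields the recommendations table expects to be "-" on a new computer account.
EXPECT_DASH = ("DisplayName", "UserPrincipalName", "HomeDirectory", "HomePath", "ScriptPath",
               "ProfilePath", "UserWorkstations", "AllowedToDelegateTo", "SidHistory")
# Rendered User Account Control lines that should not be enabled on a new computer account.
UNEXPECTED_UAC = ("'Encrypted Text Password Allowed' - Enabled", "'Don't Expire Password' - Enabled",
                  "'Smartcard Required' - Enabled", "'Not Delegated' - Enabled",
                  "'Use DES Key Only' - Enabled", "'Don't Require Preauth' - Enabled",
                  "'Trusted To Authenticate For Delegation' - Enabled")
# Lines that are expected only when the new account is a ___domain controller.
DC_ONLY_UAC = ("'Server Trust Account' - Enabled", "'Trusted For Delegation' - Enabled")
DC_GROUPS = {"516", "521"}
# Message-resource placeholders as they appear in the raw XML, mapped to the rendered text the
# page describes for those fields (inferred from the page's sample event; an assumption).
RENDERED = {"%%1794": "<never>", "%%1793": "<value not set>"}


def parse_event(xml_text):
    """Flatten the EventData of one record into {Data Name: rendered value}."""
    root = ET.fromstring(xml_text)
    fields = {}
    for data in root.iter(f"{NS}Data"):
        text = (data.text or "").strip()
        fields[data.get("Name")] = RENDERED.get(text, text)
    return fields


def check_new_computer_account(fields, uac_lines=()):
    """Return the table's reasons-to-track that apply to one 4741 event.
    uac_lines are the rendered User Account Control lines of the event."""
    findings = []
    if fields.get("SamAccountName", "") in ("", "-"):
        findings.append("SAM Account Name is empty")
    for name in EXPECT_DASH:
        if fields.get(name, "-") != "-":
            findings.append(f"{name} is set ({fields[name]})")
    if fields.get("PasswordLastSet") == "<never>":
        findings.append("manually created account (Password Last Set is <never>)")
    if fields.get("AccountExpires") != "<never>":
        findings.append(f"Account Expires is {fields.get('AccountExpires')}")
    group = fields.get("PrimaryGroupId")
    if group in DC_GROUPS:
        findings.append(f"new ___domain controller or RODC (primary group {group})")
    elif group != "515":
        findings.append(f"atypical primary group {group}")
    if fields.get("OldUacValue") != "0x0":
        findings.append(f"Old UAC Value is {fields.get('OldUacValue')}")
    if fields.get("LogonHours") != "<value not set>":
        findings.append(f"Logon Hours is {fields.get('LogonHours')}")
    lines = {line.replace("\u2013", "-") for line in uac_lines}   # en dash vs. hyphen in renderings
    findings += [f"{line} on a new computer account" for line in UNEXPECTED_UAC if line in lines]
    if group not in DC_GROUPS:
        findings += [f"{line} on a non-DC (primary group {group})" for line in DC_ONLY_UAC if line in lines]
    return findings


def make_event(values):
    """Build a 4741-shaped record from a {Data Name: value} map (constructed sample)."""
    body = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in values.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>4741</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


# Values of the page's sample 4741 event: a workstation created by a normal ___domain join.
BASE = {"TargetUserName": "WIN81$", "SamAccountName": "WIN81$", "DisplayName": "-",
        "UserPrincipalName": "-", "HomeDirectory": "-", "HomePath": "-", "ScriptPath": "-",
        "ProfilePath": "-", "UserWorkstations": "-", "PasswordLastSet": "8/12/2015 11:41:39 AM",
        "AccountExpires": "%%1794", "PrimaryGroupId": "515", "AllowedToDelegateTo": "-",
        "OldUacValue": "0x0", "NewUacValue": "0x80", "SidHistory": "-", "LogonHours": "%%1793"}
# Constructed: manually created account with a display name and delegation turned on.
SUSPICIOUS = dict(BASE, DisplayName="Backup Srv", PasswordLastSet="<never>")

if __name__ == "__main__":
    print(check_new_computer_account(parse_event(make_event(BASE))))          # []
    print(check_new_computer_account(parse_event(make_event(SUSPICIOUS)),
                                     ["'Trusted For Delegation' \u2013 Enabled"]))
```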
4742(S): A computer account was changed.
8/10/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a computer object is changed.
This event generates only on ___domain controllers.
You might see the same values for Subject\Security ID and Computer Account That Was Changed\Security ID in this event. This usually happens when you reboot a computer after adding it to the ___domain (the change takes effect after the reboot).
For each change, a separate 4742 event will be generated.
Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in Managed By tab in computer account properties.
You might see this event without any changes inside, that is, where all Changed Attributes appear as "-". This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the discretionary access control list (DACL) is changed, a 4742 event will generate, but all attributes will be "-".
Important: If you manually change any user-related setting or attribute, for example if you set the
SMARTCARD_REQUIRED flag in userAccountControl for the computer account, then the sAMAccountType
of the computer account will be changed to NORMAL_USER_ACCOUNT and you will get “4738: A user account
was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user
account. For NORMAL_USER_ACCOUNT you will always get events from Audit User Account Management
subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer
objects.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4742</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13825</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T02:35:01.252397000Z" />
<EventRecordID>171754</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ComputerAccountChange">-</Data>
<Data Name="TargetUserName">WIN81$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6116</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x2e80c</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">%%1793</Data>
<Data Name="OldUacValue">0x80</Data>
<Data Name="NewUacValue">0x2080</Data>
<Data Name="UserAccountControl">%%2093</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
<Data Name="DnsHostName">-</Data>
<Data Name="ServicePrincipalNames">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change Computer
object” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Computer Account That Was Changed:
Security ID [Type = SID]: SID of the changed computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the computer account that was changed. For
example: WIN81$
Account Domain [Type = UnicodeString]: ___domain name of changed computer account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
Changed Attributes:
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). If the value of sAMAccountName
attribute of computer object was changed, you will see the new value here. For example: WIN8$.
Display Name [Type = UnicodeString]: it is a name displayed in the address book for a particular account
(typically – user account). This is usually the combination of the user's first name, middle initial, and last
name. For computer objects, it is optional, and typically is not set. You can change this attribute by using
Active Directory Users and Computers, or through a script, for example. If the value of displayName
attribute of computer object was changed, you will see the new value here.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. If the value of
userPrincipalName attribute of computer object was changed, you will see the new value here. For
computer objects, it is optional, and typically is not set. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and
specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the
form \\Server\Share\Directory. If the value of homeDirectory attribute of computer object was changed,
you will see the new value here. For computer objects, it is optional, and typically is not set. You can change
this attribute by using Active Directory Users and Computers, or through a script, for example.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. If the value of homeDrive attribute of computer object was changed, you will see the new
value here. For computer objects, it is optional, and typically is not set. You can change this attribute by
using Active Directory Users and Computers, or through a script, for example.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. If the value of
scriptPath attribute of computer object was changed, you will see the new value here. For computer
objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users
and Computers, or through a script, for example.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. If the value of profilePath attribute of computer object was changed,
you will see the new value here. For computer objects, it is optional, and typically is not set. You can change
this attribute by using Active Directory Users and Computers, or through a script, for example.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers from which the user can log on. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object. If the value of the userWorkstations attribute of the computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. If the value of
pwdLastSet attribute of computer object was changed, you will see the new value here. For example:
8/12/2015 11:41:39 AM. This value will be changed, for example, after manual computer account reset
action or automatically every 30 days by default for computer objects.
Account Expires [Type = UnicodeString]: the date when the account expires. If the value of
accountExpires attribute of computer object was changed, you will see the new value here. For computer
objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users
and Computers, or through a script, for example.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of the computer object's primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a ___domain.
This field contains a value if the computer object's primary group was changed. You can change a computer's primary group using the Active Directory Users and Computers management console in the Member Of tab of the computer object's properties. You will see the RID of the new primary group as the field value. For example, 515 (Domain Computers) is the default primary group for workstations.
Typical Primary Group values for computer accounts:
516 (Domain Controllers) – for ___domain controllers.
521 (Read-only Domain Controllers) – read-only ___domain controllers (RODC).
515 (Domain Computers) – servers and workstations.
See this article https://support.microsoft.com/kb/243330 for more information. If the value of the primaryGroupID attribute of the computer object was changed, you will see the new value here.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present delegated credentials. Can be changed using the Active Directory Users and Computers management console in the Delegation tab of the computer account. If the SPNs list on the Delegation tab of a computer account was changed, you will see the new SPNs list in the AllowedToDelegateTo field of this event (note that you will see the new list rather than the changes). This is an example of AllowedToDelegateTo:
dcom/WIN2012
dcom/WIN2012.contoso.local
If the value of the msDS-AllowedToDelegateTo attribute of the computer object was changed, you will see the new value here.
The value can be <value not set>, for example, if delegation was disabled.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. This parameter contains the previous value of
userAccountControl attribute of computer object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user or computer account. If the value of userAccountControl attribute
of computer object was changed, you will see the new value here.
To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s
account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event and note that the flag applies and then go on
to the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
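The decoding walk-through above, as an added example (not code from the page or from Microsoft): it implements the largest-to-smallest subtraction exactly as described, beside a bitwise decode, and compares an Old UAC Value with a New UAC Value. FLAG_TABLE holds only the six entries the walk-through lists (including the undeclared 0x4); the full list is in "Table 7. User's or Computer's account UAC flags" and is not reproduced here.

```python
"""Decode the Old/New UAC Value fields of a 4742 event.

Added example, not code from the page. FLAG_TABLE is the six-entry excerpt
used in the walk-through, not the complete Table 7.
"""

# (name, bit value), largest first, exactly as the walk-through orders them.
FLAG_TABLE = (
    ("PASSWD_NOTREQD", 0x0020),
    ("LOCKOUT", 0x0010),
    ("HOMEDIR_REQUIRED", 0x0008),
    ("(undeclared)", 0x0004),
    ("ACCOUNTDISABLE", 0x0002),
    ("SCRIPT", 0x0001),
)


def decode_uac_greedy(flags, table=FLAG_TABLE):
    """The text's procedure: walk the table from largest to smallest value;
    when the remaining value is >= the flag value, the flag is set and is
    subtracted. Returns (names, remainder); remainder is 0 once every bit in
    `flags` has been matched by an entry of `table`."""
    remaining, names = flags, []
    for name, value in sorted(table, key=lambda entry: entry[1], reverse=True):
        if remaining >= value:
            names.append(name)
            remaining -= value
    return names, remaining


def decode_uac(flags, table=FLAG_TABLE):
    """Same answer via bitwise tests. Unlike the greedy walk, this never
    mis-attributes a bit the table lacks: such bits come back as residue."""
    names = [name for name, value in table if flags & value]
    covered = 0
    for _, value in table:
        covered |= value
    return names, flags & ~covered


def uac_delta(old_value, new_value):
    """Which bits the change turned on and off, from the event's Old UAC Value
    and New UAC Value strings (for example "0x80" and "0x2080")."""
    old, new = int(old_value, 16), int(new_value, 16)
    return {"enabled": new & ~old, "disabled": old & ~new}


def named_flags(flags):
    """The walk-through's final sentence: declared flag names only."""
    names, _ = decode_uac(flags)
    return " and ".join(n for n in names if n != "(undeclared)")


if __name__ == "__main__":
    print(decode_uac_greedy(0x15))      # (['LOCKOUT', '(undeclared)', 'SCRIPT'], 0)
    print(named_flags(0x15))            # LOCKOUT and SCRIPT
    # The page's event changed 0x80 to 0x2080: one bit (0x2000) was enabled.
    print(uac_delta("0x80", "0x2080"))  # {'enabled': 8192, 'disabled': 0}
    # With bits outside the six-entry table the greedy walk goes wrong (it
    # "matches" every entry and leaves 8257 over); the bitwise decode instead
    # reports the whole value as residue.
    print(decode_uac_greedy(0x2080))    # ([all six names], 8257)
    print(decode_uac(0x2080))           # ([], 8320)
```

The greedy walk is only correct when the table covers every bit that can appear, which is why the walk-through has to list the undeclared 0x4.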
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. See possible values in here: “Table 7. User’s or Computer’s account
UAC flags.”. In the “User Account Control field text” column, you can see text that will be displayed in the User
Account Control field in 4742 event.
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of computer’s account properties, then you will see <value
changed, but not displayed> in this field.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another ___domain. Whenever an object is moved from one ___domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of sIDHistory
attribute of computer object was changed, you will see the new value here.
Logon Hours [Type = UnicodeString]: hours during which the account is allowed to log on to the ___domain. If the value of the logonHours attribute of the computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
DNS Host Name [Type = UnicodeString]: name of computer account as registered in DNS. If the value of
dNSHostName attribute of computer object was changed, you will see the new value here.
Service Principal Names [Type = UnicodeString]: the list of SPNs registered for the computer account. If the SPN list of a computer account changed, you will see the new SPN list in the Service Principal Names field (note that you will see the new list rather than the changes). If the value of the servicePrincipalName attribute of the computer object was changed, you will see the new value here.
Here is an example of the Service Principal Names field for a newly ___domain-joined workstation in event 4742 on a ___domain controller, after the workstation reboots:
HOST/Win81.contoso.local
RestrictedKrbHost/Win81.contoso.local
HOST/WIN81
RestrictedKrbHost/WIN81
TERMSRV/Win81.contoso.local
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Security Monitoring Recommendations
For 4742(S): A computer account was changed.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical ___domain computer accounts (database servers, ___domain controllers, administration
workstations, and so on) for which you need to monitor each change, monitor this event with the
“Computer Account That Was Changed\Security ID” that corresponds to the high-value account or
accounts.
If you have computer accounts for which any change in the services list on the Delegation tab should be
monitored, monitor this event when AllowedToDelegateTo is not -. This value means the services list was
changed.
Consider whether to track the following fields and values (each field to track is followed by the information about it):
Display Name, User Principal Name, Home Directory, Home Drive, Script Path, Profile Path, User Workstations, Account Expires, or Logon Hours is not -
    Typically these fields are - for computer accounts. Other values might indicate an anomaly and should be monitored.
Password Last Set changes occur more often than usual
    Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack.
Primary Group ID is not 516, 521, or 515
    Typically, the Primary Group ID value is one of the following: 516 for ___domain controllers; 521 for read-only ___domain controllers (RODCs); 515 for servers and workstations (___domain computers). Other values should be monitored.
For computer accounts for which the services list (on the Delegation tab) should not be empty: AllowedToDelegateTo is marked <value not set>
    If AllowedToDelegateTo is marked <value not set> on computers that previously had a services list (on the Delegation tab), it means the list was cleared.
SID History is not -
    This field will always be set to - unless the account was migrated from another ___domain.
Consider whether to track the following User Account Control flags (each flag to track is followed by the information about it):
'Password Not Required' – Enabled
    Should not be set for computer accounts. Computer accounts typically require a password by default, except manually created computer objects.
'Encrypted Text Password Allowed' – Enabled
    Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers.
'Server Trust Account' – Enabled
    Should be enabled only for ___domain controllers.
'Server Trust Account' – Disabled
    Should not be disabled for ___domain controllers.
'Don't Expire Password' – Enabled
    Should not be enabled for computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers.
'Trusted For Delegation' – Enabled
    Means that Kerberos constrained or unconstrained delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Trusted For Delegation' – Disabled
    Means that Kerberos constrained or unconstrained delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
'Trusted To Authenticate For Delegation' – Enabled
    Means that Protocol Transition delegation was enabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Trusted To Authenticate For Delegation' – Disabled
    Means that Protocol Transition delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
'Not Delegated' – Enabled
    Means that "Account is sensitive and cannot be delegated" was selected for the computer account. For computer accounts, this flag cannot be set using the graphical interface. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Use DES Key Only' – Enabled
    Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
'Don't Require Preauth' – Enabled
    Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers.
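The monitoring recommendations for 4742 as detection logic, added here as an example (not Microsoft's code): it parses a Security event record and applies the high-value SID, "normally -" field, Primary Group ID, AllowedToDelegateTo and User Account Control rules listed above. The sample events are constructed; one is modelled on the page's WIN81$ event with rendered text standing in for the raw %%NNNN message placeholders, the other is a fictitious anomalous change.

```python
"""Apply the 4742 monitoring recommendations to Security event XML.

Added example, not Microsoft's code. The sample events below are constructed.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NORMALLY_EMPTY = ("DisplayName", "UserPrincipalName", "HomeDirectory", "HomePath",
                  "ScriptPath", "ProfilePath", "UserWorkstations", "AccountExpires",
                  "LogonHours", "SidHistory")
EXPECTED_PRIMARY_GROUPS = {"515", "516", "521"}
# Rendered User Account Control lines that should never appear for a computer account.
UAC_UNEXPECTED = {"'Password Not Required' - Enabled",
                  "'Encrypted Text Password Allowed' - Enabled",
                  "'Don't Expire Password' - Enabled",
                  "'Use DES Key Only' - Enabled",
                  "'Don't Require Preauth' - Enabled"}
# Lines that are legitimate only when an administrator intended the change.
UAC_REVIEW = {"'Server Trust Account' - Enabled", "'Server Trust Account' - Disabled",
              "'Trusted For Delegation' - Enabled", "'Trusted For Delegation' - Disabled",
              "'Trusted To Authenticate For Delegation' - Enabled",
              "'Trusted To Authenticate For Delegation' - Disabled",
              "'Not Delegated' - Enabled"}


def _norm(text):
    """The rendered field uses an en dash; compare on a plain hyphen."""
    return text.replace("\u2013", "-").strip()


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Security event record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def analyze_4742(xml_text, high_value_sids=frozenset()):
    """Return the findings for one 4742 event (empty list: nothing to review)."""
    event_id, d = parse_event(xml_text)
    if event_id != "4742":
        return []
    findings = []
    target, actor = d.get("TargetUserName", "?"), d.get("SubjectUserName", "?")
    if d.get("TargetSid") in high_value_sids:
        findings.append(f"high-value computer account {target} changed by {actor}")
    for name in NORMALLY_EMPTY:
        value = d.get(name, "-")
        # "%%NNNN" is an unresolved message-table reference in raw XML, not a value.
        if value != "-" and not value.startswith("%%"):
            findings.append(f"{name} is {value!r}; normally - for computer accounts")
    pgid = d.get("PrimaryGroupId", "-")
    if pgid != "-" and pgid not in EXPECTED_PRIMARY_GROUPS:
        findings.append(f"Primary Group ID is {pgid}; expected 515, 516 or 521")
    delegate = d.get("AllowedToDelegateTo", "-")
    if delegate == "<value not set>":
        findings.append("AllowedToDelegateTo cleared: Delegation tab services list emptied")
    elif delegate != "-" and not delegate.startswith("%%"):
        findings.append(f"AllowedToDelegateTo services list changed: {delegate.split()}")
    for line in d.get("UserAccountControl", "-").splitlines():
        line = _norm(line)
        if line in UAC_UNEXPECTED:
            findings.append(f"UAC flag never expected on a computer account: {line}")
        elif line in UAC_REVIEW:
            findings.append(f"UAC trust/delegation change to review: {line}")
    return findings


def make_event(fields, event_id="4742"):
    """Build a minimal Security event record (constructed) from a field dict."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>DC01.contoso.local</Computer></System>"
            f"<EventData>{data}</EventData></Event>")


WIN81_SID = "S-1-5-21-3457937927-2839227994-823803824-6116"  # from the page's event
_BASE = {name: "-" for name in NORMALLY_EMPTY + ("PrimaryGroupId", "AllowedToDelegateTo")}
# Modelled on the page's example (WIN81$ changed by dadmin, 0x80 -> 0x2080), with
# constructed rendered text in place of the raw %%NNNN placeholders.
SAMPLE_PAGE = make_event({**_BASE, "TargetUserName": "WIN81$", "TargetSid": WIN81_SID,
                          "SubjectUserName": "dadmin", "OldUacValue": "0x80",
                          "NewUacValue": "0x2080",
                          "UserAccountControl": "'Trusted For Delegation' \u2013 Enabled"})
# Constructed anomalous change to a fictitious server account.
SAMPLE_ANOMALY = make_event({**_BASE, "TargetUserName": "SQL01$", "SubjectUserName": "dadmin",
                             "TargetSid": "S-1-5-21-3457937927-2839227994-823803824-7001",
                             "DisplayName": "Temp", "PrimaryGroupId": "512",
                             "AllowedToDelegateTo": "<value not set>",
                             "UserAccountControl": "'Password Not Required' \u2013 Enabled\n"
                                                   "\t\t'Trusted For Delegation' \u2013 Disabled"})

if __name__ == "__main__":
    for finding in analyze_4742(SAMPLE_PAGE, {WIN81_SID}) + analyze_4742(SAMPLE_ANOMALY):
        print(finding)
```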
4743(S): A computer account was deleted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Computer Account Management
Event Description:
This event generates every time a computer object is deleted.
This event generates only on ___domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4743</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13825</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T15:57:08.104214100Z" />
<EventRecordID>172103</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">COMPUTERACCOUNT$</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6118</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete Computer
object” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Computer:
Security ID [Type = SID]: SID of the deleted computer account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the computer account that was deleted. For example:
WIN81$
Account Domain [Type = UnicodeString]: ___domain name of deleted computer account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical ___domain computer accounts (database servers, ___domain controllers, administration workstations, and so on) for which you need to monitor each action (especially deletion), monitor this event with the “Target Computer\Security ID” or “Target Computer\Account Name” that corresponds to the high-value account or accounts.
Audit Distribution Group Management
12/23/2019
Applies to
Windows 10
Windows Server 2016
Audit Distribution Group Management determines whether the operating system generates audit events for
specific distribution-group management tasks.
This subcategory generates events only on ___domain controllers.
Event volume: Low on ___domain controllers.
This subcategory allows you to audit events generated by changes to distribution groups such as the following:
Distribution group is created, changed, or deleted.
Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “4764: A group’s type was changed.”
“Audit Security Group Management” subcategory success auditing must be enabled.
Computer Type: Domain Controller
General Success: IF
General Failure: No
Stronger Success: IF
Stronger Failure: No
Comments: IF - Typically, actions related to distribution groups have low security relevance. It is much more important to monitor Security Group changes. However, if you want to monitor for critical distribution group changes, such as a member being added to an internal critical distribution group (executives or an administrative group, for example), you need to enable this subcategory for Success auditing. Typically, the volume of these events is low on ___domain controllers. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Events List:
4749(S): A security-disabled global group was created.
4750(S): A security-disabled global group was changed.
4751(S): A member was added to a security-disabled global group.
4752(S): A member was removed from a security-disabled global group.
4753(S): A security-disabled global group was deleted.
4759(S): A security-disabled universal group was created. See event 4749: A security-disabled global group
was created. Event 4759 is the same, except it is generated for a universal distribution group instead of a
global distribution group. All event fields, XML, and recommendations are the same. The type of group is
the only difference.
4760(S): A security-disabled universal group was changed. See event 4750: A security-disabled global
group was changed. Event 4760 is the same, except it is generated for a universal distribution group
instead of a global distribution group. All event fields, XML, and recommendations are the same. The type
of group is the only difference.
4761(S): A member was added to a security-disabled universal group. See event 4751: A member was
added to a security-disabled global group. Event 4761 is the same, except it is generated for a universal
distribution group instead of a global distribution group. All event fields, XML, and recommendations are
the same. The type of group is the only difference.
4762(S): A member was removed from a security-disabled universal group. See event 4752: A member
was removed from a security-disabled global group. Event 4762 is the same, except it is generated for a
universal distribution group instead of a global distribution group. All event fields, XML, and
recommendations are the same. The type of group is the only difference.
4763(S): A security-disabled universal group was deleted. See event 4753: A security-disabled global group
was deleted. Event 4763 is the same, except it is generated for a universal distribution group instead of a
global distribution group. All event fields, XML, and recommendations are the same. The type of group is
the only difference.
4744(S): A security-disabled local group was created. See event 4749: A security-disabled global group was
created. Event 4744 is the same, except it is generated for a local distribution group instead of a global
distribution group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
4745(S): A security-disabled local group was changed. See event 4750: A security-disabled global group
was changed. Event 4745 is the same, except it is generated for a local distribution group instead of a
global distribution group. All event fields, XML, and recommendations are the same. The type of group is
the only difference.
4746(S): A member was added to a security-disabled local group. See event 4751: A member was added to
a security-disabled global group. Event 4746 is the same, except it is generated for a local distribution
group instead of a global distribution group. All event fields, XML, and recommendations are the same.
The type of group is the only difference.
4747(S): A member was removed from a security-disabled local group. See event 4752: A member was
removed from a security-disabled global group. Event 4747 is the same, except it is generated for a local
distribution group instead of a global distribution group. All event fields, XML, and recommendations are
the same. The type of group is the only difference.
4748(S): A security-disabled local group was deleted. See event 4753: A security-disabled global group was
deleted. Event 4748 is the same, except it is generated for a local distribution group instead of a global
distribution group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
4749(S): A security-disabled global group was created.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a new security-disabled (distribution) global group was created.
This event generates only on ___domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4749</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T16:16:35.568878700Z" />
<EventRecordID>172181</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ServiceDesk</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">ServiceDesk</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create group”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the created group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was created. For example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain name of created group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
Attributes:
SAM Account Name [Type = UnicodeString]: the name of the new group, used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). This is the value of the sAMAccountName attribute of the new group object. For example: ServiceDesk
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another ___domain. Whenever an object is moved from one ___domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new group object. This parameter might not be captured in the event, and
in that case appears as “-”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor each time a new distribution group is created, to see who created the group and
when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4750(S): A security-disabled global group was changed.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a security-disabled (distribution) global group is changed.
This event generates only on ___domain controllers.
Some changes do not invoke a 4750 event, for example, changes made using the Active Directory Users and Computers management console in the Managed By tab of the group account properties.
If you change the name of the group (SAM Account Name), you also get “4781: The name of an account was changed” if “Audit User Account Management” subcategory success auditing is enabled.
If you change the group type, you get a change event from the new group type auditing subcategory instead of
4750. If you need to monitor for group type changes, it is better to monitor for “4764: A group’s type was
changed.” These events are generated for any group type when group type is changed. “Audit Security Group
Management” subcategory success auditing must be enabled.
From 4750 event you can get information about changes of sAMAccountName and sIDHistory attributes or
you will see that something changed, but will not be able to see what exactly changed.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4750</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-14T16:38:37.902710700Z" />
<EventRecordID>172188</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ServiceDeskMain</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">ServiceDeskMain</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change group”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the changed group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Note Sometimes you can see that the Group\Security ID field contains an old group name in Event Viewer (as
you can see in the event example). That happens because Event Viewer caches names for SIDs that it has
already resolved for the current session.
Note The Security ID field has the same value as the new group name (Changed Attributes\SAM Account
Name). That happens because the event is generated after the name was changed, so the SID resolves to the new
name. It is always better to use the SID instead of group names for queries or filtering of events, because then you
know for sure that this is the right object you are looking for or want to monitor.
Group Name [Type = UnicodeString]: the name of the group that was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain name of changed group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Changed Attributes:
SAM Account Name [Type = UnicodeString]: the new name of the changed group, used to support
clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of the
sAMAccountName attribute of the group object was changed, you will see the new value here. For example:
ServiceDesk.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another ___domain. Whenever an object is moved from one ___domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of the sIDHistory
attribute of the group object was changed, you will see the new value here.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical distribution groups in the organization, and need to specifically monitor these
groups for any change, monitor events with the “Group\Group Name” values that correspond to the
critical distribution groups.
If you need to monitor each time a member is added to a distribution group, to see who added the member
and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if
needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
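As an added example (not part of the Microsoft documentation), the Python below parses the 4750 Event XML shown above and applies this section's recommendations to it: it keys critical groups on Group\Security ID (TargetSid) rather than on the cached display name, checks the new SAM Account Name against a naming convention, and reports when neither sAMAccountName nor sIDHistory is populated, in which case the event only says that something changed. The critical-group SID list and the DL-Team-Purpose naming pattern are constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The 4750 Event XML shown above, trimmed to the elements this example reads.
EVENT_4750 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4750</EventID>
    <TimeCreated SystemTime="2015-08-14T16:38:37.902710700Z" />
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">ServiceDeskMain</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3007b</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">ServiceDeskMain</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>"""

# Constructed assumptions for this example: the SIDs of the distribution groups treated as
# critical, and the naming convention that new group names must follow.
CRITICAL_GROUP_SIDS = {
    "S-1-5-21-3457937927-2839227994-823803824-6119": "ServiceDesk",
}
NAMING_CONVENTION = re.compile(r"^DL-[A-Za-z]+-[A-Za-z0-9]+$")  # e.g. DL-Finance-Reports


def parse_event(xml_text):
    """Flatten one Security event into a dict: every EventData field by Name,
    plus EventID, TimeCreated and Computer from the System section."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.iterfind("e:EventData/e:Data", namespaces=NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    time_el = root.find("e:System/e:TimeCreated", namespaces=NS)
    fields["TimeCreated"] = time_el.get("SystemTime") if time_el is not None else ""
    return fields


def review_4750(ev):
    """Apply the section's monitoring recommendations to one parsed 4750 event.
    Returns a list of findings; an empty list means nothing needs review."""
    findings = []
    if ev.get("EventID") != 4750:
        return findings
    subject = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']} ({ev['SubjectUserSid']})"
    # Match critical groups on TargetSid, not on the displayed name: Event Viewer may show a
    # cached old name, and the name itself may be the attribute that changed.
    gsid = ev.get("TargetSid", "")
    if gsid in CRITICAL_GROUP_SIDS:
        findings.append(f"critical group {CRITICAL_GROUP_SIDS[gsid]} ({gsid}) changed by "
                        f"{subject} on {ev['Computer']}")
    new_name = ev.get("SamAccountName", "-")
    sid_history = ev.get("SidHistory", "-")
    if new_name != "-" and not NAMING_CONVENTION.match(new_name):
        findings.append(f"SAM Account Name {new_name!r} does not comply with the naming convention")
    if sid_history != "-":
        findings.append(f"sIDHistory changed to {sid_history}")
    if new_name == "-" and sid_history == "-":
        # The event records that something changed, but not which attribute.
        findings.append(f"unspecified attribute change by {subject}; review the group object directly")
    return findings


if __name__ == "__main__":
    for finding in review_4750(parse_event(EVENT_4750)):
        print(f"[4750] {finding}")
```

Correlating on SubjectLogonId with the matching 4624 logon event, as the Logon ID field description suggests, tells you from where and how the subject's session was established.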
4751(S): A member was added to a security-disabled global group.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a new member is added to a security-disabled (distribution) global group.
This event generates only on ___domain controllers.
For every added member you will get a separate 4751 event.
You will typically see a “4750: A security-disabled global group was changed.” event without any changes in it prior to the 4751 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4751</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-15T00:01:10.821144700Z" />
<EventRecordID>172221</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="TargetUserName">ServiceDeskSecond</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add member to the
group” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that
might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of the account that was added to the group. Event Viewer automatically tries to
resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the
event.
Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For
example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some well-known security principals, such
as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDNs) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group to which new member was added. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data
in the event.
Group Name [Type = UnicodeString]: the name of the group to which new member was added. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain name of the group to which new member was added.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.
Security Monitoring Recommendations
For 4751(S): A member was added to a security-disabled global group.
Addition of members to distribution groups: You might need to monitor the addition of members to distribution groups.
Recommendation: If you need to monitor each time a member is added to a distribution group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
High-value distribution groups: You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes).
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value distribution groups.
High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or ___domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another ___domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
4752(S): A member was removed from a security-disabled global group.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a member is removed from a security-disabled (distribution) global group.
This event generates only on ___domain controllers.
For every removed member you will get a separate 4752 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4752</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-15T00:20:57.315863900Z" />
<EventRecordID>172229</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1108" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="TargetUserName">ServiceDeskSecond</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “remove member
from the group” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of the account that was removed from the group. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data
in the event.
Account Name [Type = UnicodeString]: distinguished name of account that was removed from the group.
For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some well-known security principals,
such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDNs) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group from which the member was removed. Event Viewer
automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the
source data in the event.
Group Name [Type = UnicodeString]: the name of the group from which the member was removed. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain name of the group from which the member was removed.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.
Security Monitoring Recommendations
For 4752(S): A member was removed from a security-disabled global group.
Removal of members from distribution groups: You might need to monitor the removal of members from distribution groups.
Recommendation: If you need to monitor each time a member is removed from a distribution group, to see who removed the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
High-value distribution groups: You might have a list of critical distribution groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes).
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value distribution groups.
Distribution groups with required members: You might need to ensure that for certain distribution groups, particular members are never removed.
Recommendation: Monitor this event with the “Group\Group Name” that corresponds to the group of interest, and the “Member\Security ID” of the members who should not be removed.
High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or ___domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another ___domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
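The membership recommendations for 4751 and 4752 in the two sections above, applied in an added Python example that is not part of the Microsoft documentation. It works on the flattened EventData fields a SIEM typically delivers (constructed here from the page's two examples), splits the Member\Account Name distinguished name into its RDNs as the LDAP note describes, and checks high-value groups, required members that must never be removed, a subject whitelist and working hours, all keyed on SIDs. The policy values and the working-hours window are constructed assumptions.

```python
from datetime import datetime, time, timezone

# Constructed sample records: the EventData fields of the 4751 (member added) and 4752
# (member removed) examples above, plus EventID, Computer and TimeCreated from the System
# section, in the flattened form a SIEM typically delivers.
SAMPLE_EVENTS = [
    {"EventID": 4751, "Computer": "DC01.contoso.local",
     "TimeCreated": "2015-08-15T00:01:10.821144700Z",
     "MemberName": "CN=Auditor,CN=Users,DC=contoso,DC=local",
     "MemberSid": "S-1-5-21-3457937927-2839227994-823803824-2104",
     "TargetUserName": "ServiceDeskSecond", "TargetDomainName": "CONTOSO",
     "TargetSid": "S-1-5-21-3457937927-2839227994-823803824-6119",
     "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
     "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO"},
    {"EventID": 4752, "Computer": "DC01.contoso.local",
     "TimeCreated": "2015-08-15T00:20:57.315863900Z",
     "MemberName": "CN=Auditor,CN=Users,DC=contoso,DC=local",
     "MemberSid": "S-1-5-21-3457937927-2839227994-823803824-2104",
     "TargetUserName": "ServiceDeskSecond", "TargetDomainName": "CONTOSO",
     "TargetSid": "S-1-5-21-3457937927-2839227994-823803824-6119",
     "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
     "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO"},
]

# Constructed policy, keyed by SID as the recommendations advise.
POLICY = {
    "high_value_groups": {"S-1-5-21-3457937927-2839227994-823803824-6119": "ServiceDesk"},
    # group SID -> member SIDs that must never be removed (checked on 4752 only)
    "required_members": {
        "S-1-5-21-3457937927-2839227994-823803824-6119":
            {"S-1-5-21-3457937927-2839227994-823803824-2104"},
    },
    # whitelist of subjects allowed to manage distribution groups
    "allowed_subjects": {"S-1-5-21-3457937927-2839227994-823803824-1104"},
    "working_hours": (time(8, 0), time(18, 0)),  # UTC; constructed
}

ACTION = {4751: "added to", 4752: "removed from"}


def parse_dn(dn):
    """Split an LDAP distinguished name into (attribute, value) RDNs, honouring
    backslash-escaped commas inside values (e.g. CN=Smith\\, John)."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    return [tuple(part.split("=", 1)) for part in rdns if "=" in part]


def event_time(ev):
    """SystemTime carries seven fractional digits, which strptime cannot parse; keep whole seconds."""
    return datetime.strptime(ev["TimeCreated"][:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def review_membership(ev, policy=POLICY):
    """Apply the 4751/4752 recommendations to one event; returns a list of findings."""
    findings = []
    if ev.get("EventID") not in ACTION:
        return findings
    gsid, msid, ssid = ev["TargetSid"], ev["MemberSid"], ev["SubjectUserSid"]
    # Member\Account Name is a DN; take the leading CN for readable output.
    member_cn = next((v for a, v in parse_dn(ev["MemberName"]) if a.upper() == "CN"), ev["MemberName"])
    what = f"{member_cn} ({msid}) {ACTION[ev['EventID']]} {ev['TargetDomainName']}\\{ev['TargetUserName']}"
    if gsid in policy["high_value_groups"]:
        findings.append(f"high-value group: {what}")
    if ev["EventID"] == 4752 and msid in policy["required_members"].get(gsid, set()):
        findings.append(f"required member removed: {what}")
    if ssid not in policy["allowed_subjects"]:
        findings.append(f"subject outside whitelist: {ev['SubjectDomainName']}\\{ev['SubjectUserName']} ({ssid})")
    when = event_time(ev)
    start, end = policy["working_hours"]
    if not (start <= when.time() < end):
        findings.append(f"outside working hours: {when:%H:%M} UTC by {ev['SubjectUserName']}")
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in review_membership(ev):
            print(f"[{ev['EventID']}] {finding}")
```

Both sample events fall just after midnight UTC, so each also trips the working-hours check; in practice the window would be expressed in the ___domain's local time zone.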
4753(S): A security-disabled global group was deleted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Distribution Group Management
Event Description:
This event generates every time a security-disabled (distribution) global group is deleted.
This event generates only on ___domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4753</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13827</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-15T00:59:33.621155200Z" />
<EventRecordID>172230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1504" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ServiceDeskSecond</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6119</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3007b</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete group”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the deleted group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was deleted. For example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain name of deleted group. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See the full list of user privileges in “Table 8. User Privileges”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical distribution groups in the organization, and need to specifically monitor these
groups for any change, especially group deletion, monitor events with the “Group\Group Name” values
that correspond to the critical distribution groups.
If you need to monitor each time a distribution group is deleted, to see who deleted it and when, monitor
this event. Typically, this event is used as an informational event, to be reviewed if needed.
Audit Other Account Management Events
1/3/2020
Applies to
Windows 10
Windows Server 2016
Audit Other Account Management Events determines whether the operating system generates user account
management audit events.
Event volume: Typically Low on all types of computers.
This subcategory allows you to audit the following events:
The password hash of a user account was accessed. This happens during an Active Directory Management
Tool password migration.
The Password Policy Checking API was called. Password Policy Checking API allows an application to check
password compliance against an application-provided account database or single account and verify that
passwords meet the complexity, aging, minimum length, and history reuse requirements of a password
policy.
Audit setting recommendations by computer type (table columns: Computer Type, General Success, General Failure, Stronger Success, Stronger Failure, Comments).
Events List:
4782(S): The password hash of an account was accessed.
4793(S): The Password Policy Checking API was called.
4782(S): The password hash of an account was accessed.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Account Management Events
Event Description:
This event generates on ___domain controllers during password migration of an account using the Active Directory Migration Toolkit.
Typically “Subject\Security ID” is the SYSTEM account.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4782</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13829</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T21:23:46.435367800Z" />
<EventRecordID>174829</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1232" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Andrei</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the hash migration operation.
Account Domain [Type = UnicodeString]: subject’s ___domain name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For ANONYMOUS LOGON you will see NT AUTHORITY value for this field.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Account Name [Type = UnicodeString]: the name of the account for which the password hash was
migrated. For example: ServiceDesk
User account example: Andrei
Computer account example: DC01$
Account Domain [Type = UnicodeString]: ___domain name of the account for which the password hash was
migrated. Formats vary, and include the following:
Domain NETBIOS name example: FABRIKAM
Lowercase full ___domain name: fabrikam.local
Uppercase full ___domain name: FABRIKAM.LOCAL
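As an added example, not part of the Microsoft documentation: the 4782 description says the subject is typically SYSTEM and that the event arises during an Active Directory Migration Toolkit password migration, so a defender can flag 4782 events whose subject is not S-1-5-18, that fall outside an approved migration window, or whose target is an account that should never be migrated. The sample records, the migration window and the protected-account list are constructed assumptions; the first record mirrors the event example above.

```python
from datetime import datetime, timezone

SYSTEM_SID = "S-1-5-18"  # well-known SID of the LocalSystem account

# Constructed sample records in the flattened form a SIEM delivers. The first mirrors the
# 4782 example above; the second is constructed to show what an anomalous event looks like.
SAMPLE_4782 = [
    {"EventID": 4782, "Computer": "DC01.contoso.local",
     "TimeCreated": "2015-08-18T21:23:46.435367800Z",
     "TargetUserName": "Andrei", "TargetDomainName": "CONTOSO",
     "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$",
     "SubjectDomainName": "CONTOSO", "SubjectLogonId": "0x3e7"},
    {"EventID": 4782, "Computer": "DC01.contoso.local",
     "TimeCreated": "2015-08-19T03:05:12.000000000Z",
     "TargetUserName": "dadmin", "TargetDomainName": "CONTOSO",
     "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
     "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
     "SubjectLogonId": "0x3007b"},
]

# Constructed policy: the change window in which the migration was approved, and accounts
# whose password hashes should never be migrated at all.
POLICY = {
    "migration_window": (datetime(2015, 8, 18, 20, 0, tzinfo=timezone.utc),
                         datetime(2015, 8, 18, 23, 0, tzinfo=timezone.utc)),
    "never_migrate": {"dadmin", "Administrator"},
}


def event_time(ev):
    """Parse SystemTime to whole seconds (strptime cannot take seven fractional digits)."""
    return datetime.strptime(ev["TimeCreated"][:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def review_4782(ev, policy=POLICY):
    """Return findings for one 4782 event: empty when the access matches the expected
    pattern (SYSTEM subject, inside the approved window, ordinary target account)."""
    findings = []
    if ev.get("EventID") != 4782:
        return findings
    target = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
    if ev["SubjectUserSid"] != SYSTEM_SID:
        findings.append(f"hash of {target} accessed by non-SYSTEM subject "
                        f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']} ({ev['SubjectUserSid']})")
    when = event_time(ev)
    start, end = policy["migration_window"]
    if not (start <= when <= end):
        findings.append(f"hash of {target} accessed at {when:%Y-%m-%d %H:%M} UTC, "
                        "outside the approved migration window")
    if ev["TargetUserName"] in policy["never_migrate"]:
        findings.append(f"hash of protected account {target} accessed on {ev['Computer']}")
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_4782:
        for finding in review_4782(ev):
            print(f"[4782] {finding}")
```

Because the subject is normally SYSTEM, SubjectUserSid alone cannot tell an approved migration from an unexpected one; the time window and the target account list carry that distinction.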
4793(S): The Password Policy Checking API was called.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Account Management Events
Event Description:
This event generates each time the Password Policy Checking API is called.
The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
This event, for example, generates during the Directory Services Restore Mode (DSRM) account password reset procedure to check the new DSRM password.
This event generates on the computer where the Password Policy Checking API was called.
Note that starting with Microsoft SQL Server 2005, the “SQL Server password policy” feature can generate many
4793 events on a SQL Server.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4793</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13829</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:37:46.322424300Z" />
<EventRecordID>172342</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested Password Policy Checking
API operation.
Account Domain [Type = UnicodeString]: subject’s ___domain name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Additional Information:
Caller Workstation [Type = UnicodeString]: name of the computer from which the Password Policy
Checking API was called. Typically, this is the same computer where this event was generated, for example,
DC01. Computer name here does not contain $ symbol at the end. It also can be an IP address or the DNS
name of the computer.
Provided Account Name (unauthenticated) [Type = UnicodeString]: the name of the account whose
password was provided for validation. This parameter might not be captured in the event, and in that case
appears as “-”.
Status Code [Type = HexInt32]: typically has the value “0x0”. The status code is “0x0” whether or not the
password meets the ___domain password policy.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when Password Policy Checking
APIs were invoked, and who invoked them. The Provided Account Name does not always have a value—
sometimes it’s not really possible to determine for which account the password policy check was performed.
Audit Security Group Management
12/20/2019
Applies to
Windows 10
Windows Server 2016
Audit Security Group Management determines whether the operating system generates audit events when
specific security group management tasks are performed.
Event volume: Low.
This subcategory allows you to audit events generated by changes to security groups such as the following:
Security group is created, changed, or deleted.
Member is added or removed from a security group.
Group type is changed.
Table columns: Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
IMPORTANT
Event 4727(S) generates only for ___domain groups, so the Local sections in event 4731 do not apply.
4737(S): A security-enabled global group was changed. See event 4735: A security-enabled local group
was changed. Event 4737 is the same, but it is generated for a global security group instead of a local
security group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
IMPORTANT
Event 4737(S) generates only for ___domain groups, so the Local sections in event 4735 do not apply.
4728(S): A member was added to a security-enabled global group. See event 4732: A member was added
to a security-enabled local group. Event 4728 is the same, but it is generated for a global security group
instead of a local security group. All event fields, XML, and recommendations are the same. The type of
group is the only difference.
IMPORTANT
Event 4728(S) generates only for ___domain groups, so the Local sections in event 4732 do not apply.
4729(S): A member was removed from a security-enabled global group. See event 4733: A member was
removed from a security-enabled local group. Event 4729 is the same, but it is generated for a global
security group instead of a local security group. All event fields, XML, and recommendations are the same.
The type of group is the only difference.
IMPORTANT
Event 4729(S) generates only for ___domain groups, so the Local sections in event 4733 do not apply.
4730(S): A security-enabled global group was deleted. See event 4734: A security-enabled local group was
deleted. Event 4730 is the same, but it is generated for a global security group instead of a local security
group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
IMPORTANT
Event 4730(S) generates only for ___domain groups, so the Local sections in event 4734 do not apply.
4754(S): A security-enabled universal group was created. See event 4731: A security-enabled local group
was created. Event 4754 is the same, but it is generated for a universal security group instead of a local
security group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
IMPORTANT
Event 4754(S) generates only for ___domain groups, so the Local sections in event 4731 do not apply.
4755(S): A security-enabled universal group was changed. See event 4735: A security-enabled local group
was changed. Event 4737 is the same, but it is generated for a universal security group instead of a local
security group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
IMPORTANT
Event 4755(S) generates only for ___domain groups, so the Local sections in event 4735 do not apply.
4756(S): A member was added to a security-enabled universal group. See event 4732: A member was
added to a security-enabled local group. Event 4756 is the same, but it is generated for a universal
security group instead of a local security group. All event fields, XML, and recommendations are the same.
The type of group is the only difference.
IMPORTANT
Event 4756(S) generates only for ___domain groups, so the Local sections in event 4732 do not apply.
4757(S): A member was removed from a security-enabled universal group. See event 4733: A member
was removed from a security-enabled local group. Event 4757 is the same, but it is generated for a
universal security group instead of a local security group. All event fields, XML, and recommendations
are the same. The type of group is the only difference.
IMPORTANT
Event 4757(S) generates only for ___domain groups, so the Local sections in event 4733 do not apply.
4758(S): A security-enabled universal group was deleted. See event 4734: A security-enabled local group
was deleted. Event 4758 is the same, but it is generated for a universal security group instead of a local
security group. All event fields, XML, and recommendations are the same. The type of group is the only
difference.
IMPORTANT
Event 4758(S) generates only for ___domain groups, so the Local sections in event 4734 do not apply.
4731(S): A security-enabled local group was created.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a new security-enabled (security) local group is created.
This event generates on ___domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4731</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T01:01:50.646049700Z" />
<EventRecordID>174849</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">AccountOperators</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3031e</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">AccountOperators</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create group”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Group:
Security ID [Type = SID]: SID of the created group. Event Viewer automatically tries to resolve SIDs and
show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was created. For example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain or computer name of the created group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Attributes:
SAM Account Name [Type = UnicodeString]: the name of the new group used to support clients and
servers from previous versions of Windows (the pre-Windows 2000 logon name). This is the value of the
sAMAccountName attribute of the new group object. For example: ServiceDesk. For local groups it is simply
the name of the new group.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another ___domain. Whenever an object is moved from one ___domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains
the value of the sIDHistory attribute of the new group object. This parameter might not be captured in the
event, and in that case appears as “-”. For local groups it is not applicable and always has the value “-”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor each time a new security group is created, to see who created the group and when,
monitor this event.
If you need to monitor the creation of local security groups on different servers, and you use Windows
Event Forwarding to collect events in a central ___location, check “New Group\Group Domain.” It should
not be the name of the ___domain, but instead should be the computer name.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4732(S): A member was added to a security-enabled local group.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a new member is added to a security-enabled (security) local group.
This event generates on ___domain controllers, member servers, and workstations.
For every added member you will get a separate 4732 event.
You will typically see a “4735: A security-enabled local group was changed.” event without any changes in it prior to the 4732 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4732</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T03:02:38.563110400Z" />
<EventRecordID>174856</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="MemberName">CN=eadmin,CN=Users,DC=contoso,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
<Data Name="TargetUserName">AccountOperators</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3031e</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add member to the
group” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of the account that was added to the group. Event Viewer automatically tries
to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the
event.
Account Name [Type = UnicodeString]: distinguished name of the account that was added to the group. For
example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has the value “-”,
even if the new member is a ___domain account. For some well-known security principals, such as LOCAL
SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group to which the new member was added. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data
in the event.
Group Name [Type = UnicodeString]: the name of the group to which new member was added. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain or computer name of the group to which the new
member was added. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
TYPE OF MONITORING REQUIRED | RECOMMENDATION
Addition of members to local or ___domain security groups: You might need to monitor the addition of members to local or ___domain security groups.
Recommendation: If you need to monitor each time a member is added to a local or ___domain security group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
High-value local or ___domain security groups: You might have a list of critical local or ___domain security groups in the organization, and need to specifically monitor these groups for the addition of new members (or for other changes). Examples of critical local or ___domain groups are built-in local administrators group, ___domain admins, enterprise admins, and so on.
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value local or ___domain security groups.
High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or ___domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another ___domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
Mismatch between type of account (user or computer) and the group it was added to: You might want to monitor to ensure that a computer account was not added to a group intended for users, or a user account was not added to a group intended for computers.
Recommendation: Monitor the type of account added to the group to see if it matches what the group is intended for.
4733(S): A member was removed from a security-enabled local group.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a member is removed from a security-enabled (security) local group.
This event generates on ___domain controllers, member servers, and workstations.
For every removed member you will get a separate 4733 event.
You will typically see a “4735: A security-enabled local group was changed.” event without any changes in it prior to the 4733 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4733</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T16:51:00.376806500Z" />
<EventRecordID>175037</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="MemberName">CN=Auditor,CN=Users,DC=contoso,DC=local</Data>
<Data Name="MemberSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="TargetUserName">AccountOperators</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35e38</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “remove member
from the group” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Member:
Security ID [Type = SID]: SID of the account that was removed from the group. Event Viewer automatically
tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data
in the event.
Account Name [Type = UnicodeString]: distinguished name of the account that was removed from the group.
For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has the value
“-”, even if the removed member is a ___domain account. For some well-known security principals, such as
LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Group:
Security ID [Type = SID]: SID of the group from which the member was removed. Event Viewer
automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see
the source data in the event.
Group Name [Type = UnicodeString]: the name of the group from which the member was removed. For
example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain or computer name of the group from which the member
was removed. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs, for
example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
TYPE OF MONITORING REQUIRED | RECOMMENDATION
Removal of members from local or ___domain security groups: You might need to monitor the removal of members from local or ___domain security groups.
Recommendation: If you need to monitor each time a member is removed from a local or ___domain security group, to see who removed the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
High-value local or ___domain security groups: You might have a list of critical local or ___domain security groups in the organization, and need to specifically monitor these groups for the removal of members (or for other changes). Examples of critical local or ___domain groups are built-in local administrators group, ___domain admins, enterprise admins, and so on.
Recommendation: Monitor this event with the “Group\Group Name” values that correspond to the high-value local or ___domain security groups.
Local or ___domain security groups with required members: You might need to ensure that for certain local or ___domain security groups, particular members are never removed.
Recommendation: Monitor this event with the “Group\Group Name” that corresponds to the group of interest, and the “Member\Security ID” of the members who should not be removed.
High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Security ID” and “Member\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or ___domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another ___domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
4734(S): A security-enabled local group was deleted.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a security-enabled (security) local group is deleted.
This event generates on ___domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4734</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T18:23:42.426245700Z" />
<EventRecordID>175039</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1072" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">AccountOperators</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35e38</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete group”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of deleted group. Event Viewer automatically tries to resolve SIDs and
show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group that was deleted. For example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain or computer name of the deleted group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical local or ___domain security groups in the organization, and need to specifically
monitor these groups for any change, especially group deletion, monitor events with the “Group\Group
Name” values that correspond to the critical local or ___domain security groups. Examples of critical local or
___domain groups are built-in local administrators group, ___domain admins, enterprise admins, and so on.
If you need to monitor each time a local or ___domain security group is deleted, to see who deleted it and
when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
4735(S): A security-enabled local group was changed.
6/6/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a security-enabled (security) local group is changed.
This event generates on ___domain controllers, member servers, and workstations.
Some changes do not invoke a 4735 event, for example, changes made using the Active Directory Users and Computers management console in the Managed By tab of the group account properties.
If you change the name of the group (SAM Account Name), you also get “4781: The name of an account was changed” if “Audit User Account Management” subcategory success auditing is enabled.
If you change the group type, you get a change event from the new group type's auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “4764: A group’s type was changed.” These events are generated for any group type when the group type is changed. “Audit Security Group Management” subcategory success auditing must be enabled.
From a 4735 event you can get information about changes to the sAMAccountName and sIDHistory attributes; for other attributes you will see that something changed, but not what exactly changed.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4735</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-19T02:00:45.537440000Z" />
<EventRecordID>174850</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">AccountOperators_NEW</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6605</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3031e</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">AccountOperators_NEW</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change group”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of changed group. Event Viewer automatically tries to resolve SIDs and show
the group name. If the SID cannot be resolved, you will see the source data in the event.
Note Sometimes you can see that the Group\Security ID field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session.
Note The Security ID field has the same value as the new group name (Changed Attributes>SAM Account Name). That happens because the event is generated after the name was changed and the SID resolves to the new name. It is always better to use the SID instead of group names for queries or filtering of events, because then you know for sure that this is the right object you are looking for or want to monitor.
Group Name [Type = UnicodeString]: the name of the group that was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain or computer name of the changed group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Built-in groups: Builtin
Changed Attributes:
You might see a 4735 event without any changes inside, that is, where all Changed Attributes appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the discretionary access control list (DACL) is changed, a 4735 event will generate, but all attributes will be “-“.
SAM Account Name [Type = UnicodeString]: the new name of the changed group, used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of the sAMAccountName attribute of the group object was changed, you will see the new value here. For example: ServiceDesk. For local groups it is simply the new name of the group, if it was changed.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another ___domain. Whenever an object is moved from one ___domain to another, a new SID is created
and becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of
sIDHistory attribute of group object was changed, you will see the new value here. For local groups it is
not applicable and always has “-“ value.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as
“-”. See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.
If you have a list of critical local or ___domain security groups in the organization, and need to specifically
monitor these groups for any change, monitor events with the “Group\Group Name” values that
correspond to the critical local or ___domain security groups.
If you need to monitor each time a member is added to a local or ___domain security group, to see who added
the member and when, monitor this event. Typically, this event is used as an informational event, to be
reviewed if needed.
If your organization has naming conventions for account names, monitor “Attributes\SAM Account
Name” for names that don’t comply with the naming conventions.
4764(S): A group’s type was changed.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates every time a group’s type is changed.
This event generates for both security and distribution groups.
This event generates only on ___domain controllers.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4764</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T00:25:33.459568000Z" />
<EventRecordID>175221</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1072" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="GroupTypeChange">Security Enabled Local Group Changed to Security Disabled Local Group.</Data>
<Data Name="TargetUserName">CompanyAuditors</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6608</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38200</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change group type”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Change Type [Type = UnicodeString]: contains three parts: “<Param1> Changed To <Param2>.”. These two
parameters can have the following values (they cannot have the same value at the same time):
Security Disabled Local Group
Security Disabled Universal Group
Security Disabled Global Group
Security Enabled Local Group
Security Enabled Universal Group
Security Enabled Global Group
Group:
Security ID [Type = SID]: SID of changed group. Event Viewer automatically tries to resolve SIDs and
show the group name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group whose type was changed. For example: ServiceDesk
Group Domain [Type = UnicodeString]: ___domain or computer name of the changed group. Formats vary,
and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this new group belongs,
for example: “Win81”.
Built-in groups: Builtin
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical local or ___domain groups in the organization, and need to specifically monitor
these groups for any change, especially group type change, monitor events with the “Group\Group
Name” values that correspond to the critical distribution groups. Examples of critical local or ___domain
groups are built-in local administrators group, ___domain admins, enterprise admins, critical distribution
groups, and so on.
If you need to monitor each time any group’s type is changed, to see who changed it and when, monitor
this event. Typically, this event is used as an informational event, to be reviewed if needed.
4799(S): A security-enabled local group membership was enumerated.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Security Group Management
Event Description:
This event generates when a process enumerates the members of a security-enabled local group on the computer or device.
This event doesn't generate when group members are enumerated using the Active Directory Users and Computers snap-in.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4799</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T03:50:23.625407600Z" />
<EventRecordID>685</EventRecordID>
<Correlation ActivityID="{CBAEDE08-1CF0-0000-50DE-AECBF01CD101}" />
<Execution ProcessID="744" ThreadID="188" />
<Channel>Security</Channel>
<Computer>WIN10-1.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Administrators</Data>
<Data Name="TargetDomainName">Builtin</Data>
<Data Name="TargetSid">S-1-5-32-544</Data>
<Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x72d9d</Data>
<Data Name="CallerProcessId">0xc80</Data>
<Data Name="CallerProcessName">C:\Windows\System32\mmc.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enumerate security-enabled local group members” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Group:
Security ID [Type = SID]: SID of the group whose members were enumerated. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Group Name [Type = UnicodeString]: the name of the group whose members were enumerated.
Group Domain [Type = UnicodeString]: group’s ___domain or computer name. Formats vary, and
include the following:
For Builtin groups this field has “Builtin” value.
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For a local group, this field will contain the name of the computer to which this group belongs, for
example: “Win81”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has
been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a list of critical local security groups in the organization, and need to specifically monitor these
groups for any access (in this case, enumeration of group membership), monitor events with the
“Group\Group Name” values that correspond to the critical local security groups. Examples of critical local
groups are built-in local administrators, built-in backup operators, and so on.
If you need to monitor each time the membership is enumerated for a local or ___domain security group, to see
who enumerated the membership and when, monitor this event. Typically, this event is used as an
informational event, to be reviewed if needed.
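As an added example (not Microsoft's code and not part of the original page), the following Python script applies the monitoring recommendations from the 4735, 4764 and 4799 sections to event XML in the layout shown above: it matches critical groups by SID rather than by name (so the renamed AccountOperators_NEW group still matches), parses the 4764 Change Type string “<Param1> Changed To <Param2>.”, converts the 4799 hexadecimal Process ID to the decimal value Task Manager shows, and checks which process enumerated the membership. The critical-group list, the naming convention and the list of expected enumerating processes are constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# XML namespace of the <Event> element in Windows security event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Critical groups tracked by SID rather than by name (a renamed group keeps its SID).
# Constructed list: the two ___domain SIDs come from the sample events on the page,
# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
CRITICAL_GROUP_SIDS = {
    "S-1-5-21-3457937927-2839227994-823803824-6605": "AccountOperators",
    "S-1-5-21-3457937927-2839227994-823803824-6608": "CompanyAuditors",
    "S-1-5-32-544": "Administrators",
}

# Processes expected to enumerate local group membership (constructed allowlist).
EXPECTED_ENUMERATORS = {r"c:\windows\system32\mmc.exe"}

# Constructed naming convention for group names: letters only.
NAMING_RULE = re.compile(r"^[A-Za-z]+$")


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from one security event's XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def parse_group_type_change(text):
    """Split the 4764 Change Type string '<Param1> Changed To <Param2>.' into (old, new)."""
    m = re.fullmatch(r"(.+?) Changed [Tt]o (.+?)\.?", text.strip())
    if m is None:
        raise ValueError("unexpected GroupTypeChange format: %r" % text)
    return m.group(1), m.group(2)


def evaluate(xml_text):
    """Apply the page's monitoring recommendations to one event; return finding strings."""
    event_id, d = parse_event(xml_text)
    findings = []
    sid = d.get("TargetSid", "")
    critical = CRITICAL_GROUP_SIDS.get(sid)  # None if the group is not on the critical list
    subject = "%s\\%s" % (d.get("SubjectDomainName", ""), d.get("SubjectUserName", ""))

    if event_id == 4734 and critical:
        findings.append("critical group deleted: %s (%s) by %s" % (critical, sid, subject))
    elif event_id == 4735:
        if critical:
            findings.append("critical group changed: %s (%s) by %s" % (critical, sid, subject))
        # Changed Attributes\SAM Account Name carries the new name, or "-" if unchanged.
        new_name = d.get("SamAccountName", "-")
        if new_name != "-" and not NAMING_RULE.match(new_name):
            findings.append("group renamed to non-compliant name %s by %s" % (new_name, subject))
    elif event_id == 4764:
        old, new = parse_group_type_change(d.get("GroupTypeChange", ""))
        if critical and old.startswith("Security Enabled") and new.startswith("Security Disabled"):
            findings.append("critical group %s changed from %s to %s by %s" % (critical, old, new, subject))
    elif event_id == 4799 and critical:
        proc = d.get("CallerProcessName", "")
        pid = int(d.get("CallerProcessId", "0x0"), 16)  # hex in the event, decimal in Task Manager
        if proc.lower() not in EXPECTED_ENUMERATORS:
            findings.append("%s membership enumerated by unexpected process %s (PID %d) as %s"
                            % (critical, proc, pid, subject))
    return findings


def sample_event(event_id, data):
    """Build a minimal event XML in the page's layout from constructed field values."""
    body = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>%d</EventID></System><EventData>%s</EventData></Event>"
            % (event_id, body))


# Constructed samples modelled on the 4735, 4764 and 4799 events shown on the page.
SAMPLES = [
    sample_event(4735, {"TargetUserName": "AccountOperators_NEW", "TargetDomainName": "CONTOSO",
                        "TargetSid": "S-1-5-21-3457937927-2839227994-823803824-6605",
                        "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
                        "SamAccountName": "AccountOperators_NEW", "SidHistory": "-"}),
    sample_event(4764, {"GroupTypeChange": "Security Enabled Local Group Changed to Security Disabled Local Group.",
                        "TargetUserName": "CompanyAuditors", "TargetDomainName": "CONTOSO",
                        "TargetSid": "S-1-5-21-3457937927-2839227994-823803824-6608",
                        "SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO"}),
    sample_event(4799, {"TargetUserName": "Administrators", "TargetDomainName": "Builtin",
                        "TargetSid": "S-1-5-32-544", "SubjectUserName": "dadmin",
                        "SubjectDomainName": "CONTOSO", "CallerProcessId": "0xc80",
                        "CallerProcessName": r"C:\Windows\System32\mmc.exe"}),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        for finding in evaluate(xml_text):
            print(finding)
```

On a live system the same evaluate() can be fed the XML that Get-WinEvent exposes via ToXml(), one event at a time.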
Audit User Account Management
12/18/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit User Account Management determines whether the operating system generates audit events when
specific user account management tasks are performed.
Event volume: Low.
This policy setting allows you to audit changes to user accounts. Events include the following:
A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
A user account’s password is set or changed.
A security identifier (SID) is added to the SID History of a user account, or fails to be added.
The Directory Services Restore Mode password is configured.
Permissions on administrative user accounts are changed.
A user's local group membership was enumerated.
Credential Manager credentials are backed up or restored.
Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer
accounts.
[Table: Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments]
4720(S): A user account was created.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a new user object is created.
This event generates on ___domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4720</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.759912000Z" />
<EventRecordID>175408</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">ksmith</Data>
<Data Name="DisplayName">Ken Smith</Data>
<Data Name="UserPrincipalName">[email protected]</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">%%1794</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">513</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x15</Data>
<Data Name="UserAccountControl">%%2080 %%2082 %%2084</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1793</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create user account”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
New Account:
Security ID [Type = SID]: SID of created user account. Event Viewer automatically tries to resolve SIDs and
show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the user account that was created. For example:
dadmin.
Account Domain [Type = UnicodeString]: ___domain name of created user account. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For local accounts, this field will contain the name of the computer to which this new account
belongs, for example: “Win81”.
Attributes:
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName
attribute of new user object. For example: ksmith. For local account this field contains the name of new user
account.
Display Name [Type = UnicodeString]: the value of the displayName attribute of the new user object. It is the name displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name. For example, Ken Smith. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. Local accounts contain the Full Name attribute in this field, but for new local accounts this field typically has value “<value not set>”.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. This parameter
contains the value of userPrincipalName attribute of new user object. For example, [email protected].
For local users this field is not applicable and has value “-“. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and specifies
a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form
\\Server\Share\Directory. This parameter contains the value of homeDirectory attribute of new user
object. For new local accounts this field typically has value “<value not set>”. You can change this attribute
by using Active Directory Users and Computers, or through a script, for example. This parameter might not
be captured in the event, and in that case appears as “-”.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. This parameter contains the value of homeDrive attribute of new user object. You can
change this attribute by using Active Directory Users and Computers, or through a script, for example. This
parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this
field typically has value “<value not set>”.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. This parameter
contains the value of scriptPath attribute of new user object. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”. For new local accounts this field typically has value “<value not
set>”.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null string,
a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of new user
object. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. This parameter might not be captured in the event, and in that case appears as “-”. For new local
accounts this field typically has value “<value not set>”.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can logon. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a user object. This parameter contains the value of userWorkstations
attribute of new user object. You can change this attribute by using Active Directory Users and Computers,
or through a script, for example. This parameter might not be captured in the event, and in that case appears
as “-”. For local users this field is not applicable and typically has value “<value not set>”.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. For manually
created user account, using Active Directory Users and Computers snap-in, this field typically has value
“<never>”. This parameter contains the value of pwdLastSet attribute of new user object.
Account Expires [Type = UnicodeString]: the date when the account expires. This parameter contains the
value of accountExpires attribute of new user object. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. This parameter might not be captured in
the event, and in that case appears as “-”. For manually created local and ___domain user accounts this field
typically has value “<never>”.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of the user object's primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and
becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a
___domain.
Typically, Primary Group field for new user accounts has the following values:
513 (Domain Users. For local accounts this RID means Users) – for ___domain and local users.
See this article https://support.microsoft.com/kb/243330 for more information. This parameter contains the
value of primaryGroupID attribute of new user object.
Allowed To Delegate To [Type = UnicodeString]: the list of SPNs to which this account can present delegated
credentials. Can be changed using the Active Directory Users and Computers management console in the Delegation
tab of the user account, if this account has at least one SPN registered. This parameter contains the value of the
AllowedToDelegateTo attribute of the new user object. For local user accounts this field is not applicable and
typically has value “-”. For new ___domain user accounts it typically has value “-”. See the description of the
AllowedToDelegateTo field for the “4738(S): A user account was changed.” event for more details.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might
use for authentication. For example, an SPN always includes the name of the host computer on which the
service instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. The Old UAC value is always “0x0” for new user accounts. This
parameter contains the previous value of the userAccountControl attribute of the user object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. This parameter contains the value of userAccountControl
attribute of new user object.
To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s
account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the
flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that
event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to
the next flag.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl attribute.
You will see a line of text for each change. For new user accounts, when the object for this account was created,
the userAccountControl value was considered to be “0x0”, and then it was changed from “0x0” to the real
value for the account's userAccountControl attribute. See possible values in the table below. In the “User
Account Control field text” column, you can see the text that will be displayed in the User Account Control
field in 4720 event.
USE_DES_KEY_ONLY, 0x200000 (2097152): Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Can be set using the “Use Kerberos DES encryption types for this account” checkbox. User Account Control field text: 'Use DES Key Only' - Disabled / 'Use DES Key Only' - Enabled.
For new, manually created, ___domain or local user accounts typical flags are:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' – Enabled
After the new user creation event you will typically see a couple of “4738: A user account was changed.” events
with new flags:
'Password Not Required' – Disabled
Account Enabled
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of user’s account properties, then you will see <value
changed, but not displayed> in this field in “4738: A user account was changed.” This parameter might
not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has
value “<value not set>”.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another ___domain. Whenever an object is moved from one ___domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the
value of sIDHistory attribute of new user object. This parameter might not be captured in the event, and in
that case appears as “-”.
Logon Hours [Type = UnicodeString]: the hours during which the account is allowed to log on to the ___domain. This
parameter contains the value of the logonHours attribute of the new user object. You can change this attribute by
using Active Directory Users and Computers, or through a script, for example. You will typically see the “<value not
set>” value for new manually created user accounts in event 4720. For new local accounts this field is not
applicable and typically has value “All”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Field and value to track, with the reason to track it:
• SAM Account Name is empty or -: This field must contain the user account name. If it is empty or -, it might indicate an anomaly.
• User Principal Name is empty or -: Typically this field should not be empty for new user accounts. If it is empty or -, it might indicate an anomaly.
• Home Directory is not -, Home Drive is not -, Script Path is not -, Profile Path is not -, User Workstations is not -: Typically these fields are - for new user accounts. Other values might indicate an anomaly and should be monitored. For local accounts these fields should display <value not set>.
• Password Last Set is <never>: This typically means this is a manually created user account, which you might need to monitor.
• Password Last Set is a time in the future: This might indicate an anomaly.
• Account Expires is not <never>: Typically this field is <never> for new user accounts. Other values might indicate an anomaly and should be monitored.
• Primary Group ID is not 513: Typically, the Primary Group value is 513 for ___domain and local users. Other values should be monitored.
• Allowed To Delegate To is not -: Typically this field is - for new user accounts. Other values might indicate an anomaly and should be monitored.
• Old UAC Value is not 0x0: Typically this field is 0x0 for new user accounts. Other values might indicate an anomaly and should be monitored.
• SID History is not -: This field will always be set to - unless the account was migrated from another ___domain.
• Logon Hours value other than <value not set> or “All”: This should always be <value not set> for new ___domain user accounts, and “All” for new local user accounts.
• 'Encrypted Text Password Allowed' – Enabled, 'Smartcard Required' – Enabled, 'Not Delegated' – Enabled, 'Use DES Key Only' – Enabled, 'Don't Require Preauth' – Enabled, 'Trusted To Authenticate For Delegation' – Enabled: By default, these flags should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in.
• 'Server Trust Account' – Enabled: Should never be enabled for user accounts. Applies only to ___domain controller (computer) accounts.
• 'Don't Expire Password' – Enabled: Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in.
• 'Trusted For Delegation' – Enabled: By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. It is enabled by default only for new ___domain controllers.
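The UAC decoding walk described above and the flag checks in the monitoring table, as an added Python example that is not part of the documentation. The flag names and bit values are the standard userAccountControl bits (the page's Table 7); the 0x222 and 0x10222 values used for illustration are constructed.

```python
"""Decode a userAccountControl (UAC) flags value the way the 4720 text
describes and check it against the page's monitoring recommendations.
Added example, not from the original documentation.  Flag names and bit
values are the standard userAccountControl bits (the page's Table 7);
the review rules are the ones in the page's monitoring table."""

# Standard userAccountControl bits, listed largest first so the walk matches
# the "largest to smallest" order used in the text.
UAC_FLAGS = [
    ("TRUSTED_TO_AUTH_FOR_DELEGATION", 0x1000000),
    ("PASSWORD_EXPIRED", 0x800000),
    ("DONT_REQ_PREAUTH", 0x400000),
    ("USE_DES_KEY_ONLY", 0x200000),
    ("NOT_DELEGATED", 0x100000),
    ("TRUSTED_FOR_DELEGATION", 0x80000),
    ("SMARTCARD_REQUIRED", 0x40000),
    ("MNS_LOGON_ACCOUNT", 0x20000),
    ("DONT_EXPIRE_PASSWORD", 0x10000),
    ("SERVER_TRUST_ACCOUNT", 0x2000),
    ("WORKSTATION_TRUST_ACCOUNT", 0x1000),
    ("INTERDOMAIN_TRUST_ACCOUNT", 0x0800),
    ("NORMAL_ACCOUNT", 0x0200),
    ("TEMP_DUPLICATE_ACCOUNT", 0x0100),
    ("ENCRYPTED_TEXT_PWD_ALLOWED", 0x0080),
    ("PASSWD_CANT_CHANGE", 0x0040),
    ("PASSWD_NOTREQD", 0x0020),
    ("LOCKOUT", 0x0010),
    ("HOMEDIR_REQUIRED", 0x0008),
    ("ACCOUNTDISABLE", 0x0002),
    ("SCRIPT", 0x0001),
]
KNOWN_MASK = sum(bit for _, bit in UAC_FLAGS)

# Flags whose "Enabled" line in the User Account Control field the page says
# to monitor on a new user account, with the field text the event displays.
WATCH_FLAGS = {
    "ENCRYPTED_TEXT_PWD_ALLOWED": "'Encrypted Text Password Allowed'",
    "SMARTCARD_REQUIRED": "'Smartcard Required'",
    "NOT_DELEGATED": "'Not Delegated'",
    "USE_DES_KEY_ONLY": "'Use DES Key Only'",
    "DONT_REQ_PREAUTH": "'Don't Require Preauth'",
    "TRUSTED_TO_AUTH_FOR_DELEGATION": "'Trusted To Authenticate For Delegation'",
    "SERVER_TRUST_ACCOUNT": "'Server Trust Account'",
    "DONT_EXPIRE_PASSWORD": "'Don't Expire Password'",
    "TRUSTED_FOR_DELEGATION": "'Trusted For Delegation'",
}


def decode_uac(value):
    """Return (set_flag_names, undeclared_bits) for a UAC value.

    Each flag is a single bit, so testing value & bit gives the same result as
    the text's subtract-from-largest walk, but it also isolates bits that are
    not in the table (the "undeclared" 0x4 in the text's 0x15 example) instead
    of letting them be mis-attributed to smaller flags."""
    names = [name for name, bit in UAC_FLAGS if value & bit]
    return names, value & ~KNOWN_MASK


def review_new_account_uac(old_value, new_value):
    """Apply the page's 4720 recommendations for the two UAC fields and
    return a list of finding strings (empty means nothing to flag)."""
    findings = []
    if old_value != 0:
        findings.append("Old UAC Value is 0x%x, expected 0x0 for a new account" % old_value)
    names, undeclared = decode_uac(new_value)
    for name in names:
        if name in WATCH_FLAGS:
            findings.append(WATCH_FLAGS[name] + " - Enabled")
    if undeclared:
        findings.append("undeclared UAC bits 0x%x set" % undeclared)
    return findings


if __name__ == "__main__":
    # The text's worked example: flags value 0x15 from an event.
    print(decode_uac(0x15))  # (['LOCKOUT', 'SCRIPT'], 4)
    # A typical freshly created account: Account Disabled + Password Not
    # Required + Normal Account, as the text lists (constructed value 0x222).
    print(review_new_account_uac(0x0, 0x222))  # []
    # Same account with 'Don't Expire Password' also set (constructed value).
    print(review_new_account_uac(0x0, 0x10222))
```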
4722(S): A user account was enabled.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or computer object is enabled.
For user accounts, this event generates on ___domain controllers, member servers, and workstations.
For computer accounts, this event generates only on ___domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4722</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T23:55:11.038308600Z" />
<EventRecordID>175716</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enable account”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of the account that was enabled. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was enabled.
Account Domain [Type = UnicodeString]: target account’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value ___domain or local account for which you need to monitor every change, monitor all
4722 events with the “Target Account\Security ID” that corresponds to the account.
If you have ___domain or local accounts that should never be enabled, you can monitor all 4722 events with
the “Target Account\Security ID” fields that correspond to the accounts.
We recommend monitoring all 4722 events for local accounts, because these accounts usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4723(S, F): An attempt was made to change an account's password.
5/31/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user attempts to change his or her password.
For user accounts, this event generates on ___domain controllers, member servers, and workstations.
For ___domain accounts, a Failure event generates if the new password fails to meet the password policy.
For local accounts, a Failure event generates if the new password fails to meet the password policy or the old
password is wrong.
For ___domain accounts, if the old password was wrong, then “4771: Kerberos pre-authentication failed” or “4776: The
computer attempted to validate the credentials for an account” will be generated on the ___domain controller if the
specific subcategories were enabled on it.
Typically you will see 4723 events with the same Subject\Security ID and Target Account\Security ID fields,
which is normal behavior.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4723</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T01:32:51.494558000Z" />
<EventRecordID>175722</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x1a9b76</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to change Target’s
Account password.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account: account for which the password change was requested.
Security ID [Type = SID]: SID of the account for which the password change was requested. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see
the source data in the event.
Account Name [Type = UnicodeString]: the name of the account for which the password change was
requested.
Account Domain [Type = UnicodeString]: target account’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value ___domain or local user account for which you need to monitor every password
change attempt, monitor all 4723 events with the “Target Account\Security ID” that corresponds to the
account.
If you have a high-value ___domain or local account for which you need to monitor every change, monitor all
4723 events with the “Target Account\Security ID” that corresponds to the account.
If you have ___domain or local accounts for which the password should never be changed, you can monitor all
4723 events with the “Target Account\Security ID” that corresponds to the account.
4724(S, F): An attempt was made to reset an account's password.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time an account attempts to reset the password for another account.
For user accounts, this event generates on ___domain controllers, member servers, and workstations.
For ___domain accounts, a Failure event generates if the new password fails to meet the password policy.
A Failure event does NOT generate if the user gets “Access Denied” while doing the password reset procedure.
This event also generates if a computer account reset procedure was performed.
For local accounts, a Failure event generates if the new password fails to meet the local password policy.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4724</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T01:58:21.725864900Z" />
<EventRecordID>175740</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">User1</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1107</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to reset Target’s
Account password.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account: account for which password reset was requested.
Security ID [Type = SID]: SID of the account for which the password reset was requested. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see
the source data in the event.
Account Name [Type = UnicodeString]: the name of the account for which password reset was requested.
Account Domain [Type = UnicodeString]: target account’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value ___domain or local user account for which you need to monitor every password reset
attempt, monitor all 4724 events with the “Target Account\Security ID” that corresponds to the account.
If you have a high-value ___domain or local account for which you need to monitor every change, monitor all
4724 events with the “Target Account\Security ID” that corresponds to the account.
If you have ___domain or local accounts for which the password should never be reset, you can monitor all
4724 events with the “Target Account\Security ID” that corresponds to the account.
We recommend monitoring all 4724 events for local accounts, because their passwords usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4725(S): A user account was disabled.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or computer object is disabled.
For user accounts, this event generates on ___domain controllers, member servers, and workstations.
For computer accounts, this event generates only on ___domain controllers.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4725</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T23:55:07.657358900Z" />
<EventRecordID>175714</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “disable account”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of the account that was disabled. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was disabled.
Account Domain [Type = UnicodeString]: target account’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value ___domain or local account for which you need to monitor every change, monitor all
4725 events with the “Target Account\Security ID” that corresponds to the account.
If you have ___domain or local accounts that should never be disabled (for example, service accounts), you can
monitor all 4725 events with the “Target Account\Security ID” that corresponds to the account.
We recommend monitoring all 4725 events for local accounts, because these accounts usually do not
change often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
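The 4722, 4723, 4724 and 4725 recommendations above all come down to keying on Target Account\Security ID. As an added Python example that is not part of the documentation, the following matches Security event XML shaped like this page's samples against an account watchlist; the watchlist contents, the policy tags and the sample_event() helper are constructed here, reusing only the provider, ___domain, SIDs and subject shown in the page's Event XML.

```python
"""Match Security audit events 4722-4725 against an account watchlist, as the
monitoring recommendations for those events describe.  Added example, not part
of the original documentation; the watchlist contents and the sample events
are constructed here from the field values shown in the page's Event XML."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Which watchlist policy tags fire on which event.  "high-value" means
# "monitor every change"; the others encode "this account should never be
# enabled / have its password changed / have its password reset / be disabled".
TRIGGERS = {
    4722: {"high-value", "never-enabled"},
    4723: {"high-value", "never-changed"},
    4724: {"high-value", "never-reset"},
    4725: {"high-value", "never-disabled"},
}


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Security event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def check_event(xml_text, watchlist):
    """Return a list of (event_id, target_name, reason) alerts.

    watchlist maps a Target Account SID to the set of policy tags that apply
    to it.  Matching on the SID rather than the name follows the page's advice
    to key on "Target Account\\Security ID"; names can be reused, SIDs cannot."""
    event_id, data = parse_event(xml_text)
    target_sid = data.get("TargetSid")
    alerts = []
    for policy in sorted(watchlist.get(target_sid, set()) & TRIGGERS.get(event_id, set())):
        alerts.append((event_id, data.get("TargetUserName"), policy))
    # The 4723 text says Subject and Target SIDs are normally the same (a user
    # changing their own password); a different subject is worth a look.
    if event_id == 4723 and data.get("SubjectUserSid") != target_sid:
        alerts.append((event_id, data.get("TargetUserName"), "subject-differs"))
    return alerts


# Constructed sample builder using the page's Event XML values (same provider,
# ___domain, subject dadmin and SIDs); only EventID, target and subject vary.
DOMAIN_SID = "S-1-5-21-3457937927-2839227994-823803824"


def sample_event(event_id, target_name, target_rid, subject_rid=1104, subject_name="dadmin"):
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{{54849625-5478-4994-A5BA-3E3B0328C30D}}" />
    <EventID>{event_id}</EventID>
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{target_name}</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetSid">{DOMAIN_SID}-{target_rid}</Data>
    <Data Name="SubjectUserSid">{DOMAIN_SID}-{subject_rid}</Data>
    <Data Name="SubjectUserName">{subject_name}</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x30d5f</Data>
  </EventData>
</Event>"""


# Constructed watchlist: Auditor (RID 2104) must never be enabled; User1
# (RID 1107) is high-value and should never have its password reset.
WATCHLIST = {
    f"{DOMAIN_SID}-2104": {"never-enabled"},
    f"{DOMAIN_SID}-1107": {"high-value", "never-reset"},
}

if __name__ == "__main__":
    for xml_text in (sample_event(4722, "Auditor", 2104),   # enabled -> alert
                     sample_event(4725, "Auditor", 2104),   # disabled -> nothing
                     sample_event(4724, "User1", 1107),     # reset -> two alerts
                     sample_event(4723, "dadmin", 1104)):   # self change -> nothing
        print(check_event(xml_text, WATCHLIST))
```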
4726(S): A user account was deleted.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user object is deleted.
This event generates on ___domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4726</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T00:52:25.104613800Z" />
<EventRecordID>175720</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete user account”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was deleted. Event Viewer automatically tries to resolve SIDs
and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was deleted.
Account Domain [Type = UnicodeString]: target account’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a high-value ___domain or local account for which you need to monitor every change (or deletion),
monitor all 4726 events with the “Target Account\Security ID” that corresponds to the account.
If you have a ___domain or local account that should never be deleted (for example, service accounts), monitor
all 4726 events with the “Target Account\Security ID” that corresponds to the account.
We recommend monitoring all 4726 events for local accounts, because these accounts typically are not
deleted often. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
4738(S): A user account was changed.
11/7/2019 • 16 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user object is changed.
This event generates on ___domain controllers, member servers, and workstations.
For each change, a separate 4738 event will be generated.
You might see this event without any changes inside, that is, where all Changed Attributes appear as “-”. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the discretionary access control list (DACL) is changed, a 4738 event will generate, but all attributes will be “-”.
Some changes do not invoke a 4738 event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="Dummy">-</Data>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change user
account” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was changed. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was changed.
Account Domain [Type = UnicodeString]: target account’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Changed Attributes:
If an attribute was not changed, it will have the value “-”.
Unfortunately, for local accounts, all fields, except changed attributes, will have previous values populated. Also,
the User Account Control field will have values only if it was modified. Changed attributes will have new values,
but it is hard to understand which attribute was really changed.
SAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers
from previous versions of Windows (pre-Windows 2000 logon name). If the value of sAMAccountName
attribute of user object was changed, you will see the new value here. For example: ladmin. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Display Name [Type = UnicodeString]: it is a name, displayed in the address book for a particular account.
This is usually the combination of the user's first name, middle initial, and last name. You can change this
attribute by using Active Directory Users and Computers, or through a script, for example. If the value of
displayName attribute of user object was changed, you will see the new value here. For local accounts,
this field always has some value—if the account's attribute was not changed it will contain the current value
of the attribute.
User Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the
Internet standard RFC 822. By convention this should map to the account's email name. If the value of
userPrincipalName attribute of user object was changed, you will see the new value here. You can change
this attribute by using Active Directory Users and Computers, or through a script, for example. For local
accounts, this field is not applicable and always has “-“ value.
Home Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and
specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the
form \\Server\Share\Directory. If the value of homeDirectory attribute of user object was changed, you
will see the new value here. You can change this attribute by using Active Directory Users and Computers,
or through a script, for example. For local accounts, this field always has some value—if the account's
attribute was not changed it will contain the current value of the attribute.
Home Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by
homeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”. For
example – “H:”. If the value of homeDrive attribute of user object was changed, you will see the new value
here. You can change this attribute by using Active Directory Users and Computers, or through a script, for
example. For local accounts, this field always has some value—if the account's attribute was not changed it
will contain the current value of the attribute.
Script Path [Type = UnicodeString]: specifies the path of the account’s logon script. If the value of
scriptPath attribute of user object was changed, you will see the new value here. You can change this
attribute by using Active Directory Users and Computers, or through a script, for example. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Profile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null
string, a local absolute path, or a UNC path. If the value of profilePath attribute of user object was
changed, you will see the new value here. You can change this attribute by using Active Directory Users and
Computers, or through a script, for example. For local accounts, this field always has some value—if the
account's attribute was not changed it will contain the current value of the attribute.
User Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers
from which the user can logon. Each computer name is separated by a comma. The name of a computer is
the sAMAccountName property of a computer object. If the value of userWorkstations attribute of user
object was changed, you will see the new value here. You can change this attribute by using Active
Directory Users and Computers, or through a script, for example. For local accounts, this field is not
applicable and always appears as “<value not set>”.
Password Last Set [Type = UnicodeString]: last time the account’s password was modified. If the value of
pwdLastSet attribute of user object was changed, you will see the new value here. For example: 8/12/2015
11:41:39 AM. This value will be changed, for example, after manual user account password reset. For local
accounts, this field always has some value—if the account's attribute was not changed it will contain the
current value of the attribute.
Account Expires [Type = UnicodeString]: the date when the account expires. If the value of
accountExpires attribute of user object was changed, you will see the new value here. For example,
“9/21/2015 12:00:00 AM”. You can change this attribute by using Active Directory Users and Computers,
or through a script, for example. For local accounts, this field always has some value—if the account's
attribute was not changed it will contain the current value of the attribute.
Primary Group ID [Type = UnicodeString]: Relative Identifier (RID) of user’s object primary group.
Note Relative identifier (RID) is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a ___domain.
This field will contain some value if user’s object primary group was changed. You can change user’s primary
group using Active Directory Users and Computers management console in the Member Of tab of user object
properties. You will see a RID of new primary group as a field value. For example, RID 513 (Domain Users) is a
default primary group for users.
Typical Primary Group values for user accounts:
513 (Domain Users. For local accounts this RID means Users) – for ___domain and local users.
See this article https://support.microsoft.com/kb/243330 for more information. If the value of
primaryGroupID attribute of user object was changed, you will see the new value here.
AllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present
delegated credentials. Can be changed using Active Directory Users and Computers management console
in Delegation tab of user account, if at least one SPN is registered for user account. If the SPNs list on
Delegation tab of a user account was changed, you will see the new SPNs list in AllowedToDelegateTo
field (note that you will see the new list instead of changes) of this event. This is an example of
AllowedToDelegateTo:
dcom/WIN2012
dcom/WIN2012.contoso.local
If the value of msDS-AllowedToDelegateTo attribute of user object was changed, you will see the new value here.
The value can be “<value not set>”, for example, if delegation was disabled.
For local accounts, this field is not applicable and always has “-” value.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must
have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients
might use for authentication. For example, an SPN always includes the name of the host computer on which
the service instance is running, so a service instance might register an SPN for each name or alias of its host.
Old UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. This parameter contains the previous value of
userAccountControl attribute of user object.
New UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,
script, and other behavior for the user account. If the value of userAccountControl attribute of user object
was changed, you will see the new value here.
To decode this value, go through the property value definitions in the User’s or Computer’s account UAC flags table, from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event, note that the flag applies, and then go on to the next flag. Undeclared bit values (such as 0x0004 in the example below) must be subtracted in the same way; otherwise the remaining value is no longer a sum of the smaller flags and they will be decoded incorrectly.
Here's an example: Flags value from event: 0x15
Decoding:
• PASSWD_NOTREQD 0x0020
• LOCKOUT 0x0010
• HOMEDIR_REQUIRED 0x0008
• (undeclared) 0x0004
• ACCOUNTDISABLE 0x0002
• SCRIPT 0x0001
0x0020 > 0x15, so PASSWD_NOTREQD does not apply to this event
0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
So this UAC flags value decodes to: LOCKOUT and SCRIPT
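The same decoding, carried out in Python, as an added example that is not code from the Microsoft page: decode_uac walks every bit position from largest to smallest and subtracts each value that fits, exactly as the worked 0x15 example does, and diff_uac then compares the Old UAC Value and New UAC Value of the sample 4738 event above (0x15 and 0x211) to list which flags were enabled and which were disabled. The flag names and bit values are the well-known userAccountControl (ADS_UF_*) constants; the UNDECLARED_0x... label for bits without a declared name is this example's own convention.

```python
# Added example (not from the Microsoft page): decode userAccountControl
# the way the page describes and diff the old/new values of a 4738 event.

# Well-known userAccountControl bit values (the ADS_UF_* constants).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def decode_uac(value):
    """Names of the flags set in `value`, largest bit first.

    This is the page's subtraction method.  It visits every bit position,
    not only the declared flags: if an undeclared bit (0x4 in the page's
    0x15 example) were skipped, the remainder would no longer be a clean
    sum of the smaller flags and the low bits would decode wrongly.
    Undeclared bits are reported as UNDECLARED_0x<value> (this example's
    own label).
    """
    remaining = value
    names = []
    for bit in (1 << n for n in range(31, -1, -1)):
        if remaining >= bit:       # the flag "fits", so it is set
            names.append(UAC_FLAGS.get(bit, f"UNDECLARED_0x{bit:X}"))
            remaining -= bit       # ...and is removed before the next flag
        if remaining == 0:
            break
    return names


def diff_uac(old, new):
    """(enabled, disabled) flag names between Old UAC Value and New UAC Value."""
    enabled = decode_uac(new & ~old)    # bits set in new but not in old
    disabled = decode_uac(old & ~new)   # bits set in old but not in new
    return enabled, disabled


if __name__ == "__main__":
    # Values from the page's sample 4738 event.
    old_uac, new_uac = 0x15, 0x211
    print(f"0x{old_uac:X} -> {decode_uac(old_uac)}")
    print(f"0x{new_uac:X} -> {decode_uac(new_uac)}")
    enabled, disabled = diff_uac(old_uac, new_uac)
    print("enabled:", enabled, "disabled:", disabled)
```

For the sample event this reports 0x15 as LOCKOUT, UNDECLARED_0x4 and SCRIPT, 0x211 as NORMAL_ACCOUNT, LOCKOUT and SCRIPT, and the change as NORMAL_ACCOUNT enabled and the undeclared 0x4 bit cleared. Because every flag is a distinct power of two, the subtraction walk gives the same answer as a bitwise AND against each flag; the walk is kept here because it is the procedure the page describes.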
User Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl
attribute. You will see a line of text for each change. See possible values in here: User’s or Computer’s
account UAC flags. In the “User Account Control field text” column, you can see the text that will be
displayed in the User Account Control field in 4738 event.
User Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and
Computers management console in Dial-in tab of user’s account properties, then you will see <value
changed, but not displayed> in this field. For local accounts, this field is not applicable and always has
“<value not set>” value.
SID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved
from another ___domain. Whenever an object is moved from one ___domain to another, a new SID is created and
becomes the objectSID. The previous SID is added to the sIDHistory property. If the value of sIDHistory
attribute of user object was changed, you will see the new value here.
Logon Hours [Type = UnicodeString]: hours that the account is allowed to logon to the ___domain. If the
value of logonHours attribute of user object was changed, you will see the new value here. You can
change this attribute by using Active Directory Users and Computers, or through a script, for example.
Here is an example of this field:
Sunday 12:00 AM - 7:00 PM
Sunday 9:00 PM -Monday 1:00 PM
Monday 2:00 PM -Tuesday 6:00 PM
Tuesday 8:00 PM -Wednesday 10:00 AM
For local accounts this field is not applicable and typically has value “All”.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as
“-”. See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Field | Information
Display Name, User Principal Name, Home Directory, Home Drive, Script Path, Profile Path, User Workstations, Password Last Set, Account Expires, Primary Group ID, Logon Hours | We recommend monitoring all changes for these fields for critical ___domain and local accounts.
Primary Group ID is not 513 | Typically, the Primary Group value is 513 for ___domain and local users. Other values should be monitored.
AllowedToDelegateTo is marked <value not set>, for user accounts for which the services list (on the Delegation tab) should not be empty | If AllowedToDelegateTo is marked <value not set> on user accounts that previously had a services list (on the Delegation tab), it means the list was cleared.
SID History is not - | This field will always be set to - unless the account was migrated from another ___domain.

User Account Control flag to track | Information about the flag
'Password Not Required' – Enabled | Should not typically be enabled for user accounts because it weakens security for the account.
'Encrypted Text Password Allowed' – Enabled | Should not typically be enabled for user accounts because it weakens security for the account.
'Server Trust Account' – Enabled | Should never be enabled for user accounts. Applies only to ___domain controller (computer) accounts.
'Don't Expire Password' – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag.
'Password Not Required' – Disabled | Should be monitored for all accounts where the setting should be “Enabled.”
'Encrypted Text Password Allowed' – Disabled | Should be monitored for all accounts where the setting should be “Enabled.”
'Don't Expire Password' – Disabled | Should be monitored for all accounts where the setting should be “Enabled.”
'Smartcard Required' – Disabled | Should be monitored for all accounts where the setting should be “Enabled.”
'Trusted For Delegation' – Enabled | Means that Kerberos constrained or unconstrained delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Trusted For Delegation' – Disabled | Means that Kerberos constrained or unconstrained delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
'Trusted To Authenticate For Delegation' – Enabled | Means that Protocol Transition delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Trusted To Authenticate For Delegation' – Disabled | Means that Protocol Transition delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts.
'Not Delegated' – Enabled | Means that "Account is sensitive and cannot be delegated" was checked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Not Delegated' – Disabled | Should be monitored for all accounts where the setting should be “Enabled.” Means that "Account is sensitive and cannot be delegated" was unchecked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
'Use DES Key Only' – Enabled | Should not typically be enabled for user accounts because it weakens security for the account’s Kerberos authentication.
'Don't Require Preauth' – Enabled | Should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication.
'Use DES Key Only' – Disabled | Should be monitored for all accounts where the setting should be “Enabled.”
'Don't Require Preauth' – Disabled | Should be monitored for all accounts where the setting should be “Enabled.”
4740(S): A user account was locked out.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user account is locked out.
For user accounts, this event generates on ___domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4740</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T22:06:08.576887500Z" />
<EventRecordID>175703</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">WIN81</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that performed the lockout operation.
Account Domain [Type = UnicodeString]: ___domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Account That Was Locked Out:
Security ID [Type = SID]: SID of account that was locked out. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was locked out.
Additional Information:
Caller Computer Name [Type = UnicodeString]: the name of computer account from which logon attempt
was received and after which target account was locked out. For example: WIN81.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
If you have high-value ___domain or local accounts (for example, ___domain administrator accounts) for which
you need to monitor every lockout, monitor all 4740 events with the “Account That Was Locked Out
\Security ID” values that correspond to the accounts.
If you have a high-value ___domain or local account for which you need to monitor every change, monitor all
4740 events with the “Account That Was Locked Out \Security ID” that corresponds to the account.
If the user account “Account That Was Locked Out\Security ID” should not be used (for authentication
attempts) from the Additional Information\Caller Computer Name, then trigger an alert.
Monitor for all 4740 events where Additional Information\Caller Computer Name is not from your
___domain. However, be aware that even if the computer is not in your ___domain you will get the computer
name instead of an IP address in the 4740 event.
4765(S): SID History was added to an account.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This event generates when SID History was added to an account.
See more information about SID History here: https://technet.microsoft.com/library/cc779590(v=ws.10).aspx.
There is no example of this event in this document.
Subcategory: Audit User Account Management
Event Schema:
SID History was added to an account.
Subject:
Security ID:%6
Account Name:%7
Account Domain:%8
Logon ID:%9
Target Account:
Security ID:%5
Account Name:%3
Account Domain:%4
Source Account:
Security ID:%2
Account Name:%1
Additional Information:
Privileges:%10
SID List:%11
Applies to
Windows 10
Windows Server 2016
This event generates when an attempt to add SID History to an account failed.
See more information about SID History here: https://technet.microsoft.com/library/cc779590(v=ws.10).aspx.
There is no example of this event in this document.
Subcategory: Audit User Account Management
Event Schema:
An attempt to add SID History to an account failed.
Subject:
Security ID:-
Account Name:%5
Account Domain:%6
Logon ID:%7
Target Account:
Security ID:%4
Account Name:%2
Account Domain:%3
Source Account:
Account Name:%1
Additional Information:
Privileges:%8
4767(S): A user account was unlocked.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user account is unlocked.
For user accounts, this event generates on ___domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4767</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-21T22:31:01.871931700Z" />
<EventRecordID>175705</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that performed the unlock operation. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that performed the unlock operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account that was unlocked. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account that was unlocked.
Account Domain [Type = UnicodeString]: target account’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Security Monitoring Recommendations
For 4767(S): A user account was unlocked.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Applies to
Windows 10
Windows Server 2016
Every hour, the ___domain controller that holds the primary ___domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on every security principal account (users, groups, and machine accounts) in its ___domain that is a member of an administrative or security-sensitive group and has the AdminCount attribute set to 1 against the ACL on the AdminSDHolder object. If the ACL on a principal account differs from the ACL on the AdminSDHolder object, the ACL on the principal account is reset to match the AdminSDHolder ACL and this event is generated.
For some reason, this event doesn’t generate on some OS versions.
Subcategory: Audit User Account Management
Event Schema:
The ACL was set on accounts which are members of administrators groups.
Subject:
Security ID:%4
Account Name:%5
Account Domain:%6
Logon ID:%7
Target Account:
Security ID:%3
Account Name:%1
Account Domain:%2
Additional Information:
Privileges:%8
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time a user or computer account name (sAMAccountName attribute) is changed.
For user accounts, this event generates on ___domain controllers, member servers, and workstations.
For computer accounts, this event generates only on ___domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4781</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T02:41:09.737420900Z" />
<EventRecordID>175754</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1112" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OldTargetUserName">Admin</Data>
<Data Name="NewTargetUserName">MainAdmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6117</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d5f</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that performed the “change account
name” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Target Account:
Security ID [Type = SID]: SID of account on which the name was changed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Domain [Type = UnicodeString]: target account’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Old Account Name [Type = UnicodeString]: old name of target account.
New Account Name [Type = UnicodeString]: new name of target account.
Additional Information:
Privileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for
example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
See full list of user privileges in “Table 8. User Privileges.”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value user or computer accounts (or local user accounts) for which you need to monitor each
change to the accounts, monitor this event with the “Target Account\Security ID” that corresponds to the
high-value accounts.
4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time the Directory Services Restore Mode (DSRM) administrator password is changed.
This event generates only on ___domain controllers.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4794</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-18T02:49:26.087748900Z" />
<EventRecordID>172348</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="2964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that attempted to set the Directory Services Restore Mode administrator password.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Additional Information:
Caller Workstation [Type = UnicodeString]: the name of the computer account from which the Directory Services Restore Mode (DSRM) administrator password change request was received, for example “DC01”. If the change request was sent locally (from the same server), this field has the same name as the computer account.
Status Code [Type = HexInt32]: for Success events it has the value “0x0”.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates when a process enumerates a user's security-enabled local groups on a computer or device.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4798</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T04:14:17.436787700Z" />
<EventRecordID>691</EventRecordID>
<Correlation ActivityID="{CBAEDE08-1CF0-0000-50DE-AECBF01CD101}" />
<Execution ProcessID="744" ThreadID="3928" />
<Channel>Security</Channel>
<Computer>WIN10-1.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">WIN10-1</Data>
<Data Name="TargetSid">S-1-5-21-1694160624-234216347-2203645164-500</Data>
<Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x72d9d</Data>
<Data Name="CallerProcessId">0xc80</Data>
<Data Name="CallerProcessName">C:\\Windows\\System32\\mmc.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “enumerate user's
security-enabled local groups” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
User:
Security ID [Type = SID]: SID of the account whose groups were enumerated. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: the name of the account whose groups were enumerated.
Account Domain [Type = UnicodeString]: group’s ___domain or computer name. Formats vary, and include
the following:
For a local group, this field will contain the name of the computer to which this group belongs, for
example: “Win81”.
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that enumerated the members of the group. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value ___domain or local accounts for which you need to monitor each enumeration of their group membership, or any access attempt, monitor events with the “Subject\Security ID” that corresponds to the high-value account or accounts.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
5376(S): Credential Manager credentials were backed up.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time the user (Subject) successfully backs up the credential manager database.
Typically this can be done by clicking “Back up Credentials” in Credential Manager in the Control Panel.
This event generates on ___domain controllers, member servers, and workstations.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5376</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T03:28:02.200404700Z" />
<EventRecordID>175779</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d7c</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that performed the backup operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Every 5376 event should be recorded for all local and ___domain accounts, because this action (back up Credential
Manager) is very rarely used by users and can indicate a virus, or other harmful or malicious activity.
5377(S): Credential Manager credentials were restored from a backup.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User Account Management
Event Description:
This event generates every time the user (Subject) successfully restores the credential manager database.
Typically this can be done by clicking “Restore Credentials” in Credential Manager in the Control Panel.
This event generates on ___domain controllers, member servers, and workstations.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5377</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T03:35:47.523266300Z" />
<EventRecordID>175780</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1236" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d7c</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that performed the restore operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Every 5377 event should be recorded for all local and ___domain accounts, because this action (restore Credential
Manager credentials from a backup) is very rarely used by users, and can indicate a virus, or other harmful or
malicious activity.
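The monitoring recommendations above for 4781 (watch renames of high-value accounts by Target Account\Security ID), 4798 (check the enumerating process against standard and restricted folders and restricted substrings, and watch high-value subjects) and 5376/5377 (record every occurrence), applied to event records in the XML form this page uses. This is an added Python example, not code from Microsoft or from the documentation; the high-value SID sets, the folder lists and the make_record helper are assumptions, and the sample records are constructed from the page's examples.

```python
"""Added example, not part of the Microsoft documentation: apply the page's
monitoring recommendations for 4781, 4798, 5376 and 5377 to Security event
records.  Sample records are constructed; SID sets and folders are assumed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: SIDs this organisation treats as high-value. The 4781 check keys
# on Target Account\Security ID, the 4798 check on Subject\Security ID.
HIGH_VALUE_TARGET_SIDS = {"S-1-5-21-3457937927-2839227994-823803824-6117"}
HIGH_VALUE_SUBJECT_SIDS = set()
# Assumption: "standard" and "restricted" folders for the 4798 process check.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
# Restricted substrings named in the page's 4798 recommendation.
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one Security event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return event_id, data


def evaluate(event_id, data):
    """Apply the page's recommendations to one parsed record; return alerts."""
    alerts = []
    who = "%s\\%s" % (data.get("SubjectDomainName", "?"), data.get("SubjectUserName", "?"))
    if event_id == 4781:
        # Rename of a high-value account (Target Account\Security ID match).
        if data.get("TargetSid") in HIGH_VALUE_TARGET_SIDS:
            alerts.append("4781: high-value account %s renamed to %s by %s" % (
                data.get("OldTargetUserName"), data.get("NewTargetUserName"), who))
    elif event_id == 4798:
        if data.get("SubjectUserSid") in HIGH_VALUE_SUBJECT_SIDS:
            alerts.append("4798: high-value subject %s enumerated groups of %s" % (
                who, data.get("TargetUserName")))
        proc = data.get("CallerProcessName", "").lower()
        if not proc.startswith(STANDARD_FOLDERS):
            alerts.append("4798: enumerating process outside standard folders: " + proc)
        if any(folder in proc for folder in RESTRICTED_FOLDERS):
            alerts.append("4798: enumerating process in restricted folder: " + proc)
        if any(word in proc for word in RESTRICTED_SUBSTRINGS):
            alerts.append("4798: restricted substring in process name: " + proc)
    elif event_id in (5376, 5377):
        # Credential Manager backup/restore is rare: record every occurrence.
        action = "backed up" if event_id == 5376 else "restored from backup"
        alerts.append("%d: Credential Manager credentials %s by %s" % (event_id, action, who))
    return alerts


def scan(records):
    """Parse and evaluate each XML record; return the combined alert list."""
    alerts = []
    for xml_text in records:
        alerts.extend(evaluate(*parse_event(xml_text)))
    return alerts


def make_record(event_id, computer, **data):
    """Build a minimal Security event record (constructed sample data)."""
    fields = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            '<EventID>%d</EventID><Channel>Security</Channel><Computer>%s</Computer>'
            '</System><EventData>%s</EventData></Event>' % (event_id, computer, fields))


# Constructed samples: the first, second and fourth mirror the page's examples;
# the third is an invented 4798 whose caller runs from a user profile folder.
SAMPLES = [
    make_record(4781, "DC01.contoso.local", OldTargetUserName="Admin",
                NewTargetUserName="MainAdmin", TargetDomainName="CONTOSO",
                TargetSid="S-1-5-21-3457937927-2839227994-823803824-6117",
                SubjectUserSid="S-1-5-21-3457937927-2839227994-823803824-1104",
                SubjectUserName="dadmin", SubjectDomainName="CONTOSO",
                SubjectLogonId="0x30d5f", PrivilegeList="-"),
    make_record(4798, "WIN10-1.contoso.local", TargetUserName="Administrator",
                TargetDomainName="WIN10-1",
                TargetSid="S-1-5-21-1694160624-234216347-2203645164-500",
                SubjectUserSid="S-1-5-21-1377283216-344919071-3415362939-1104",
                SubjectUserName="dadmin", SubjectDomainName="CONTOSO",
                SubjectLogonId="0x72d9d", CallerProcessId="0xc80",
                CallerProcessName=r"C:\Windows\System32\mmc.exe"),
    make_record(4798, "WIN10-1.contoso.local", TargetUserName="Administrator",
                TargetDomainName="WIN10-1", SubjectUserName="dadmin",
                SubjectDomainName="CONTOSO", CallerProcessId="0x1a2b",
                CallerProcessName=r"C:\Users\dadmin\Downloads\enum.exe"),
    make_record(5376, "DC01.contoso.local",
                SubjectUserSid="S-1-5-21-3457937927-2839227994-823803824-1104",
                SubjectUserName="dadmin", SubjectDomainName="CONTOSO",
                SubjectLogonId="0x30d7c"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```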
Audit DPAPI Activity
1/3/2020
Applies to
Windows 10
Windows Server 2016
Audit DPAPI Activity determines whether the operating system generates audit events when encryption or
decryption calls are made into the data protection application interface (DPAPI).
Event volume: Low.
Recommendation table (Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments)
Events List:
4692(S, F): Backup of data protection master key was attempted.
4693(S, F): Recovery of data protection master key was attempted.
4694(S, F): Protection of auditable protected data was attempted.
4695(S, F): Unprotection of auditable protected data was attempted.
4692(S, F): Backup of data protection master key was attempted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit DPAPI Activity
Event Description:
This event generates every time that a backup is attempted for the DPAPI Master Key.
When a computer is a member of a ___domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a ___domain controller. Domain controllers have a ___domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the ___domain controller public key from a ___domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the ___domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
Periodically, a ___domain-joined machine will try to send an RPC request to a ___domain controller to back up the user’s master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys are stored in the user profile, a ___domain controller must be contacted to encrypt the master key with a ___domain recovery key.
This event also generates every time a new DPAPI Master Key is generated.
This event generates on ___domain controllers, member servers, and workstations.
A Failure event generates when a Master Key backup operation fails for some reason.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4692</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13314</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-25T01:59:14.573672700Z" />
<EventRecordID>176964</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="540" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
<Data Name="SubjectUserName">ladmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30c08</Data>
<Data Name="MasterKeyId">16cfaea0-dbe3-4d92-9523-d494edb546bc</Data>
<Data Name="RecoveryServer" />
<Data Name="RecoveryKeyId">806a0350-aeb1-4c56-91f9-ef16cf759291</Data>
<Data Name="FailureReason">0x0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested backup operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Key Information:
Key Identifier [Type = UnicodeString]: unique identifier of the master key whose backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\decrypt the data using DPAPI. All of a user's Master Keys are located in the user profile, in the %APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The name of every Master Key file is its ID.
Recovery Server [Type = UnicodeString]: the name (typically the DNS name) of the computer that you contacted to back up your Master Key. For ___domain-joined machines, it’s typically the name of a ___domain controller. This parameter might not be captured in the event, and in that case will be empty.
Recovery Key ID [Type = UnicodeString]: unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when the first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field you will see the unique Recovery Key ID which was used for the Master Key backup operation.
For Failure events this field is typically empty.
Status Information:
Status Code [Type = HexInt32]: hexadecimal unique status code of the performed operation. For Success events this field is typically “0x0”. To see the meaning of a status code you need to convert it to a decimal value and use the “net helpmsg STATUS_CODE” command to see the description for the specific STATUS_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
4693(S, F): Recovery of data protection master key was attempted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit DPAPI Activity
Event Description:
This event generates every time that recovery is attempted for a DPAPI Master Key.
While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a ___domain controller by using a mutually authenticated and privacy protected RPC call. The ___domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key.
This event generates on ___domain controllers, member servers, and workstations.
A Failure event generates when a Master Key restore operation fails for some reason.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4693</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13314</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-22T06:25:14.589407700Z" />
<EventRecordID>175809</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1340" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30d7c</Data>
<Data Name="MasterKeyId">0445c766-75f0-4de7-82ad-d9d97aad59f6</Data>
<Data Name="RecoveryReason">0x5c005c</Data>
<Data Name="RecoveryServer">DC01.contoso.local</Data>
<Data Name="RecoveryKeyId" />
<Data Name="FailureId">0x380000</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “recover” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Key Information:
Key Identifier [Type = UnicodeString]: unique identifier of a master key which was recovered. The Master
Key is used, with some additional data, to generate an actual symmetric session key to encrypt\decrypt the
data using DPAPI. All of user's Master Keys are located in user profile ->
%APPDATA%\Roaming\Microsoft\Windows\Protect\%SID% folder. The name of every Master Key file is it’s
ID.
Recovery Server [Type = UnicodeString]: the name (typically – DNS name) of the computer that you
contacted to recover your Master Key. For ___domain joined machines, it’s typically a name of a ___domain
controller.
Note In this event Recovery Server field contains information from Recovery Reason field.
Recovery Key ID [Type = UnicodeString]: unique identifier of a recovery key. The recovery key is
generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or
when the first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the
recovery key. This field shows the unique Recovery Key ID that was used for the Master Key recovery
operation. This parameter might not be captured in the event, and in that case will be empty.
Recovery Reason [Type = HexInt32]: hexadecimal code of recovery reason.
Note In this event Recovery Reason field contains information from Recovery Server field.
Status Information:
Status Code [Type = HexInt32]: hexadecimal unique status code. For Success events this field is typically
“0x380000”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
4694(S, F): Protection of auditable protected data was attempted.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This event generates if the DPAPI CryptProtectData() function was called with the CRYPTPROTECT_AUDIT flag
set in dwFlags.
There is no example of this event in this document.
Subcategory: Audit DPAPI Activity
Event Schema:
Protection of auditable protected data was attempted.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Protected Data:
Data Description:%6
Key Identifier:%5
Protected Data Flags:%7
Protection Algorithms:%8
Status Information:
Status Code:%9
Applies to
Windows 10
Windows Server 2016
This event generates if the DPAPI CryptUnprotectData() function was used to unprotect “auditable” data, that is,
data that was encrypted using the CryptProtectData() function with the CRYPTPROTECT_AUDIT flag set in dwFlags.
There is no example of this event in this document.
Subcategory: Audit DPAPI Activity
Event Schema:
Unprotection of auditable protected data was attempted.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Protected Data:
Data Description:%6
Key Identifier:%5
Protected Data Flags:%7
Protection Algorithms:%8
Status Information:
Status Code:%9
Applies to
Windows 10
Windows Server 2016
Audit PNP Activity determines when Plug and Play detects an external device.
A PnP audit event can be used to track down changes in system hardware and will be logged on the machine
where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.
Event volume: Varies, depending on how the computer is used. Typically Low.
Audit recommendation table (columns): Computer Type, General Success, General Failure, Stronger Success, Stronger Failure, Comments
Events List:
6416(S): A new external device was recognized by the System.
6419(S): A request was made to disable a device.
6420(S): A device was disabled.
6421(S): A request was made to enable a device.
6422(S): A device was enabled.
6423(S): The installation of this device is forbidden by system policy.
6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
6416(S): A new external device was recognized by the System.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a new external device is recognized by the system, for example when a new
external device is connected or enabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6416</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-13T18:20:16.818569900Z" />
    <EventRecordID>436</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="308" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">SCSI\Disk&Ven_Seagate&Prod_Expansion\000000</Data>
    <Data Name="DeviceDescription">Seagate Expansion SCSI Disk Device</Data>
    <Data Name="ClassId">{4D36E967-E325-11CE-BFC1-08002BE10318}</Data>
    <Data Name="ClassName">DiskDrive</Data>
    <Data Name="VendorIds">SCSI\DiskSeagate_Expansion_______0636 SCSI\DiskSeagate_Expansion_______ SCSI\DiskSeagate_ SCSI\Seagate_Expansion_______0 Seagate_Expansion_______0 GenDisk</Data>
    <Data Name="CompatibleIds">SCSI\Disk SCSI\RAW</Data>
    <Data Name="LocationInformation">Bus Number 0, Target Id 0, LUN 0</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that registered the new device.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString] [Version 1]: “Device instance path” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Device Name [Type = UnicodeString] [Version 1]: “Device description” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class Name [Type = UnicodeString] [Version 1]: “Class” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Vendor IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
You can use this event to track the events and event information shown in the following table by using the
listed fields:
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time someone makes a request to disable a device. It does not mean that the
device was actually disabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6419</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:23:26.789591400Z" />
    <EventRecordID>483</EventRecordID>
    <Correlation />
    <Execution ProcessID="2192" ThreadID="1392" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-2695983153-1310895815-1903476278-1001</Data>
    <Data Name="SubjectUserName">ladmin</Data>
    <Data Name="SubjectDomainName">DESKTOP-NFC0HVN</Data>
    <Data Name="SubjectLogonId">0x3fcc7</Data>
    <Data Name="DeviceId">USB\VID_138A&PID_0017\FFBC12C950A0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made the request.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Device Name [Type = UnicodeString]: “Device description” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class Name [Type = UnicodeString]: “Class” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can use this event to track the events and event information shown in the following table by using the listed
fields:
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a specific device is disabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6420</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:23:29.137398300Z" />
    <EventRecordID>484</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="88" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">USB\VID_138A&PID_0017\ffbc12c950a0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that disabled the device.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Device Name [Type = UnicodeString]: “Device description” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class Name [Type = UnicodeString]: “Class” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can use this event to track the events and event information shown in the following table by using the listed
fields:
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time someone makes a request to enable a device. It does not mean that the
device was actually enabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6421</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:37:50.034918700Z" />
    <EventRecordID>485</EventRecordID>
    <Correlation />
    <Execution ProcessID="2192" ThreadID="1392" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-2695983153-1310895815-1903476278-1001</Data>
    <Data Name="SubjectUserName">ladmin</Data>
    <Data Name="SubjectDomainName">DESKTOP-NFC0HVN</Data>
    <Data Name="SubjectLogonId">0x3fcc7</Data>
    <Data Name="DeviceId">USB\VID_138A&PID_0017\FFBC12C950A0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made the request.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Device Name [Type = UnicodeString]: “Device description” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class Name [Type = UnicodeString]: “Class” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can use this event to track the events and event information shown in the following table by using the listed
fields:
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time a specific device is enabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6422</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:37:50.036050900Z" />
    <EventRecordID>486</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="408" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">USB\VID_138A&PID_0017\ffbc12c950a0</Data>
    <Data Name="DeviceDescription">Synaptics FP Sensors (WBF) (PID=0017)</Data>
    <Data Name="ClassId">{53D29EF7-377C-4D14-864B-EB3A85769359}</Data>
    <Data Name="ClassName">Biometric</Data>
    <Data Name="HardwareIds">USB\VID_138A&PID_0017&REV_0078 USB\VID_138A&PID_0017</Data>
    <Data Name="CompatibleIds">USB\Class_FF&SubClass_00&Prot_00 USB\Class_FF&SubClass_00 USB\Class_FF</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that enabled the device.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Device Name [Type = UnicodeString]: “Device description” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class Name [Type = UnicodeString]: “Class” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
You can use this event to track the events and event information shown in the following table by using the
listed fields:
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit PNP Activity
Event Description:
This event generates every time the installation of a device is forbidden by system policy.
Device installation restriction group policies are located under
\Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.
If one of these policies restricts installation of a specific device, this event is generated.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6423</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13316</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T22:49:34.647975900Z" />
    <EventRecordID>488</EventRecordID>
    <Correlation />
    <Execution ProcessID="828" ThreadID="1924" />
    <Channel>Security</Channel>
    <Computer>DESKTOP-NFC0HVN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DESKTOP-NFC0HVN$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="DeviceId">USB\VID_04F3&PID_012D\7&1E3A8971&0&2</Data>
    <Data Name="DeviceDescription">Touchscreen</Data>
    <Data Name="ClassId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="ClassName" />
    <Data Name="HardwareIds">USB\VID_04F3&PID_012D&REV_0013 USB\VID_04F3&PID_012D</Data>
    <Data Name="CompatibleIds">USB\Class_03&SubClass_00&Prot_00 USB\Class_03&SubClass_00 USB\Class_03</Data>
    <Data Name="LocationInformation">Port_#0002.Hub_#0004</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that forbids the device installation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Device ID [Type = UnicodeString]: “Device instance path” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Device Name [Type = UnicodeString]: “Device description” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class ID [Type = UnicodeString]: “Class Guid” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Class Name [Type = UnicodeString]: “Class” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Hardware IDs [Type = UnicodeString]: “Hardware Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Compatible IDs [Type = UnicodeString]: “Compatible Ids” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Location Information [Type = UnicodeString]: “Location information” attribute of the device. To see device properties, start Device Manager, open the properties of the specific device, and click “Details”.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you want to track device installation policy violations, you need to track every event of this type.
Because this event is typically triggered by the SYSTEM account, we recommend that you report it
whenever “Subject\Security ID” is not SYSTEM.
You can use this event to track the policy violations and related information shown in the following table by
using the listed fields:
Applies to
Windows 10
Windows Server 2016
This event occurs rarely, and in some situations may be difficult to reproduce.
Subcategory: Audit PNP Activity
Required Server Roles: None.
Minimum OS Version: Windows 10 [Version 1511].
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
Audit Process Creation determines whether the operating system generates audit events when a process is
created (starts).
These audit events can help you track user activity and understand how a computer is being used. Information
includes the name of the program or the user that created the process.
Event volume: Low to Medium, depending on system usage.
This subcategory allows you to audit events generated when a process is created or starts. The name of the
application and user that created the process is also audited.
Audit recommendation table (columns): Computer Type, General Success, General Failure, Stronger Success, Stronger Failure, Comments
Events List:
4688(S): A new process has been created.
4696(S): A primary token was assigned to process.
4688(S): A new process has been created.
8/10/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Creation
Event Description:
This event generates every time a new
process starts.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4688</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
    <EventRecordID>2814</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="400" />
    <Channel>Security</Channel>
    <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="NewProcessId">0x2bc</Data>
    <Data Name="NewProcessName">C:\Windows\System32\rundll32.exe</Data>
    <Data Name="TokenElevationType">%%1938</Data>
    <Data Name="ProcessId">0xe74</Data>
    <Data Name="CommandLine" />
    <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x4a5af0</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="MandatoryLabel">S-1-16-8192</Data>
  </EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “create
process” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully
logged on.”
Target Subject [Version 2]:
Note This event includes the principal of the process creator, but this is not always sufficient if the
target context is different from the creator context. In that situation, the subject specified in the process
termination event does not match the subject in the process creation event even though both events
refer to the same process ID. Therefore, in addition to including the creator of the process, we will also
include the target principal when the creator and target do not share the same logon.
Security ID [Type = SID] [Version 2]: SID of target account. Event Viewer automatically tries to resolve
SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee
(security principal). Each account has a unique SID that is issued by an authority, such as an Active
Directory ___domain controller, and stored in a security database. Each time a user logs on, the system
retrieves the SID for that user from the database and places it in the access token for that user. The
system uses the SID in the access token to identify the user in all subsequent interactions with
Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever
be used again to identify another user or group. For more information about SIDs, see Security
identifiers.
Account Name [Type = UnicodeString] [Version 2]: the name of the target account.
Account Domain [Type = UnicodeString] [Version 2]: target account’s ___domain or computer name.
Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64] [Version 2]: hexadecimal value that can help you correlate this event
with recent events that might contain the same Logon ID, for example, “4624: An account was
successfully logged on.”
Process Information:
New Process ID [Type = Pointer]: hexadecimal Process ID of the new process. Process ID (PID) is a
number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
New Process Name [Type = UnicodeString]: full path and the name of the executable for the new
process.
Token Elevation Type [Type = UnicodeString]:
TokenElevationTypeDefault (1): Type 1 is a full token with no privileges removed or
groups disabled. A full token is only used if User Account Control is disabled or if the user is
the built-in Administrator account (for which UAC is disabled by default), a service account, or
the local system account.
TokenElevationTypeFull (2): Type 2 is an elevated token with no privileges removed or
groups disabled. An elevated token is used when User Account Control is enabled and the
user chooses to start the program using Run as administrator. An elevated token is also used
when an application is configured to always require administrative privilege or to always
require maximum privilege, and the user is a member of the Administrators group.
TokenElevationTypeLimited (3): Type 3 is a limited token with administrative privileges
removed and administrative groups disabled. The limited token is used when User Account
Control is enabled, the application does not require administrative privilege, and the user
does not choose to start the program using Run as administrator.
Mandatory Label [Version 2] [Type = SID]: SID of integrity label which was assigned to the new
process. Can have one of the following values:
Creator Process ID [Type = Pointer]: hexadecimal Process ID of the process which ran the new
process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task
Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID.
Creator Process Name [Version 2] [Type = UnicodeString]: full path and the name of the
executable for the process.
Process Command Line [Version 1, 2] [Type = UnicodeString]: contains the name of executable
and arguments which were passed to it. You must enable “Administrative Templates\System\Audit
Process Creation\Include command line in process creation events” group policy to include
command line in process creation events:
By default Process Command Line field is empty.
Type of monitoring required | Recommendation
High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on. | Monitor all events with the “Creator Subject\Security ID” or “Target Subject\Security ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Creator Subject\Security ID” or “Target Subject\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the “Creator Subject\Security ID” or “Target Subject\Security ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Creator Subject\Security ID” and “Target Subject\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or ___domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the “Creator Subject\Security ID” or “Target Subject\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the “Creator Subject\Security ID” or “Target Subject\Security ID” corresponding to accounts from another ___domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target Computer: (or other target device) for actions performed by the “Creator Subject\Security ID” or “Target Subject\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Creator Subject\Security ID” or “Target Subject\Security ID” for names that don’t comply with naming conventions.
If you have a pre-defined “New Process Name” or “Creator Process Name” for the process
reported in this event, monitor all events with “New Process Name” or “Creator Process Name”
not equal to your defined value.
You can monitor to see if “New Process Name” or “Creator Process Name” is not in a standard
folder (for example, not in System32 or Program Files) or is in a restricted folder (for example,
Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example
“mimikatz” or “cain.exe”), check for these substrings in “New Process Name” or “Creator
Process Name.”
It can be unusual for a process to run using a local account in either Creator Subject\Security ID
or in Target Subject\Security ID.
Monitor for Token Elevation Type with value TokenElevationTypeDefault (1) when
Subject\Security ID lists a real user account, for example when Account Name doesn’t contain
the $ symbol. Typically this means that UAC is disabled for this account for some reason.
Monitor for Token Elevation Type with value TokenElevationTypeFull (2) on standard
workstations, when Subject\Security ID lists a real user account, for example when Account
Name doesn’t contain the $ symbol. This means that a user ran a program using administrative
privileges.
You can also monitor for Token Elevation Type with value TokenElevationTypeFull (2) on
standard workstations, when a computer object was used to run the process, but that computer
object is not the same computer where the event occurs.
If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480
(Protected process), check the “Mandatory Label” in this event.
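The checks listed above, applied to a 4688 event, as an added example that is not part of the Microsoft documentation: it parses the event XML (a constructed sample based on the one shown for this event), converts the hexadecimal PIDs to the decimal values Task Manager shows, and flags the folder, restricted-substring, token-elevation and mandatory-label conditions. The folder and substring lists, the watched labels and the mapping of the %%1936, %%1937 and %%1938 message IDs to the three token elevation types are assumptions to tune for your environment.

```python
# Added example, not from the Microsoft documentation: apply the 4688 monitoring
# recommendations to a process creation event. Folder lists, restricted
# substrings, the watched mandatory labels and the %%1936-%%1938 mapping are
# assumptions for this example.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample based on the 4688 Event XML shown on this page.
SAMPLE_4688 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4688</EventID>
    <Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
    <Data Name="NewProcessId">0x2bc</Data>
    <Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data>
    <Data Name="TokenElevationType">%%1938</Data>
    <Data Name="ProcessId">0xe74</Data>
    <Data Name="CommandLine" />
    <Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
    <Data Name="MandatoryLabel">S-1-16-8192</Data>
  </EventData>
</Event>"""

# Second constructed sample: a user account starting an executable from the
# Temporary Internet Files folder with a full (type 2) token.
SUSPICIOUS_4688 = (
    SAMPLE_4688.replace("WIN-GG82ULGC9GO$", "dadmin")
    .replace("C:\\Windows\\System32\\rundll32.exe",
             "C:\\Users\\dadmin\\AppData\\Local\\Microsoft\\Windows\\"
             "Temporary Internet Files\\update.exe")
    .replace("%%1938", "%%1937")
)

# Policy lists (assumed): tune these for your environment.
STANDARD_FOLDERS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
WATCHED_LABELS = {"S-1-16-20480": "Protected process"}
# Message-table IDs that Event Viewer resolves to the three token elevation types (assumed).
ELEVATION_TYPES = {"%%1936": 1, "%%1937": 2, "%%1938": 3}


def parse_event(xml_text):
    """Return the EventData fields plus EventID and Computer as a flat dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return fields


def pid_to_decimal(hex_pid):
    """Convert the event's hexadecimal PID (for example 0x2bc) to the decimal value Task Manager shows."""
    return int(hex_pid, 16)


def is_user_account(account_name):
    """The page's heuristic: computer and service accounts end with '$', user accounts do not."""
    return bool(account_name) and not account_name.endswith("$")


def review_4688(fields, is_workstation=True, expected_new_process=None):
    """Apply the monitoring recommendations for 4688 and return a list of findings."""
    findings = []
    new_proc = fields.get("NewProcessName", "")
    creator = fields.get("ParentProcessName", "")
    for label, path in (("New Process Name", new_proc), ("Creator Process Name", creator)):
        low = path.lower()
        if not low.startswith(STANDARD_FOLDERS):
            findings.append(f"{label} outside standard folders: {path}")
        if any(r in low for r in RESTRICTED_FOLDERS):
            findings.append(f"{label} in restricted folder: {path}")
        if any(s in low for s in RESTRICTED_SUBSTRINGS):
            findings.append(f"{label} contains restricted substring: {path}")
    if expected_new_process and new_proc.lower() != expected_new_process.lower():
        findings.append(f"New Process Name differs from expected value: {new_proc}")
    elevation = ELEVATION_TYPES.get(fields.get("TokenElevationType", ""))
    subject = fields.get("SubjectUserName", "")
    if elevation == 1 and is_user_account(subject):
        findings.append(f"TokenElevationTypeDefault (1) for user {subject}: UAC is probably disabled")
    if elevation == 2 and is_workstation and is_user_account(subject):
        findings.append(f"TokenElevationTypeFull (2) on a workstation: {subject} ran a program "
                        "with administrative privileges")
    label = fields.get("MandatoryLabel", "")
    if label in WATCHED_LABELS:
        findings.append(f"Mandatory Label {label} ({WATCHED_LABELS[label]}) on {new_proc}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_4688, SUSPICIOUS_4688):
        f = parse_event(sample)
        print(f["Computer"], "new PID", pid_to_decimal(f["NewProcessId"]),
              "created by PID", pid_to_decimal(f["ProcessId"]))
        for finding in review_4688(f) or ["no findings"]:
            print("  -", finding)
```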
4696(S): A primary token was assigned to process.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Creation
Event Description:
This event generates every time a process runs
using the non-current access token, for example,
UAC elevated token, RUN AS different user
actions, scheduled task with defined user,
services, and so on.
IMPORTANT: this event is deprecated starting
from Windows 7 and Windows 2008 R2.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4696</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-25T21:33:42.401Z" />
    <EventRecordID>561</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="88" />
    <Channel>Security</Channel>
    <Computer>Win2008.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN2008$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-18</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x1c8c5</Data>
    <Data Name="TargetProcessId">0xf40</Data>
    <Data Name="TargetProcessName">C:\Windows\System32\WerFault.exe</Data>
    <Data Name="ProcessId">0x698</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
Required Server Roles: this event is deprecated starting from Windows 7 and Windows 2008 R2.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “assign token to process” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “assign token to
process” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which started the new process with the
new security token. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process which ran
the new process with new security token.
Target Process:
Target Process ID [Type = Pointer]: hexadecimal Process ID of the new process with new security token. If you
convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has
been created” Process Information\New Process ID.
Target Process Name [Type = UnicodeString]: full path and the name of the executable for the new process.
New Token Information:
Security ID [Type = SID]: SID of account through which the security token will be assigned to the new process.
Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you
will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account through which the security token will be
assigned to the new process.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Type of monitoring required | Recommendation
High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on. | Monitor this event with the “Subject\Security ID” or “New Token Information\Security ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “Subject\Security ID” or “New Token Information\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “Subject\Security ID” or “New Token Information\Security ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” and “New Token Information\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or ___domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Security ID” or “New Token Information\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Subject\Security ID” or “New Token Information\Security ID” corresponding to accounts from another ___domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” or “New Token Information\Security ID” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Security ID” or “New Token Information\Security ID” for names that don’t comply with naming conventions.
If you have a pre-defined “Process Name” or “Target Process Name” for the process reported in this
event, monitor all events with “Process Name” or “Target Process Name” not equal to your defined value.
You can monitor to see if “Process Name” or “Target Process Name” is not in a standard folder (for
example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet
Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name” or “Target Process Name”.
It can be uncommon for a process to run using a local account.
Audit Process Termination
12/20/2019
Applies to
Windows 10
Windows Server 2016
Audit Process Termination determines whether the operating system generates audit events when a process
has exited.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
This policy setting can help you track user activity and understand how the computer is used.
Event volume: Low to Medium, depending on system usage.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | No | No | IF | No | IF - see the comment below
Workstation | No | No | IF | No | IF - see the comment below
Comment (the same for both rows): This subcategory typically is not as important as the Audit Process Creation subcategory. Using this subcategory you can, for example, get information about how long a process ran, by correlating with the 4688 event. If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Events List:
4689(S): A process has exited.
4689(S): A process has exited.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Process Termination
Event Description:
This event generates every time a process has
exited.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4689</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13313</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
    <EventRecordID>187030</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="144" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x31365</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="ProcessId">0xfb0</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested the “terminate process” operation. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “terminate process”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the ended/terminated process. Process ID (PID) is a
number used by the operating system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688(S): A new
process has been created” New Process ID on this computer.
Process Name [Type = UnicodeString]: full path and the executable name of the exited/terminated process.
Exit Status [Type = HexInt32]: hexadecimal exit code of exited/terminated process. This exit code is unique
for every application, check application documentation for more details. The exit code value for a process
reflects the specific convention implemented by the application developer for that process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If you have a critical processes list for the computer, with the requirement that these processes must always
run and not stop, you can monitor Process Name field in 4689 events for these process names.
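Correlating 4689 with 4688 to learn how long a process ran, as the subcategory table suggests, and checking the exited process against a critical-process list, as the last recommendation above describes: an added example, not code from the Microsoft documentation. It runs over constructed sample records that use this page's field names (hexadecimal PIDs, SystemTime timestamps, Status exit codes); the CRITICAL_PROCESSES path is hypothetical, and the example also handles PID reuse and exit events with no matching creation event.

```python
# Added example, not from the Microsoft documentation: correlate 4688 (process
# created) with 4689 (process exited) by computer and Process ID to compute how
# long each process ran and to flag termination of critical processes.
# SAMPLE_EVENTS are constructed records using the page's field names;
# CRITICAL_PROCESSES is a hypothetical list.
from datetime import datetime, timezone

CRITICAL_PROCESSES = {"c:\\program files\\contoso agent\\agent.exe"}  # hypothetical

# Constructed sample records (EventID, TimeCreated, Computer, EventData fields).
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2015-08-27T17:12:31.000000000Z", "Computer": "DC01.contoso.local",
     "NewProcessId": "0xfb0", "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 4689, "TimeCreated": "2015-08-27T17:13:01.826339500Z", "Computer": "DC01.contoso.local",
     "ProcessId": "0xfb0", "ProcessName": "C:\\Windows\\System32\\notepad.exe", "Status": "0x0"},
    # PID 0xfb0 is reused by a new process after notepad exits.
    {"EventID": 4688, "TimeCreated": "2015-08-27T17:13:05.000000000Z", "Computer": "DC01.contoso.local",
     "NewProcessId": "0xfb0", "NewProcessName": "C:\\Program Files\\Contoso Agent\\agent.exe"},
    {"EventID": 4689, "TimeCreated": "2015-08-27T17:13:20.500000000Z", "Computer": "DC01.contoso.local",
     "ProcessId": "0xfb0", "ProcessName": "C:\\Program Files\\Contoso Agent\\agent.exe", "Status": "0x1"},
    # Exit with no matching creation event (for example, auditing was enabled after the process started).
    {"EventID": 4689, "TimeCreated": "2015-08-27T17:13:25.000000000Z", "Computer": "DC01.contoso.local",
     "ProcessId": "0x123", "ProcessName": "C:\\Windows\\System32\\svchost.exe", "Status": "0x0"},
]


def parse_system_time(value):
    """Parse the SystemTime format (up to seven fractional digits, UTC 'Z') into a datetime."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    # datetime only carries microseconds, so keep the first six fractional digits.
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def correlate(events, critical=CRITICAL_PROCESSES):
    """Pair each 4689 with the most recent 4688 for the same computer and PID.

    Returns (matched, unmatched): each matched entry carries the runtime in seconds,
    the decoded exit status and whether the process is on the critical list.
    """
    running = {}      # (computer, decimal PID) -> (start time, process name)
    matched, unmatched = [], []
    for ev in sorted(events, key=lambda e: parse_system_time(e["TimeCreated"])):
        when = parse_system_time(ev["TimeCreated"])
        if ev["EventID"] == 4688:
            key = (ev["Computer"], int(ev["NewProcessId"], 16))
            running[key] = (when, ev["NewProcessName"])   # newest creation wins on PID reuse
        elif ev["EventID"] == 4689:
            key = (ev["Computer"], int(ev["ProcessId"], 16))
            start = running.pop(key, None)
            if start is None:
                unmatched.append(ev)
                continue
            name = ev["ProcessName"]
            matched.append({
                "computer": ev["Computer"],
                "pid": key[1],
                "name": name,
                "runtime_seconds": (when - start[0]).total_seconds(),
                "exit_status": int(ev["Status"], 16),
                "critical": name.lower() in critical,
            })
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = correlate(SAMPLE_EVENTS)
    for m in matched:
        flag = "  <-- critical process terminated" if m["critical"] else ""
        print(f"{m['name']} (PID {m['pid']}) ran {m['runtime_seconds']:.3f}s, "
              f"exit status 0x{m['exit_status']:x}{flag}")
    print(len(unmatched), "exit event(s) without a matching creation event")
```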
Audit RPC Events
12/18/2019
Applies to
Windows 10
Windows Server 2016
Audit RPC Events determines whether the operating system generates audit events when inbound remote
procedure call (RPC) connections are made.
Events List:
5712(S): A Remote Procedure Call (RPC) was attempted.
5712(S): A Remote Procedure Call (RPC) was attempted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
It appears that this event never occurs.
Subcategory: Audit RPC Events
Event Schema:
A Remote Procedure Call (RPC) was attempted.
Subject:
SID:%1
Name:%2
Account Domain:%3
LogonId:%4
Process Information:
PID:%5
Name:%6
Network Information:
Remote IP Address:%7
Remote Port:%8
RPC Attributes:
Interface UUID:%9
Protocol Sequence:%10
Authentication Service:%11
Authentication Level:%12
Applies to
Windows 10
Windows Server 2016
Audit Detailed Directory Service Replication determines whether the operating system generates audit events
that contain detailed tracking information about data that is replicated between ___domain controllers.
This audit subcategory can be useful to diagnose replication issues.
Event volume: These events can create a very high volume of event data on ___domain controllers.
Events List:
4928(S, F): An Active Directory replica source naming context was established.
4929(S, F): An Active Directory replica source naming context was removed.
4930(S, F): An Active Directory replica source naming context was modified.
4931(S, F): An Active Directory replica destination naming context was modified.
4934(S): Attributes of an Active Directory object were replicated.
4935(F): Replication failure begins.
4936(S): Replication failure ends.
4937(S): A lingering object was removed from a replica.
4928(S, F): An Active Directory replica source naming context was established.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time a new Active
Directory replica source naming context is
established.
A Failure event is generated if an error occurs
(Status Code != 0).
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4928</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T19:15:30.067319300Z" />
    <EventRecordID>227065</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="1236" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceAddr">ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local</Data>
    <Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data>
    <Data Name="Options">368</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between ___domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out which partners are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a ___domain controller when the ___domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Source Address [Type = UnicodeString]: DNS record of the server from which information or an update was received.
Naming Context [Type = UnicodeString]: naming context to replicate.
Note The directory tree of Active Directory is partitioned so that sections can be distributed (replicated) to ___domain controllers in different domains within the forest. Each ___domain controller stores a copy of a specific part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is replicated as a unit to the other ___domain controllers in the forest that contain a replica of the same subtree.
Status Code [Type = UInt32]: if there are no issues or errors, the status code is 0. If an error occurred, a Failure event is generated and the Status Code is not equal to 0. You can check the meaning of the error code here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx
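The following parser for the Event XML of the four naming-context events (4928 to 4931) is an added example, not code from this page or from Microsoft. It pulls out the DRA, Naming Context and Status Code fields, splits each DN into its RDNs as the note above describes (respecting LDAP's escaped commas), and reports a Failure event whenever Status Code is non-zero. The first sample reuses the field values of the 4928 example above; the second is a constructed Failure variant whose non-zero status value is chosen for illustration. The helper names make_event, parse_dn, dra_server and parse_replication_event belong to this example and are not Windows APIs.

```python
import xml.etree.ElementTree as ET

# XML namespace of every Security-channel event shown on this page.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The four naming-context events of this subcategory and what each records.
REPLICATION_EVENTS = {
    4928: "replica source naming context established",
    4929: "replica source naming context removed",
    4930: "replica source naming context modified",
    4931: "replica destination naming context modified",
}

def parse_dn(dn):
    """Split a DN into (attribute, value) RDN pairs.

    RDNs are comma separated; LDAP escapes a comma inside a value as '\\,',
    so escaped commas must not split. A '-' field (no DN) gives [].
    """
    if dn in ("", "-"):
        return []
    rdns, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape and its char
            current += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(current)
            current = ""
        else:
            current += dn[i]
        i += 1
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def dra_server(pairs):
    """Server name from a DRA DN ('CN=NTDS Settings,CN=<server>,...'), or '-'."""
    return pairs[1][1] if len(pairs) > 1 else "-"

def parse_replication_event(xml_text):
    """Extract the fields a responder needs from a 4928..4931 event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVT_NS))
    if event_id not in REPLICATION_EVENTS:
        raise ValueError("not a naming-context replication event: %d" % event_id)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    status = int(data.get("StatusCode", "0"))
    return {
        "event_id": event_id,
        "summary": REPLICATION_EVENTS[event_id],
        "computer": root.findtext("e:System/e:Computer", namespaces=EVT_NS),
        "destination_dra": parse_dn(data.get("DestinationDRA", "-")),
        "source_dra": parse_dn(data.get("SourceDRA", "-")),
        "source_addr": data.get("SourceAddr", "-"),
        "naming_context": data.get("NamingContext", "-"),
        "status_code": status,
        # Status Code 0 is a Success event; anything else is a Failure event.
        "failure": status != 0,
    }

def make_event(event_id, fields, computer="DC01.contoso.local"):
    """Build a minimal Security event (constructed test data, not a real log)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID>'
            '<Channel>Security</Channel><Computer>%s</Computer></System>'
            '<EventData>%s</EventData></Event>'
            % (EVT_NS["e"], event_id, computer, data))

NTDS_DC01 = ("CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,"
             "CN=Sites,CN=Configuration,DC=contoso,DC=local")
SOURCE_ADDR = "ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local"

# Field values of the page's 4928 example (Success, Status Code 0).
SAMPLE_4928_OK = make_event(4928, {
    "DestinationDRA": NTDS_DC01,
    "SourceDRA": NTDS_DC01.replace("CN=DC01", "CN=WIN2012R2"),
    "SourceAddr": SOURCE_ADDR,
    "NamingContext": "DC=ForestDnsZones,DC=contoso,DC=local",
    "Options": "368", "StatusCode": "0",
})
# Constructed Failure variant: no source DRA DN and a non-zero Status Code
# (the value 8419 is used for illustration only).
SAMPLE_4928_FAIL = make_event(4928, {
    "DestinationDRA": NTDS_DC01, "SourceDRA": "-", "SourceAddr": SOURCE_ADDR,
    "NamingContext": "DC=ForestDnsZones,DC=contoso,DC=local",
    "Options": "368", "StatusCode": "8419",
})

if __name__ == "__main__":
    for sample in (SAMPLE_4928_OK, SAMPLE_4928_FAIL):
        ev = parse_replication_event(sample)
        print(ev["event_id"], "FAILURE" if ev["failure"] else "success",
              ev["naming_context"], "from", dra_server(ev["source_dra"]))
```

The same parser applies unchanged to 4929, 4930 and 4931, because all four events share the DestinationDRA, SourceDRA, SourceAddr, NamingContext and StatusCode data names; only which DRA field is "-" changes between them.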
4929(S, F): An Active Directory replica source naming context was removed.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time an Active Directory replica source naming context is removed.
A Failure event is generated if an error occurs (Status Code != 0).
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4929</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T18:54:50.446211200Z" />
    <EventRecordID>227013</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="2636" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">-</Data>
    <Data Name="SourceAddr">2d361dd6-fc22-4d9d-b876-ec582b836458._msdcs.contoso.local</Data>
    <Data Name="NamingContext">DC=contoso,DC=local</Data>
    <Data Name="Options">16640</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>
Required Server Roles: Active Directory ___domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Field Descriptions:
Destination DRA [Type = UnicodeString]: destination directory replication agent distinguished name.
Note The Directory Replication Agent (DRA) handles replication between ___domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out which partners are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a ___domain controller when the ___domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Source Address [Type = UnicodeString]: DNS record of the server from which the “remove” request was received.
Naming Context [Type = UnicodeString]: naming context which was removed.
Note The directory tree of Active Directory is partitioned so that sections can be distributed (replicated) to ___domain controllers in different domains within the forest. Each ___domain controller stores a copy of a specific part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is replicated as a unit to the other ___domain controllers in the forest that contain a replica of the same subtree.
4930(S, F): An Active Directory replica source naming context was modified.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time an Active Directory replica source naming context is modified.
A Failure event is generated if an error occurs (Status Code != 0).
It is not possible to tell from this event what exactly was modified.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4930</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T18:56:51.474057400Z" />
    <EventRecordID>1564</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="1280" />
    <Channel>Security</Channel>
    <Computer>Win2012r2.corp.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceDRA">-</Data>
    <Data Name="SourceAddr">edf0bef9-1f73-4df3-8991-f6ec2d4ef3ae</Data>
    <Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="Options">0</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between ___domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out which partners are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a ___domain controller when the ___domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name. Typically equals “-” for this event.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Source Address [Type = UnicodeString]: DNS record of the computer from which the modification request was received.
Naming Context [Type = UnicodeString]: naming context which was modified.
Note The directory tree of Active Directory is partitioned so that sections can be distributed (replicated) to ___domain controllers in different domains within the forest. Each ___domain controller stores a copy of a specific part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is replicated as a unit to the other ___domain controllers in the forest that contain a replica of the same subtree.
4931(S, F): An Active Directory replica destination naming context was modified.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates every time an Active Directory replica destination naming context is modified.
A Failure event is generated if an error occurs (Status Code != 0).
It is not possible to tell from this event what exactly was modified.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4931</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T19:02:41.563619400Z" />
    <EventRecordID>227058</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="2936" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="DestinationDRA">ddec0cff-6ceb-4a59-b13f-1724c38a0970._msdcs.contoso.local</Data>
    <Data Name="SourceDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
    <Data Name="SourceAddr">-</Data>
    <Data Name="NamingContext">DC=ForestDnsZones,DC=contoso,DC=local</Data>
    <Data Name="Options">23</Data>
    <Data Name="StatusCode">0</Data>
  </EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between ___domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out which partners are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a ___domain controller when the ___domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Destination Address [Type = UnicodeString]: DNS record of the computer to which the modification request was sent.
Naming Context [Type = UnicodeString]: naming context which was modified.
Note The directory tree of Active Directory is partitioned so that sections can be distributed (replicated) to ___domain controllers in different domains within the forest. Each ___domain controller stores a copy of a specific part of the directory tree, called a Naming Context, also known as a Directory Partition. A Naming Context is replicated as a unit to the other ___domain controllers in the forest that contain a replica of the same subtree.
4934(S): Attributes of an Active Directory object were replicated.
Applies to
Windows 10
Windows Server 2016
This event generates when attributes of an Active Directory object were replicated.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
Attributes of an Active Directory object were replicated.
Session ID:%1
Object:%2
Attribute:%3
Type of change:%4
New Value:%5
USN:%6
Status Code:%7
Required Server Roles: Active Directory ___domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
4935(F): Replication failure begins.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed Directory Service Replication
Event Description:
This event generates when an Active Directory replication failure begins.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4935</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14083</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-27T18:54:48.758149800Z" />
    <EventRecordID>1552</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>Win2012r2.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ReplicationEvent">1</Data>
    <Data Name="AuditStatusCode">8419</Data>
  </EventData>
</Event>
4936(S): Replication failure ends.
Applies to
Windows 10
Windows Server 2016
This event generates when Active Directory replication failure ends.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
Replication failure ends.
Replication Event:%1
Audit Status Code:%2
Replication Status Code:%3
Required Server Roles: Active Directory ___domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
4937(S): A lingering object was removed from a replica.
Applies to
Windows 10
Windows Server 2016
This event generates when a lingering object was removed from a replica.
There is no example of this event in this document.
Subcategory: Audit Detailed Directory Service Replication
Event Schema:
A lingering object was removed from a replica.
Destination DRA:%1
Source DRA:%2
Object:%3
Options:%4
Status Code:%5
Required Server Roles: Active Directory ___domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
Applies to
Windows 10
Windows Server 2016
Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
Event volume: High on servers running AD DS role services.
This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.
Recommendation table columns: Computer Type, General Success, General Failure, Stronger Success, Stronger Failure, Comments.
Events List:
4662(S, F): An operation was performed on an object.
4661(S, F): A handle to an object was requested.
4662(S, F): An operation was performed on an object.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Access
Event Description:
This event generates every time an operation is performed on an Active Directory object.
This event generates only if an appropriate SACL is set on the Active Directory object and the performed operation matches that SACL.
If the operation failed, a Failure event is generated.
You will get one 4662 event for each operation type that was performed.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4662</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" />
    <EventRecordID>407230</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="600" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x35867</Data>
    <Data Name="ObjectServer">DS</Data>
    <Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
    <Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data>
    <Data Name="OperationType">Object Access</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="AccessList">%%1537</Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
    <Data Name="AdditionalInfo">-</Data>
    <Data Name="AdditionalInfo2" />
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “DS” value for this event.
Object Type [Type = UnicodeString]: type or class of the object that was accessed. Some of the common Active Directory object types and classes are:
container – for containers.
user – for users.
group – for groups.
domainDNS – for the ___domain object.
groupPolicyContainer – for group policy objects.
For all possible values of Object Type, open the Active Directory Schema snap-in (see how to enable this snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active Directory Schema\Classes. Or use this document: https://msdn.microsoft.com/library/cc221630.aspx
Object Name [Type = UnicodeString]: distinguished name of the object that was accessed.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4661: A handle to an object
was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Operation:
Operation Type [Type = UnicodeString]: the type of operation which was performed on an object.
Typically has “Object Access” value for this event.
Accesses [Type = UnicodeString]: the type of access used for the operation. See “Table 9. Active Directory
Access Codes and Rights.” for more information.
Access Mask [Type = HexInt32]: hexadecimal mask for the type of access used for the operation. See
“Table 9. Active Directory Access Codes and Rights.” for more information.
Properties [Type = UnicodeString]: the first part is the type of access that was used. Typically has the same value as the Accesses field.
The second part is a tree of GUID values of the Active Directory classes or property sets for which the operation was performed.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Sometimes a GUID refers to a pre-defined Active Directory Property Set; you can find the GUID (Rights-GUID field), property set name and details here: https://msdn.microsoft.com/library/ms683990(v=vs.85).aspx.
Here is an example of decoding the Properties field:
Properties | Translation
{bf967a86-0de6-11d0-a285-00aa003049e2} | Computer
{91e647de-d96f-4b70-9557-d63ff4f3ccd8} | Private-Information property set
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05} | ms-PKI-RoamingTimeStamp
{b3f93023-9239-4f7c-b99c-6745d87adbc2} | ms-PKI-DPAPIMasterKeys
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7} | ms-PKI-AccountCredentials
Additional Information:
Parameter 1 [Type = UnicodeString]: there is no information about this field in this document.
Parameter 2 [Type = UnicodeString]: there is no information about this field in this document.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor operation attempts on specific Active Directory classes, monitor the Object Type field for the specific class name. For example, we recommend that you monitor all operation attempts on the domainDNS class.
If you need to monitor operation attempts on specific Active Directory objects, monitor the Object Name field for the specific object name. For example, we recommend that you monitor all operation attempts on the “CN=AdminSDHolder,CN=System,DC=___domain,DC=com” object.
Some access types are more important to monitor, for example:
Write Property
Control Access
DELETE
WRITE_DAC
WRITE_OWNER
You can decide to monitor these (or one of these) access types for specific Active Directory objects. To do so, monitor the Accesses field for the specific access type.
If you need to monitor operation attempts on specific Active Directory properties, monitor the Properties field for the specific property GUID.
Do not forget that Failure attempts are also very important to audit. Decide where you want to monitor Failure attempts based on the previous recommendations.
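The detection logic below turns the monitoring recommendations above into code. It is an added example, not code from this page or from Microsoft. It parses a 4662 event, decodes Access Mask into access names (the standard rights DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER plus the ADS_RIGHTS_ENUM directory rights), translates Object Type and Properties GUIDs with the table from the Properties decoding example, reads the Success/Failure outcome from the Keywords field, and returns the reasons an event deserves review: a watched object (AdminSDHolder), a watched access type, a watched property, or a failed attempt. The first sample reuses the field values of the page's 4662 example; the other three are constructed. The set of watched properties is an operator's choice assumed for this demo, and make_4662, parse_4662, evaluate, decode_mask and guid_names are helper names of this example, not Windows APIs.

```python
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Access Mask bits: the Windows standard rights (DELETE, READ_CONTROL, WRITE_DAC,
# WRITE_OWNER) plus the directory-service rights of ADS_RIGHTS_ENUM.
ACCESS_BITS = {
    0x00001: "Create Child", 0x00002: "Delete Child", 0x00004: "List Contents",
    0x00008: "Self", 0x00010: "Read Property", 0x00020: "Write Property",
    0x00040: "Delete Tree", 0x00080: "List Object", 0x00100: "Control Access",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
# Keywords 0x8020... marks an Audit Success event, 0x8010... an Audit Failure.
AUDIT_FAILURE_KEYWORD = 0x0010000000000000
# The five access types the page singles out as most important to monitor.
WATCHED_ACCESS = {"Write Property", "Control Access", "DELETE", "WRITE_DAC", "WRITE_OWNER"}
# Object DNs reviewed on every operation; the page's example is AdminSDHolder.
WATCHED_OBJECT_PREFIXES = ("CN=AdminSDHolder,CN=System,",)
# GUID translations from the page's Properties decoding example.
GUID_NAMES = {
    "bf967a86-0de6-11d0-a285-00aa003049e2": "Computer",
    "91e647de-d96f-4b70-9557-d63ff4f3ccd8": "Private-Information property set",
    "6617e4ac-a2f1-43ab-b60c-11fbd1facf05": "ms-PKI-RoamingTimeStamp",
    "b3f93023-9239-4f7c-b99c-6745d87adbc2": "ms-PKI-DPAPIMasterKeys",
    "b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7": "ms-PKI-AccountCredentials",
}
# Properties that trigger a review in this demo (an operator's choice, assumed here).
WATCHED_PROPERTIES = {"ms-PKI-DPAPIMasterKeys", "ms-PKI-AccountCredentials"}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def decode_mask(mask):
    """Translate an Access Mask into the access names it contains."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]

def guid_names(text):
    """Translate every GUID in a field (Object Type '%{guid}', Properties GUID tree)."""
    return [GUID_NAMES.get(g.lower(), g.lower()) for g in GUID_RE.findall(text or "")]

def parse_4662(xml_text):
    """Return the fields the recommendations key on, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4662":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    keywords = int(root.findtext("e:System/e:Keywords", "0x0", EVT_NS), 16)
    types = guid_names(data.get("ObjectType"))
    return {
        "outcome": "Failure" if keywords & AUDIT_FAILURE_KEYWORD else "Success",
        "subject": "%s\\%s" % (data.get("SubjectDomainName"), data.get("SubjectUserName")),
        "object_name": data.get("ObjectName", ""),
        # Object Type is either a '%{guid}' reference or a plain class name.
        "object_type": types[0] if types else data.get("ObjectType", ""),
        "accesses": decode_mask(int(data.get("AccessMask", "0x0"), 16)),
        "properties": guid_names(data.get("Properties")),
    }

def evaluate(xml_text):
    """Apply the page's recommendations to one event; return the reasons to review it."""
    ev = parse_4662(xml_text)
    if ev is None:
        return []
    reasons = []
    if ev["object_name"].startswith(WATCHED_OBJECT_PREFIXES):
        reasons.append("watched object: " + ev["object_name"])
    hit = WATCHED_ACCESS.intersection(ev["accesses"])
    if hit:
        reasons.append("watched access: " + ", ".join(sorted(hit)))
    props = WATCHED_PROPERTIES.intersection(ev["properties"])
    if props:
        reasons.append("watched property: " + ", ".join(sorted(props)))
    if ev["outcome"] == "Failure":
        reasons.append("failed attempt by " + ev["subject"])
    return reasons

def make_4662(fields, success=True):
    """Build a minimal 4662 event (constructed test data, not a real log)."""
    keywords = "0x8020000000000000" if success else "0x8010000000000000"
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>4662</EventID><Keywords>%s</Keywords>'
            '<Computer>DC01.contoso.local</Computer></System>'
            '<EventData>%s</EventData></Event>' % (EVT_NS["e"], keywords, data))

SUBJECT = {"SubjectUserName": "dadmin", "SubjectDomainName": "CONTOSO",
           "SubjectLogonId": "0x35867", "ObjectServer": "DS", "OperationType": "Object Access"}
# 1) Values from the page's example: DELETE (0x10000) on a Computer-class object.
PAGE_EVENT = make_4662({**SUBJECT, "ObjectType": "%{bf967a86-0de6-11d0-a285-00aa003049e2}",
                        "ObjectName": "%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}", "AccessMask": "0x10000",
                        "Properties": "%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}"})
# 2) Constructed: Write Property on AdminSDHolder touching a watched PKI property.
ADMINSDHOLDER_EVENT = make_4662({**SUBJECT, "ObjectType": "container",
                                 "ObjectName": "CN=AdminSDHolder,CN=System,DC=contoso,DC=local",
                                 "AccessMask": "0x20", "Properties": "{b3f93023-9239-4f7c-b99c-6745d87adbc2}"})
USER_OBJ = {**SUBJECT, "ObjectType": "user", "ObjectName": "CN=Alice,CN=Users,DC=contoso,DC=local",
            "Properties": "-"}
# 3) Constructed: denied Control Access on a user object (Failure audit).
FAILED_EVENT = make_4662({**USER_OBJ, "AccessMask": "0x100"}, success=False)
# 4) Constructed: plain Read Property on the same object; needs no review.
QUIET_EVENT = make_4662({**USER_OBJ, "AccessMask": "0x10"})

if __name__ == "__main__":
    for ev in (PAGE_EVENT, ADMINSDHOLDER_EVENT, FAILED_EVENT, QUIET_EVENT):
        print(parse_4662(ev)["object_name"], "->", evaluate(ev) or "no review needed")
```

Decoding the Access Mask bits rather than matching the %%-coded Accesses strings keeps the rule independent of the message-table lookups Event Viewer performs, and the GUID translation table is the piece to extend from the schema or property-set references the page links to.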
4661(S, F): A handle to an object was requested.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Directory Service Access and Audit SAM
Event Description:
This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.
If access was declined, a Failure event is generated.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4661</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
    <EventRecordID>1048009</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="528" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4280e</Data>
    <Data Name="ObjectServer">Security Account Manager</Data>
    <Data Name="ObjectType">SAM_DOMAIN</Data>
    <Data Name="ObjectName">DC=contoso,DC=local</Data>
    <Data Name="HandleId">0xdd64d36870</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="AccessList">%%5400</Data>
    <Data Name="AccessMask">0x2d</Data>
    <Data Name="PrivilegeList">Ā</Data>
    <Data Name="Properties">-</Data>
    <Data Name="RestrictedSidCount">2949165</Data>
    <Data Name="ProcessId">0x9000a000d002d</Data>
    <Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data>
  </EventData>
</Event>
Required Server Roles: For an Active Directory object, the ___domain controller role is required. For a SAM object,
there is no required role.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of the account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security Account Manager” value for this event.
Object Type [Type = UnicodeString]: the type or class of the object that was accessed. The following list
contains possible values for this field:
SAM_ALIAS - a local group.
SAM_GROUP - a group that is not a local group.
SAM_USER - a user account.
SAM_DOMAIN - a ___domain. For Active Directory events, this is the typical value.
SAM_SERVER - a computer account.
Object Name [Type = UnicodeString]: the name of the object for which access was requested. Depends on Object Type. The field can have the following formats:
SAM_ALIAS – SID of the group.
SAM_GROUP – SID of the group.
SAM_USER – SID of the account.
SAM_DOMAIN – distinguished name of the accessed object.
SAM_SERVER – distinguished name of the accessed object.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4662: An operation was
performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested the handle. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column).
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.” This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These access rights depend on Object Type. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access rights, use https://technet.microsoft.com/ or other informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access rights, use https://technet.microsoft.com/ or other informational resources.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used
during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event,
and in that case appears as “-”. See full list of user privileges in the table below:
SeAuditPrivilege Generate security audits With this privilege, the user can add
entries to the security log.
SeCreatePagefilePrivilege Create a pagefile With this privilege, the user can create
and change the size of a pagefile.
SeEnableDelegationPrivilege Enable computer and user accounts to Required to mark user and computer
be trusted for delegation accounts as trusted for delegation.
With this privilege, the user can set the
Trusted for Delegation setting on a
user or computer object.
The user or object that is granted this
privilege must have write access to the
account control flags on the user or
computer object. A server process
running on a computer (or under a user
context) that is trusted for delegation
can access resources on another
computer using the delegated
credentials of a client, as long as the
account of the client does not have the
Account cannot be delegated
account control flag set.
SeImpersonatePrivilege Impersonate a client after With this privilege, the user can
authentication impersonate other accounts.
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Required to increase the quota assigned
to a process.
With this privilege, the user can change
the maximum memory that can be
consumed by a process.
SeIncreaseWorkingSetPrivilege Increase a process working set Required to allocate more memory for
applications that run in the context of
users.
SeLoadDriverPrivilege Load and unload device drivers Required to load or unload a device
driver.
With this privilege, the user can
dynamically load and unload device
drivers or other code in to kernel mode.
This user right does not apply to Plug
and Play device drivers.
SeMachineAccountPrivilege Add workstations to ___domain With this privilege, the user can create a
computer account.
This privilege is valid only on ___domain
controllers.
SeRemoteShutdownPrivilege Force shutdown from a remote system Required to shut down a system using a
network request.
PRIVILEGE NAME USER RIGHT GROUP POLICY NAME DESCRIPTION
SeShutdownPrivilege Shut down the system Required to shut down a local system.
SeSyncAgentPrivilege Synchronize directory service data This privilege enables the holder to read
all objects and properties in the
directory, regardless of the protection
on the objects and properties. By
default, it is assigned to the
Administrator and LocalSystem
accounts on ___domain controllers.
With this privilege, the user can
synchronize all directory service data.
This is also known as Active Directory
synchronization.
SeSystemEnvironmentPrivilege Modify firmware environment values Required to modify the nonvolatile RAM
of systems that use this type of
memory to store configuration
information.
SeSystemtimePrivilege Change the system time Required to modify the system time.
With this privilege, the user can change
the time and date on the internal clock
of the computer. Users that are assigned
this user right can affect the appearance
of event logs. If the system time is
changed, events that are logged will
reflect this new time, not the actual time
that the events occurred.
SeTakeOwnershipPrivilege Take ownership of files or other objects Required to take ownership of an object
without being granted discretionary
access. This privilege allows the owner
value to be set only to those values that
the holder may legitimately assign as
the owner of an object.
With this privilege, the user can take
ownership of any securable object in the
system, including Active Directory
objects, files and folders, printers,
registry keys, processes, and threads.
SeTcbPrivilege Act as part of the operating system This privilege identifies its holder as part
of the trusted computer base.
This user right allows a process to
impersonate any user without
authentication. The process can
therefore gain access to the same local
resources as that user.
SeTimeZonePrivilege Change the time zone Required to adjust the time zone
associated with the computer's internal
clock.
Properties [Type = UnicodeString]: depends on Object Type. This field can be empty or contain the list of
the object properties that were accessed. See more detailed information in “4661: A handle to an object was
requested” from Audit SAM subcategory.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Security Monitoring Recommendations
For 4661(S, F): A handle to an object was requested.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can get almost the same information from “4662: An operation was performed on an object.” There are no
additional recommendations for this event in this document.
Audit Directory Service Changes
12/24/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Directory Service Changes determines whether the operating system generates audit events when changes
are made to objects in Active Directory Domain Services (AD DS).
Auditing of directory service objects can provide information about the old and new properties of the objects that
were changed.
Audit events are generated only for objects with configured system access control lists (SACLs), and only when
they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit
events to be generated due to settings on the object class in the schema.
This subcategory only logs events on ___domain controllers.
Event volume: High on ___domain controllers.
This subcategory triggers events when an Active Directory object is modified, created, undeleted, moved, or
deleted.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
5136(S): A directory service object was modified.
5137(S): A directory service object was created.
5138(S): A directory service object was undeleted.
5139(S): A directory service object was moved.
5141(S): A directory service object was deleted.
5136(S): A directory service object was modified.
6/6/2019 • 7 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is modified.
To generate this event, the modified object must have an appropriate entry in its SACL: “Write” action auditing for the specific attributes.
For a change operation you will typically see two 5136 events for one action, with different Operation\Type fields: “Value Deleted” and then “Value Added”. The “Value Deleted” event typically contains the previous value and the “Value Added” event contains the new value.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T17:36:04.129472600Z" />
<EventRecordID>410204</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4020" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{02647639-8626-43CE-AFE6-7AA1AD657739}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=Sergey,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{4FE80A66-5F93-4F73-B215-68678058E613}</Data>
<Data Name="ObjectClass">user</Data>
<Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
<Data Name="AttributeSyntaxOID">2.5.5.9</Data>
<Data Name="AttributeValue">512</Data>
<Data Name="OperationType">%%14675</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify object”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of the Active Directory ___domain where the modified object is
located.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was modified.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID ) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves GUID field to real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using LDP.exe tool:
Base DN: the naming context that contains the object. For the user, computer and group objects reported by this event that is the ___domain naming context, for example DC=contoso,DC=local; the schema partition (CN=Schema,CN=Configuration,DC=XXX,DC=XXX) holds only schema objects and will not return a match for them.
Filter: (&(objectClass=*)(objectGUID=GUID ))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take first 3 sections a6b34ab5-551b-4626.
For each of these 3 sections you need to change (Invert) the order of bytes, like
this b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-
2b36b3ee6672
Delete - : b54ab3a61b552646b8ee2b36b3ee6672
Divide bytes with backslashes:
\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID =
\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was modified. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for ___domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Attribute:
LDAP Display Name [Type = UnicodeString]: the object attribute that was modified.
Note LDAP Display Name is the name used by LDAP clients, such as the ADSI LDAP provider, to read and
write the attribute by using the LDAP protocol.
Syntax (OID) [Type = UnicodeString]: The syntax for an attribute defines the storage representation, byte
ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a
number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax.
The syntaxes are not represented as objects in the schema, but they are programmed to be understood by
Active Directory. The allowable syntaxes in Active Directory are predefined.
Value [Type = UnicodeString]: the value which was added or deleted, depending on the Operation\Type field.
Operation:
Type [Type = UnicodeString]: type of performed operation.
Value Added – new value added.
Value Deleted – value deleted (typically “Value Deleted” is a part of change operation).
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from current subcategory with the same Correlation ID, for example “5137: A directory service object was
created.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Application Correlation ID [Type = UnicodeString]: always has the value “-”. Not in use.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor modifications to specific Active Directory objects, monitor for DN field with specific
object name. For example, we recommend that you monitor all modifications to
“CN=AdminSDHolder,CN=System,DC=___domain,DC=com” object.
If you need to monitor modifications to specific Active Directory classes, monitor for Class field with specific
class name. For example, we recommend that you monitor all modifications to domainDNS class.
If you need to monitor modifications to specific Active Directory attributes, monitor for LDAP Display
Name field with specific attribute name.
It is better to monitor Operation\Type = Value Added events, because they show the new value of the
attribute. You can then correlate to the preceding Operation\Type = Value Deleted event with the same
Correlation ID to see the previous value.
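The correlation and watch-list logic described in the recommendations above, as an added Python example (not code from the original page). The events are constructed 5136 records shaped like the XML sample earlier in this section (same provider namespace and Data names) with the OperationType resource strings replaced by their rendered text; the AdminSDHolder DN and the domainDNS class come from the recommendations, while the attribute watch-list, the account names and the SDDL fragments are assumptions made for the example.

```python
"""Pair 5136 "Value Deleted"/"Value Added" events and flag sensitive changes.

Added example; the sample events below are constructed. Watch-lists: DN and
class are the page's recommendations, the attribute set is an assumption.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

WATCHED_DNS = {"CN=AdminSDHolder,CN=System,DC=contoso,DC=local"}   # from the page
WATCHED_CLASSES = {"domainDNS"}                                     # from the page
WATCHED_ATTRIBUTES = {"userAccountControl", "member", "nTSecurityDescriptor"}  # assumed


def _sample_5136(record_id, corr, dn, obj_class, attr, value, op_type):
    """Build one constructed 5136 event (a subset of the fields a real one carries)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>5136</EventID><EventRecordID>{record_id}</EventRecordID></System>"
        "<EventData>"
        f'<Data Name="OpCorrelationID">{corr}</Data>'
        '<Data Name="SubjectUserName">dadmin</Data>'
        f'<Data Name="ObjectDN">{dn}</Data>'
        f'<Data Name="ObjectClass">{obj_class}</Data>'
        f'<Data Name="AttributeLDAPDisplayName">{attr}</Data>'
        f'<Data Name="AttributeValue">{value}</Data>'
        f'<Data Name="OperationType">{op_type}</Data>'
        "</EventData></Event>"
    )


SERGEY = "CN=Sergey,CN=Users,DC=contoso,DC=local"
DA = "CN=Domain Admins,CN=Users,DC=contoso,DC=local"
ADMINSDHOLDER = "CN=AdminSDHolder,CN=System,DC=contoso,DC=local"
SAMPLE_EVENTS = [  # constructed; one LDAP modify = two events sharing an OpCorrelationID
    _sample_5136(1, "{A1}", SERGEY, "user", "description", "Old text", "Value Deleted"),
    _sample_5136(2, "{A1}", SERGEY, "user", "description", "New text", "Value Added"),
    _sample_5136(3, "{B2}", SERGEY, "user", "userAccountControl", "514", "Value Deleted"),
    _sample_5136(4, "{B2}", SERGEY, "user", "userAccountControl", "512", "Value Added"),
    _sample_5136(5, "{C3}", ADMINSDHOLDER, "container", "nTSecurityDescriptor",
                 "O:DAG:DAD:(A;;GA;;;DA)", "Value Deleted"),
    _sample_5136(6, "{C3}", ADMINSDHOLDER, "container", "nTSecurityDescriptor",
                 "O:DAG:DAD:(A;;GA;;;DA)(A;;GA;;;S-1-5-21-1-2-3-1104)", "Value Added"),
    # adding a member produces only a "Value Added" event: there is no previous value
    _sample_5136(7, "{D4}", DA, "group", "member", SERGEY, "Value Added"),
]


def parse_5136(xml_text):
    """Flatten the EventData of one 5136 event into a dict keyed by Data Name."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventRecordID"] = root.findtext("e:System/e:EventRecordID", namespaces=NS)
    return fields


def correlate(xml_events):
    """Group events per (correlation ID, object, attribute) so each modification is
    reported once with its previous ("Value Deleted") and new ("Value Added") values."""
    groups = defaultdict(lambda: {"old": [], "new": [], "records": []})
    for ev in map(parse_5136, xml_events):
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        g = groups[key]
        g.setdefault("subject", ev["SubjectUserName"])
        g.setdefault("class", ev["ObjectClass"])
        g["records"].append(ev["EventRecordID"])
        if ev["OperationType"] == "Value Deleted":
            g["old"].append(ev["AttributeValue"])
        elif ev["OperationType"] == "Value Added":
            g["new"].append(ev["AttributeValue"])
    return [{"correlation_id": k[0], "dn": k[1], "attribute": k[2], **g}
            for k, g in groups.items()]


def reasons_to_alert(change):
    """Apply the DN, class and attribute watch-lists from the recommendations."""
    reasons = []
    if change["dn"] in WATCHED_DNS:
        reasons.append("watched object")
    if change["class"] in WATCHED_CLASSES:
        reasons.append("watched class")
    if change["attribute"] in WATCHED_ATTRIBUTES:
        reasons.append("watched attribute")
    return reasons


def triage(xml_events):
    """Return only the changes that match a watch-list, with their reasons attached."""
    return [dict(change, reasons=reasons_to_alert(change))
            for change in correlate(xml_events) if reasons_to_alert(change)]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['subject']} changed {alert['attribute']} on {alert['dn']}: "
              f"{alert['old']} -> {alert['new']} ({', '.join(alert['reasons'])})")
```

Grouping on the attribute name as well as the Correlation ID matters because one LDAP modify can touch several attributes and then shares a single Correlation ID across all of them; the description change in the sample is correlated but never alerted, which is the filtering the recommendations ask for.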
5137(S): A directory service object was created.
6/6/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is created.
This event only generates if the parent object has a particular entry in its SACL: the “Create” action, auditing for specific classes or objects. An example is the “Create Computer objects” action auditing for the organizational unit.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5137</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T18:36:26.048167500Z" />
<EventRecordID>410737</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3156" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{4EAD68FF-7229-42A4-8C73-AAB57169858B}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">cn=Win2000,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{41D5F7AF-64A2-4985-9A4B-70DAAFC7CCE6}</Data>
<Data Name="ObjectClass">computer</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create object”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory ___domain, where new object is created.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was created.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID ) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves GUID field to real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using LDP.exe tool:
Base DN: the naming context that contains the object. For the user, computer and group objects reported by this event that is the ___domain naming context, for example DC=contoso,DC=local; the schema partition (CN=Schema,CN=Configuration,DC=XXX,DC=XXX) holds only schema objects and will not return a match for them.
Filter: (&(objectClass=*)(objectGUID=GUID ))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take first 3 sections a6b34ab5-551b-4626.
For each of these 3 sections you need to change (Invert) the order of bytes, like
this b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-
2b36b3ee6672
Delete - : b54ab3a61b552646b8ee2b36b3ee6672
Divide bytes with backslashes:
\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID =
\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was created. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for ___domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from current subcategory with the same Correlation ID, for example “5136: A directory service object was
modified.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Application Correlation ID [Type = UnicodeString]: always has the value “-”. Not in use.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor creation of Active Directory objects with specific classes, monitor for Class field with
specific class name. For example, we recommend that you monitor all new group policy objects creations:
groupPolicyContainer class.
You must set correct system access control lists (SACLs) for specific classes on the Active Directory
containers you care about to get event 5137. There is no reason to audit all creation events for all types of
Active Directory objects; find the most important locations (organizational units, containers, etc.) and
monitor for creation of specific classes only (user, computer, group, etc.).
5138(S): A directory service object was undeleted.
6/6/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5138</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-02T04:34:20.611082300Z" />
<EventRecordID>229336</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="544" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{3E2B5ECF-4C35-4C3F-8D82-B8D6F477D846}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3be49</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="OldObjectDN">CN=Andrei\\0ADEL:53511188-bc98-4995-9d78-2d40143c9711,CN=Deleted
Objects,DC=contoso,DC=local</Data>
<Data Name="NewObjectDN">CN=Andrei,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{53511188-BC98-4995-9D78-2D40143C9711}</Data>
<Data Name="ObjectClass">user</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: name of account that requested that the object be undeleted or
restored.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory ___domain, where the object was undeleted.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
Old DN [Type = UnicodeString]: old distinguished name of the undeleted object. It points to the Deleted
Objects container (where the Active Directory Recycle Bin keeps deleted objects) if the object was restored from there.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
New DN [Type = UnicodeString]: New distinguished name of undeleted object. The Active Directory
container to which the object was restored.
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID ) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves GUID field to real object.
To translate this GUID, use the following procedure:
Perform the following LDAP search using LDP.exe tool:
Base DN: the naming context that contains the object. For the user, computer and group objects reported by this event that is the ___domain naming context, for example DC=contoso,DC=local; the schema partition (CN=Schema,CN=Configuration,DC=XXX,DC=XXX) holds only schema objects and will not return a match for them.
Filter: (&(objectClass=*)(objectGUID=GUID ))
Perform the following operations with the GUID before using it in a search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take first 3 sections a6b34ab5-551b-4626.
For each of these 3 sections you need to change (Invert) the order of bytes, like
this b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-
2b36b3ee6672
Delete - : b54ab3a61b552646b8ee2b36b3ee6672
Divide bytes with backslashes:
\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID =
\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was undeleted. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for ___domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field open Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from current subcategory with the same Correlation ID, for example “5137: A directory service object was
created.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Application Correlation ID [Type = UnicodeString]: always has the value “-”. Not in use.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes,
monitor for Class field with specific class name.
It may be a good idea to monitor all undelete events, because the operation is not performed very often.
Confirm that there is a reason for the object to be undeleted.
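The recommendations for 5137 (audit creation of chosen classes in chosen locations only) and 5138 (look at every undelete) as one added Python example, not code from the original page. Its input is constructed, already-parsed field dictionaries of the kind a SIEM delivers, so no XML handling is repeated here; the DNs are modelled on this section's samples, and the policy of which classes are watched in which containers, the OU names and the GPO GUID are assumptions made for the example.

```python
"""Triage 5137 (object created) and 5138 (object undeleted) records against a
per-class ___location policy. Added example; records and policy are constructed."""

# Classes not listed are ignored. None means every creation of the class is
# reported; otherwise only creations outside the approved parent containers are.
CREATION_POLICY = {
    "groupPolicyContainer": None,
    "computer": ("OU=Workstations,DC=contoso,DC=local", "OU=Servers,DC=contoso,DC=local"),
    "user": ("OU=Staff,DC=contoso,DC=local",),
}
DELETED_OBJECTS = "cn=deleted objects,"


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas. Values may contain '\\,' or the
    '\\0ADEL:' marker that deleted objects carry, so escape pairs are kept intact."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current))
    return parts


def parent_container(dn):
    """DN of the container the object lives in (everything after the first RDN)."""
    return ",".join(split_dn(dn)[1:])


def triage(record):
    """Return an alert dict for a record that matters, or None."""
    if record["EventID"] == 5137:
        cls = record["ObjectClass"]
        if cls not in CREATION_POLICY:
            return None
        allowed = CREATION_POLICY[cls]
        container = parent_container(record["ObjectDN"])
        if allowed is None:
            reason = "creation of watched class"
        elif container.lower() not in [a.lower() for a in allowed]:
            reason = "created outside approved containers"
        else:
            return None
        return {"event": 5137, "reason": reason, "class": cls,
                "dn": record["ObjectDN"], "subject": record["SubjectUserName"]}
    if record["EventID"] == 5138:
        # Every undelete is worth a look; Old DN shows where it came back from.
        return {"event": 5138, "reason": "object undeleted", "class": record["ObjectClass"],
                "dn": record["NewObjectDN"], "subject": record["SubjectUserName"],
                "from_deleted_objects": DELETED_OBJECTS in record["OldObjectDN"].lower()}
    return None


def triage_all(records):
    return [alert for alert in map(triage, records) if alert]


SAMPLE_RECORDS = [  # constructed; DNs modelled on the page's samples
    {"EventID": 5137, "SubjectUserName": "dadmin", "ObjectClass": "computer",
     "ObjectDN": "cn=Win2000,CN=Users,DC=contoso,DC=local"},
    {"EventID": 5137, "SubjectUserName": "dadmin", "ObjectClass": "computer",
     "ObjectDN": "CN=WS-0042,OU=Workstations,DC=contoso,DC=local"},
    {"EventID": 5137, "SubjectUserName": "dadmin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={7B2C0A11-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=contoso,DC=local"},
    {"EventID": 5137, "SubjectUserName": "dadmin", "ObjectClass": "contact",
     "ObjectDN": "CN=Vendor,OU=Staff,DC=contoso,DC=local"},
    {"EventID": 5138, "SubjectUserName": "dadmin", "ObjectClass": "user",
     "OldObjectDN": "CN=Andrei\\0ADEL:53511188-bc98-4995-9d78-2d40143c9711,CN=Deleted Objects,DC=contoso,DC=local",
     "NewObjectDN": "CN=Andrei,CN=Users,DC=contoso,DC=local"},
]

if __name__ == "__main__":
    for alert in triage_all(SAMPLE_RECORDS):
        print(alert)
```

The policy only decides what is reported; the events still have to exist, which means the "Create <class> objects" audit entry must be set in the SACL of each container you list, as the recommendation above says. Splitting the DN on unescaped commas rather than a plain split is what keeps names such as "Smith\, John" and the "\0ADEL:" suffix of deleted objects in one RDN.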
5139(S): A directory service object was moved.
6/6/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is moved.
This event only generates if the destination object has a particular entry in its SACL: the “Create” action, auditing for specific classes or objects. An example is the “Create Computer objects” action, auditing for the organizational unit.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5139</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T06:26:07.019116600Z" />
<EventRecordID>409532</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{67A42C05-A70D-4348-AF19-E883CB1FCA9C}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="OldObjectDN">CN=NewUser,CN=Builtin,DC=contoso,DC=local</Data>
<Data Name="NewObjectDN">CN=NewUser,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{06713960-9CC3-4B5D-A594-35883A04F934}</Data>
<Data Name="ObjectClass">user</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “move object”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory ___domain, where the object was moved.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
Old DN [Type = UnicodeString]: Old distinguished name of moved object.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
New DN [Type = UnicodeString]: New distinguished name of moved object. The Active Directory
container to which the object was moved.
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object.
To translate this GUID manually, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in the search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the dashes: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
Class [Type = UnicodeString]: class of the object that was moved. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for the ___domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field, open the Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from the current subcategory with the same Correlation ID, for example “5137: A directory service object was
created.” and “5141: A directory service object was deleted.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Application Correlation ID [Type = UnicodeString]: always has the “-” value. Not in use.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor movement of Active Directory objects with specific classes, monitor for the Class field
with the specific class name.
You must set correct system access control lists (SACLs) for specific classes within the Active Directory
container to get event 5139. There is no reason to audit all movement events for all types of Active Directory
objects. Instead, find the most important locations (organizational units, folders, etc.) and monitor for
movement of specific classes only (user, computer, group, etc.) to these locations.
5141(S): A directory service object was deleted.
6/6/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Directory Service Changes
Event Description:
This event generates every time an Active Directory object is deleted.
This event only generates if the deleted object has a particular entry in its SACL: the “Delete” action,
auditing for specific objects.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5141</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T18:48:06.792762900Z" />
<EventRecordID>411118</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="OpCorrelationID">{C8A9000C-C618-4EE9-87FF-F852C0564F18}</Data>
<Data Name="AppCorrelationID">-</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x32004</Data>
<Data Name="DSName">contoso.local</Data>
<Data Name="DSType">%%14676</Data>
<Data Name="ObjectDN">CN=WIN2003,CN=Users,DC=contoso,DC=local</Data>
<Data Name="ObjectGUID">{CA15B875-AFB1-4E5A-86B2-96E61DE09110}</Data>
<Data Name="ObjectClass">computer</Data>
<Data Name="TreeDelete">%%14679</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Directory Service:
Name [Type = UnicodeString]: the name of an Active Directory ___domain, where the object was deleted.
Type [Type = UnicodeString]: has “Active Directory Domain Services” value for this event.
Object:
DN [Type = UnicodeString]: distinguished name of the object that was deleted.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
GUID [Type = GUID]: each Active Directory object has a globally unique identifier (GUID), which is a 128-bit
value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object
created by Active Directory. Each object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's
properties that is published in the global catalog. Searching the global catalog for a User object's GUID will
yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by
Object-GUID might be the most reliable way of finding the object you want to find. The values of other
object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it
keeps that value for life.
Event Viewer automatically resolves the GUID field to the real object. For deleted objects, the GUID will be
resolved to the new destination of the object, for example:
OU=My\0ADEL:cc94c0d7-dd53-4061-9791-e53478dbbc3b,CN=Deleted Objects,DC=contoso,DC=local
To translate this GUID manually, use the following procedure:
Perform the following LDAP search using the LDP.exe tool:
Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
Filter: (&(objectClass=*)(objectGUID=GUID))
Perform the following operations with the GUID before using it in the search request:
We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
Take the first 3 sections: a6b34ab5-551b-4626.
For each of these 3 sections, invert the order of the bytes, like this: b54ab3a6-1b55-2646
Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
Delete the dashes: b54ab3a61b552646b8ee2b36b3ee6672
Divide the bytes with backslashes: \b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72
Filter example: (&(objectClass=*)(objectGUID=\b5\4a\b3\a6\1b\55\26\46\b8\ee\2b\36\b3\ee\66\72))
Scope: Subtree
Attributes: objectGUID
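The GUID translation above (this procedure, and the identical one given for event 5139) as an added Python example that is not part of the original documentation: the manual byte-swapping steps are coded literally and checked against the uuid module's bytes_le layout, and the reverse conversion is included for reading an objectGUID value back out of a search result. The sample GUID is the page's own; the 5141 event's ObjectGUID is reused as a second input.

```python
"""Translate an objectGUID between its display form and the byte-escaped
form that an LDAP search filter expects (the manual procedure above)."""
import uuid

# Sample inputs: the GUID the page walks through and the ObjectGUID from
# the 5141 event XML above (braces included, as Event Viewer shows it).
SAMPLE_GUID = "a6b34ab5-551b-4626-b8ee-2b36b3ee6672"
EVENT_GUID = "{CA15B875-AFB1-4E5A-86B2-96E61DE09110}"


def guid_to_ldap_bytes_manual(guid_text: str) -> str:
    """Follow the page's steps literally: invert the byte order of the first
    three dash-separated sections, keep the last two unchanged, drop the
    dashes, then prefix every byte with a backslash."""
    parts = guid_text.strip("{}").lower().split("-")
    if len(parts) != 5:
        raise ValueError(f"not a GUID: {guid_text!r}")
    swapped = []
    for section in parts[:3]:
        pairs = [section[i:i + 2] for i in range(0, len(section), 2)]
        swapped.append("".join(reversed(pairs)))
    hex_bytes = "".join(swapped + parts[3:])  # 32 hex digits, no dashes
    if len(hex_bytes) != 32:
        raise ValueError(f"not a GUID: {guid_text!r}")
    return "".join(f"\\{hex_bytes[i:i + 2]}" for i in range(0, 32, 2))


def guid_to_ldap_bytes(guid_text: str) -> str:
    """Same result via the uuid module: bytes_le is the mixed-endian layout
    (first three fields little-endian) that objectGUID is stored in."""
    g = uuid.UUID(guid_text.strip("{}"))
    return "".join(f"\\{b:02x}" for b in g.bytes_le)


def ldap_bytes_to_guid(escaped: str) -> str:
    """Reverse direction: turn a backslash-escaped objectGUID back into the
    dashed display form."""
    raw = bytes.fromhex(escaped.replace("\\", ""))
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def build_filter(guid_text: str, object_class: str = "*") -> str:
    """Assemble the filter string the page shows for the LDP.exe search."""
    return f"(&(objectClass={object_class})(objectGUID={guid_to_ldap_bytes(guid_text)}))"


if __name__ == "__main__":
    print(build_filter(SAMPLE_GUID))
    print(build_filter(EVENT_GUID, "computer"))
    print(ldap_bytes_to_guid(guid_to_ldap_bytes(EVENT_GUID)))
```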
Class [Type = UnicodeString]: class of the object that was deleted. Some of the common Active Directory
object classes:
container – for containers.
user – for users.
group – for groups.
domainDNS – for the ___domain object.
groupPolicyContainer – for group policy objects.
For all possible values of this field, open the Active Directory Schema snap-in (see how to enable this
snap-in: https://technet.microsoft.com/library/Cc755885(v=WS.10).aspx) and navigate to Active
Directory Schema\Classes. Or use this document:
https://msdn.microsoft.com/library/cc221630.aspx
Operation:
Tree Delete [Type = UnicodeString]:
Yes – a “Delete Subtree” operation was performed. This happens, for example, if the “Use Delete Subtree
server control” check box was checked during the delete operation in the Active Directory Users and
Computers management console.
No – the delete operation was performed without the “Delete Subtree” server control.
Correlation ID [Type = GUID]: multiple modifications are often executed as one operation via LDAP. This
value allows you to correlate all the modification events that comprise the operation. Just look for other events
from the current subcategory with the same Correlation ID, for example “5137: A directory service object was
created.” and “5139: A directory service object was moved.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Application Correlation ID [Type = UnicodeString]: always has the “-” value. Not in use.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor deletion of Active Directory objects with specific classes, monitor for the Class field with
the specific class name. For example, we recommend that you monitor for deletion of group policy objects
(groupPolicyContainer class).
If you need to monitor deletion of specific Active Directory objects, monitor for DN field with specific object
name. For example, if you have critical Active Directory objects which should not be deleted, monitor for
their deletion.
Audit Directory Service Replication
12/18/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Directory Service Replication determines whether the operating system generates audit events when
replication between two ___domain controllers begins and ends.
Event volume: Medium on ___domain controllers.
Recommendation table columns: Computer Type, General Success, General Failure, Stronger Success,
Stronger Failure, Comments.
Events List:
4932(S): Synchronization of a replica of an Active Directory naming context has begun.
4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
4932(S): Synchronization of a replica of an Active Directory naming context has begun.
6/6/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4932</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14082</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-02T02:06:03.814642100Z" />
<EventRecordID>413689</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="276" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="Options">2147483733</Data>
<Data Name="SessionID">48</Data>
<Data Name="StartUSN">20869</Data>
</EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between ___domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out those partners that are
relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners
of a ___domain controller when the ___domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Note Active Directory replication does not depend on time to determine what changes need to be
propagated. It relies instead on the use of update sequence numbers (USNs) that are assigned by a counter
that is local to each ___domain controller. Because these USN counters are local, it is easy to ensure that they are
reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare
a USN assigned on one ___domain controller to a USN assigned on a different ___domain controller. The replication
system is designed with this restriction in mind.
4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4933</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14082</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-01T20:58:28.854735700Z" />
<EventRecordID>413644</EventRecordID>
<Correlation />
<Execution ProcessID="524" ThreadID="2288" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="DestinationDRA">CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="SourceDRA">CN=NTDS Settings,CN=WIN2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="NamingContext">CN=Schema,CN=Configuration,DC=contoso,DC=local</Data>
<Data Name="Options">2147483733</Data>
<Data Name="SessionID">40</Data>
<Data Name="EndUSN">20869</Data>
<Data Name="StatusCode">1722</Data>
</EventData>
</Event>
Note The Directory Replication Agent (DRA) handles replication between ___domain controllers. The
Directory Replication Agent uses the connection objects in the topology map to find out those partners that
are relevant when replicating changes to directory partitions. The DRA sends a replication request to the
partners of a ___domain controller when the ___domain controller needs to update its copy of Active Directory.
Source DRA [Type = UnicodeString]: source directory replication agent distinguished name.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Note Active Directory replication does not depend on time to determine what changes need to be
propagated. It relies instead on the use of update sequence numbers (USNs) that are assigned by a counter
that is local to each ___domain controller. Because these USN counters are local, it is easy to ensure that they are
reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare
a USN assigned on one ___domain controller to a USN assigned on a different ___domain controller. The replication
system is designed with this restriction in mind.
Status Code [Type = UInt32]: if there are no issues or errors, the status code will be “0”. If an error occurred,
you will receive a Failure event and the Status Code will not be equal to “0”. You can check the meaning of the
error code here: https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx
Audit Account Lockout
Applies to
Windows 10
Windows Server 2016
Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an
account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer
because the account is locked out.
Account lockout events are essential for understanding user activity and detecting potential attacks.
Event volume: Low.
This subcategory generates events for failed logon attempts made when the account was already locked out.
Recommendation table columns: Computer Type, General Success, General Failure, Stronger Success,
Stronger Failure, Comments.
Events List:
4625(F): An account failed to log on.
4625(F): An account failed to log on.
6/6/2019 • 13 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Account Lockout and Audit Logon
Event Description:
This event generates if an account logon attempt failed when the account was already locked out. It also
generates for a logon attempt after which the account was locked out.
It generates on the computer where the logon attempt was made; for example, if the logon attempt was made
on the user’s workstation, then the event will be logged on that workstation.
This event generates on ___domain controllers, member servers, and workstations.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about logon
failure.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon Type [Type = UInt32]: the type of logon which was performed. “Table 11. Windows Logon Types” contains
the list of possible values for this field.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that was specified in the logon attempt.
Account Domain [Type = UnicodeString]: ___domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Failure Information:
Failure Reason [Type = UnicodeString]: textual explanation of Status field value. For this event it typically
has “Account locked out” value.
Status [Type = HexInt32]: the reason why logon failed. For this event it typically has “0xC0000234” value.
The most common status codes are listed in “Table 12. Windows logon status codes.”
0xC00000DC – Indicates the Sam Server was in the wrong state to perform the desired operation.
0xC0000133 – Clocks between DC and other computer too far out of sync.
0xC000015B – The user has not been granted the requested logon type (aka logon right) at this machine.
0xC0000192 – An attempt was made to logon, but the Netlogon service was not started.
0xC0000413 – Logon Failure: The machine you are logging onto is protected by an authentication firewall.
The specified account is not allowed to authenticate to the machine.
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Caller Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the logon
attempt. See event “4611: A trusted logon process has been registered with the Local Security Authority”
description for more information.
Authentication Package [Type = UnicodeString]: The name of the authentication package which was used
for the logon authentication process. Default packages loaded on LSA startup are located in the
“HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at
runtime. When a new package is loaded, a “4610: An authentication package has been loaded by the Local
Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security
Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded, along with
the package name. The most common authentication packages are:
NTLM – NTLM-family authentication.
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between the Kerberos and NTLM protocols.
Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the
authentication or the calling application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transmitted services. Transmitted
services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a
Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service
ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on
behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN Manager sub-package
(NTLM-family protocol name) that was used during the logon attempt. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM”.
Key Length [Type = UInt32]: the length of NTLM Session Security key. Typically it has 128 bit or 56 bit
length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable
for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using Negotiate
authentication package.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If Subject\Account Name is a name of service account or user account, it may be useful to investigate
whether that account is allowed (or expected) to request logon for Account For Which Logon
Failed\Security ID.
To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon Type
4-Batch or 5-Service is used by a member of a ___domain administrative group), monitor Logon Type in this
event.
If you have a high-value ___domain or local account for which you need to monitor every lockout, monitor all
4625 events with the “Subject\Security ID” that corresponds to the account.
We recommend monitoring all 4625 events for local accounts, because these accounts typically should not
be locked out. This is especially relevant for critical servers, administrative workstations, and other high value
assets.
We recommend monitoring all 4625 events for service accounts, because these accounts should not be
locked out or prevented from functioning. This is especially relevant for critical servers, administrative
workstations, and other high value assets.
If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
If the “Account For Which Logon Failed \Security ID” should never be used to log on from the
specific Network Information\Workstation Name.
If a specific account, such as a service account, should only be used from your internal IP address list
(or some other list of IP addresses). In this case, you can monitor for Network Information\Source
Network Address and compare the network address with your list of IP addresses.
If a particular version of NTLM is always used in your organization. In this case, you can use this
event to monitor Package Name (NTLM only), for example, to find events where Package Name
(NTLM only) does not equal NTLM V2.
If NTLM is not used in your organization, or should not be used by a specific account (New
Logon\Security ID). In this case, monitor for all events where Authentication Package is NTLM.
If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128,
because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
If Logon Process is not from a trusted logon processes list.
Monitor for all events with the fields and values in the following table:
Field: Failure Information\Status or Failure Information\Sub Status – Value: 0xC000015B – “The user has not
been granted the requested logon type (aka logon right) at this machine”.
Field: Failure Information\Status or Failure Information\Sub Status – Value: 0xC0000192 – “An attempt was
made to logon, but the Netlogon service was not started”. This is typically not a security issue but it can be an
infrastructure or availability issue.
Field: Failure Information\Status or Failure Information\Sub Status – Value: 0xC0000413 – “Logon Failure:
The machine you are logging onto is protected by an authentication firewall. The specified account is not
allowed to authenticate to the machine”.
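The recommendations above turned into a review routine, as an added Python example that is not part of the original documentation: it parses 4625 event XML, then applies the Process Name, Status/Sub Status, NTLM package and Key Length checks exactly as the text lists them. The first record is the page's own event (EventData trimmed to the fields used); the second record and its values (account svc_backup, NTLM V1, key length 56, Status 0xC000015B) are constructed, and the folder and word baselines are the text's own examples.

```python
"""Review 4625 records against the monitoring recommendations above."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Status / Sub Status values the text says to monitor, with its wording.
FLAGGED_STATUS = {
    0xC000015B: "user has not been granted the requested logon type at this machine",
    0xC0000192: "Netlogon service was not started (infrastructure/availability issue)",
    0xC0000413: "machine is protected by an authentication firewall",
}
# Baselines taken from the text's examples: allowed locations, a restricted
# folder and restricted words. Replace with your own environment's lists.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
RESTRICTED_WORDS = ("mimikatz", "cain.exe")

# Record 1 is the event from the page (EventData trimmed to the fields used).
PAGE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Channel>Security</Channel></System>
<EventData>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
</EventData></Event>"""

# Record 2 is constructed: an NTLMv1 network logon refused the logon right.
CONSTRUCTED_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Channel>Security</Channel></System>
<EventData>
<Data Name="TargetUserName">svc_backup</Data>
<Data Name="Status">0xc000015b</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="LmPackageName">NTLM V1</Data>
<Data Name="KeyLength">56</Data>
<Data Name="ProcessName">-</Data>
</EventData></Event>"""


def parse_4625(xml_text: str) -> dict:
    """Return the EventData fields of a 4625 record as {Name: value}."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4625":
        raise ValueError(f"expected EventID 4625, got {event_id}")
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}


def review_4625(fields: dict) -> list:
    """Apply the page's checks to one record; each finding is a reason string."""
    findings = []
    # Caller Process Name checks. "-" means no process was reported (network logons).
    # Doubled backslashes, as in the page's XML sample, are collapsed first.
    proc = fields.get("ProcessName", "-").replace("\\\\", "\\").lower()
    if proc not in ("", "-"):
        if not proc.startswith(STANDARD_FOLDERS):
            findings.append(f"process outside standard folders: {proc}")
        if any(folder in proc for folder in RESTRICTED_FOLDERS):
            findings.append(f"process in restricted folder: {proc}")
        if any(word in proc for word in RESTRICTED_WORDS):
            findings.append(f"restricted word in process name: {proc}")
    # Status and Sub Status codes from the table above.
    for name in ("Status", "SubStatus"):
        code = int(fields.get(name, "0x0"), 16)
        if code in FLAGGED_STATUS:
            findings.append(f"{name} 0x{code:08X}: {FLAGGED_STATUS[code]}")
    # NTLM-only checks: sub-package version and session key length.
    if fields.get("AuthenticationPackageName") == "NTLM":
        package = fields.get("LmPackageName", "-")
        if package != "NTLM V2":
            findings.append(f"NTLM package is {package}, not NTLM V2")
        if fields.get("KeyLength") != "128":
            findings.append(f"NTLM key length {fields.get('KeyLength')} is not 128")
    return findings


def review_xml(xml_text: str) -> list:
    """Convenience wrapper: parse a record and review it in one call."""
    return review_4625(parse_4625(xml_text))


if __name__ == "__main__":
    for record in (PAGE_EVENT, CONSTRUCTED_EVENT):
        fields = parse_4625(record)
        print(fields["TargetUserName"], review_4625(fields) or ["no findings"])
```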
Audit User/Device Claims
12/18/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token.
Events in this subcategory are generated on the computer on which a logon session is created. For an interactive
logon, the security audit event is generated on the computer that the user logged on to.
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the
computer hosting the resource.
Important: Audit Logon subcategory must also be enabled in order to get events from this subcategory.
Event volume:
Low on a client computer.
Medium on a ___domain controller or network servers.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
4626(S): User/Device claims information.
4626(S): User/Device claims information.
6/6/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit User/Device Claims
Event Description:
This event generates for new account logons and contains user/device claims which were associated with a new logon session.
This event does not generate if the user/device doesn’t have claims.
For computer account logons you will also see device claims listed in the “User Claims” field.
You will typically get “4624: An account was successfully logged on” and after it a 4626 event with the same information in Subject, Logon Type and New Logon sections.
This event generates on the computer to which the logon was performed (target computer). For example, for Interactive logons it will be the same computer.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4626</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12553</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T00:12:02.243396300Z" />
<EventRecordID>232648</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x136f7b</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="UserClaims">ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" ad://ext/Department:88d16a8edaa8c66b <%%1818> : "IT"</Data>
<Data Name="DeviceClaims">-</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about claims.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon Type [Type = UInt32]: the type of logon which was performed. The table below contains the list of possible
values for this field:
New Logon:
Security ID [Type = SID]: SID of account for which logon was performed. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Event in sequence [Type = UInt32]: If there is not enough space in one event to put all claims, you will see “1
of N” in this field and additional events will be generated. Typically this field has the value “1 of 1”.
User Claims [Type = UnicodeString]: list of user claims for the new logon session. This field contains user claims if
a user account was logged in and device claims if a computer account was logged in. Here is an example of how to parse
an entry in this field:
ad://ext/cn:88d2b96fdb2b4c49 <String> : “dadmin”
cn – claim display name.
88d2b96fdb2b4c49 – unique claim ID.
<String> - claim type.
“dadmin” – claim value.
Device Claims [Type = UnicodeString]: list of device claims for new logon session. For user accounts this field
typically has “-“ value. For computer accounts this field has device claims listed.
Applies to
Windows 10
Windows Server 2016
Audit Group Membership enables you to audit group memberships when they are enumerated on the client
computer.
This policy allows you to audit the group membership information in the user's logon token. Events in this
subcategory are generated on the computer on which a logon session is created.
For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a
network logon, such as accessing a shared folder on the network, the security audit event is generated on the
computer hosting the resource.
You must also enable the Audit Logon subcategory.
Multiple events are generated if the group membership information cannot fit in a single security audit event.
Event volume:
Low on a client computer.
Medium on a ___domain controller or network servers.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
4627(S): Group membership information.
4627(S): Group membership information.
5/31/2019 • 5 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Group Membership
Event Description:
This event generates with “4624(S): An account was successfully logged on” and shows the list of groups that the
logged-on account belongs to.
You must also enable the Success audit for Audit Logon subcategory to get this event.
Multiple events are generated if the group membership information cannot fit in a single security audit event.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4627</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12554</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T03:51:25.843673000Z" />
<EventRecordID>3081</EventRecordID>
<Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" />
<Execution ProcessID="736" ThreadID="808" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x569860</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="GroupMembership">%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1377283216-344919071-3415362939-512} %{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288}</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about the
successful logon, or that invoked it.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Logon Type [Type = UInt32]: the type of logon which was performed. The table below contains the list of possible
values for this field:
New Logon:
Security ID [Type = SID]: SID of account for which logon was performed. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Event in sequence [Type = UInt32]: If there is not enough space in one event to put all groups, you will see “1
of N” in this field and additional events will be generated. Typically this field has the value “1 of 1”.
Group Membership [Type = UnicodeString]: the list of group SIDs that the logged-on account belongs to (is a member of).
Event Viewer automatically tries to resolve the SIDs and show the corresponding names. If a SID cannot be resolved, you
will see the source data in the event.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this action is reported by the NULL SID account, so we recommend reporting all events with
“Subject\Security ID” not equal “NULL SID”.
If you need to track that a member of a specific group logged on to a computer, check the “Group
Membership” field.
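The claim entry format described under User Claims (4626) and the %{SID} list in Group Membership (4627), including the “1 of N” multi-part case and the two recommendations above, worked through as an added Python example that is not part of the Microsoft documentation. The well-known SID labels are documented Windows values; the two-part 4627 sample is constructed from the SIDs in the page's own event.

```python
"""Added example, not code from the Microsoft documentation: parse the User Claims
field of 4626 and the Group Membership field of 4627, merge the "1 of N" parts of a
multi-part 4627, and flag logons carrying watched group SIDs. Standard library only."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known SIDs and ___domain-relative RIDs (documented Windows values).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-2": "NETWORK", "S-1-5-11": "Authenticated Users",
    "S-1-5-15": "This Organization", "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users", "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-64-10": "NTLM Authentication", "S-1-16-12288": "High Mandatory Level",
}
DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users", "519": "Enterprise Admins"}

# One claim entry: ad://ext/cn:88d2b96fdb2b4c49 <String> : "dadmin"
# Raw XML carries the type as a resource id such as <%%1818>; Event Viewer renders it as <String>.
CLAIM_RE = re.compile(
    r'ad://ext/(?P<name>[^:\s]+):(?P<id>[0-9a-fA-F]+)\s*<(?P<type>[^>]+)>\s*:\s*"(?P<value>[^"]*)"')
SID_RE = re.compile(r"%\{([^}]+)\}")


def parse_user_claims(field):
    """Return [(display name, claim id, type, value), ...]; '-' means no claims."""
    if field.strip() in ("", "-"):
        return []
    return [(m["name"], m["id"], m["type"].replace("%%1818", "String"), m["value"])
            for m in CLAIM_RE.finditer(field)]


def parse_group_membership(field):
    """Return the SIDs listed as %{SID} in a Group Membership field."""
    return SID_RE.findall(field)


def sid_name(sid):
    """Label a SID: well-known table, then ___domain RID, else the SID itself."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if sid.startswith("S-1-5-21-"):
        return DOMAIN_RIDS.get(sid.rsplit("-", 1)[1], sid)
    return sid


def event_data(xml_text):
    """Flatten one event into {Name: text} plus its EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.find("e:System/e:EventID", NS).text
    return fields


def merge_4627(events):
    """Group 4627 parts by Logon ID; 'seen' < 'total' means parts are still missing."""
    sessions = defaultdict(lambda: {"total": 0, "seen": 0, "sids": []})
    for f in events:
        if f.get("EventID") != "4627":
            continue
        s = sessions[f["TargetLogonId"]]
        s["user"] = f"{f['TargetDomainName']}\\{f['TargetUserName']}"
        s["subject_sid"] = f.get("SubjectUserSid", "")
        s["total"] = int(f["EventCountTotal"])   # the N in "EventIdx of N"
        s["seen"] += 1
        s["sids"].extend(parse_group_membership(f["GroupMembership"]))
    return dict(sessions)


def review_4627(events, watch_sids=("S-1-5-32-544",), watch_rids=("512", "519")):
    """Per complete logon: watched-group hits, and a Subject SID that is not NULL SID."""
    findings = []
    for logon_id, s in merge_4627(events).items():
        if s["seen"] < s["total"]:
            continue  # judge only once every "1 of N" part has arrived
        hits = [sid_name(x) for x in s["sids"]
                if x in watch_sids or (x.startswith("S-1-5-21-") and x.rsplit("-", 1)[1] in watch_rids)]
        if hits:
            findings.append((logon_id, s["user"], "watched-group", hits))
        if s["subject_sid"] not in ("", "S-1-0-0"):
            findings.append((logon_id, s["user"], "subject-not-null-sid", [s["subject_sid"]]))
    return findings


def _evt(idx, total, membership):
    """Constructed 4627 part (minimal schema, SIDs taken from the page's sample)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4627</EventID></System><EventData>'
            '<Data Name="SubjectUserSid">S-1-0-0</Data><Data Name="TargetUserName">dadmin</Data>'
            '<Data Name="TargetDomainName">CONTOSO</Data><Data Name="TargetLogonId">0x569860</Data>'
            f'<Data Name="EventIdx">{idx}</Data><Data Name="EventCountTotal">{total}</Data>'
            f'<Data Name="GroupMembership">{membership}</Data></EventData></Event>')


# Constructed samples: the page's membership list split into "1 of 2" and "2 of 2" parts.
SAMPLE_4627 = [
    event_data(_evt(1, 2, "%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} %{S-1-5-32-544}")),
    event_data(_evt(2, 2, "%{S-1-5-21-1377283216-344919071-3415362939-512} %{S-1-16-12288}")),
]
SAMPLE_CLAIMS = 'ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" ad://ext/Department:88d16a8edaa8c66b <%%1818> : "IT"'
```

Feeding only the first part to review_4627 returns nothing, because the logon is judged only once all N parts have been seen.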
Audit IPsec Extended Mode
12/30/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and
Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used
for IPsec Extended Mode troubleshooting.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations.
Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations.
4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem
persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
4979(S): IPsec Main Mode and Extended Mode security associations were established.
4980(S): IPsec Main Mode and Extended Mode security associations were established.
4981(S): IPsec Main Mode and Extended Mode security associations were established.
4982(S): IPsec Main Mode and Extended Mode security associations were established.
4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association
has been deleted.
4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association
has been deleted.
Audit IPsec Main Mode
12/23/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and
Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for
IPsec Main Mode troubleshooting.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations.
Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations.
Applies to
Windows 10
Windows Server 2016
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and
Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for
IPsec Quick Mode troubleshooting.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations.
Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations.
4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem
persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
5451(S): An IPsec Quick Mode security association was established.
5452(S): An IPsec Quick Mode security association ended.
Audit Logoff
1/2/2020 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Logoff determines whether the operating system generates audit events when logon sessions are
terminated.
These events occur on the computer that was accessed. In the case of an interactive logon, these events are
generated on the computer that was logged on to.
There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down)
do not generate an audit record.
Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not
100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this
case, a logoff event is not generated.
Event volume: High.
This subcategory allows you to audit events generated by the closing of a logon session. These events occur on
the computer that was accessed. For an interactive logoff the security audit event is generated on the computer
that the user account logged on to.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
4634(S): An account was logged off.
4647(S): User initiated logoff.
4634(S): An account was logged off.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logoff
Event Description:
This event shows that a logon session was terminated and no longer exists.
The main difference between “4647: User initiated logoff.” and the 4634 event is that 4647 is generated when the logoff procedure was initiated by a specific account using the logoff function, and 4634 shows that the session was terminated and no longer exists.
4647 is more typical for Interactive and RemoteInteractive logon types when the user was logged off using standard methods. You will typically see both 4647 and 4634 events when the logoff procedure was initiated by the user.
It may be positively correlated with a “4624: An account was successfully logged on.” event using the Logon ID
value. Logon IDs are only unique between reboots on the same computer.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T02:27:57.877205900Z" />
<EventRecordID>230019</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="832" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-90-1</Data>
<Data Name="TargetUserName">DWM-1</Data>
<Data Name="TargetDomainName">Window Manager</Data>
<Data Name="TargetLogonId">0x1a0992</Data>
<Data Name="LogonType">2</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that was logged off.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon Type [Type = UInt32]: the type of logon which was used. The table below contains the list of possible
values for this field:
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If a particular Logon Type should not be used by a particular account (for example if Logon Type 4-Batch or
5-Service is used by a member of a ___domain administrative group), monitor this event for such actions.
4647(S): User initiated logoff.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logoff
Event Description:
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
The main difference from the “4634(S): An account was logged off.” event is that 4647 is generated when the logoff procedure was initiated by a specific account using the logoff function, and 4634 shows that the session was terminated and no longer exists.
4647 is more typical for Interactive and RemoteInteractive logon types when the user was logged off using standard methods. You will typically see both 4647 and 4634 events when the logoff procedure was initiated by the user.
It may be positively correlated with a “4624: An account was successfully logged on.” event using the Logon ID
value. Logon IDs are only unique between reboots on the same computer.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4647</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T03:08:39.126890800Z" />
<EventRecordID>230200</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3864" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x29b379</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “logoff” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Audit Logon
1/6/2020 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit Logon determines whether the operating system generates audit events when a user attempts to log on
to a computer.
These events are related to the creation of logon sessions and occur on the computer that was accessed. For an
interactive logon, events are generated on the computer that was logged on to. For a network logon, such as
accessing a share, events are generated on the computer that hosts the resource that was accessed.
The following events are recorded:
Logon success and failure.
Logon attempts by using explicit credentials. This event is generated when a process attempts to log on
an account by explicitly specifying that account's credentials. This most commonly occurs in batch
configurations such as scheduled tasks, or when using the RunAs command.
Security identifiers (SIDs) are filtered.
Logon events are essential to tracking user activity and detecting potential attacks.
Event volume:
Low on a client computer.
Medium on ___domain controllers or network servers.
Events List:
4624(S): An account was successfully logged on.
4625(F): An account failed to log on.
4648(S): A logon was attempted using explicit credentials.
4675(S): SIDs were filtered.
4624(S): An account was successfully logged on.
9/24/2019 • 14 minutes to read
Applies to
Windows 10
Windows Server 2016
Event XML:
<?xml version="1.0"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z"/>
<EventRecordID>211</EventRecordID>
<Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}"/>
<Execution ProcessID="716" ThreadID="760"/>
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO</Computer>
<Security/>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
<Data Name="TargetLogonId">0x8dcdc</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">WIN-GG82ULGC9GO</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x44c</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
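As an added example (not code from the Microsoft documentation), the 4624/4625 monitoring rules listed earlier on this page (source address, trusted logon process, NTLM version and key length, failure Status / Sub Status) applied to events in the XML schema shown above. The policy (allowed networks, trusted logon process names, the account CONTOSO\dadmin being barred from NTLM) and the three sample events are constructed assumptions.

```python
"""Added example, not code from the Microsoft documentation: apply the monitoring
rules given for 4624/4625 (source address, trusted logon process, NTLM version and
key length, failure Status / Sub Status) to Security event XML. Policy values, the
account name and the sample events below are constructed assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hypothetical site policy; replace with your own address ranges and account list.
POLICY = {
    "allowed_networks": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.1/32")],
    "trusted_logon_processes": {"User32", "Advapi", "Kerberos", "NtLmSsp", "Negotiate", "Winlogon", "Seclogo"},
    "ntlm_allowed": True,                             # set False if NTLM is not used at all
    "ntlm_forbidden_accounts": {"CONTOSO\\dadmin"},   # accounts that must never authenticate with NTLM
}

# Failure codes from the 4625 recommendation table on this page (Status or Sub Status).
FAILURE_STATUS = {
    "0xc000015b": "The user has not been granted the requested logon type (logon right) at this machine",
    "0xc0000192": "Netlogon service was not started; usually an availability issue, not a security one",
    "0xc0000413": "Machine is protected by an authentication firewall; account not allowed to authenticate",
}


def parse_event(xml_text):
    """Flatten one Security event into {Name: text} plus its EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.find("e:System/e:EventID", NS).text
    return fields


def source_ip(value):
    """Normalise Source Network Address: '-' -> None, ::ffff:a.b.c.d -> IPv4, ::1 -> 127.0.0.1."""
    if value in ("", "-"):
        return None
    ip = ipaddress.ip_address(value)          # raises ValueError on a non-address value
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        elif ip.is_loopback:
            ip = ipaddress.IPv4Address("127.0.0.1")
    return ip


def check_4624(f, policy=POLICY):
    """Return the names of the recommendation rules this successful logon violates."""
    hits = []
    account = f"{f['TargetDomainName']}\\{f['TargetUserName']}"
    ip = source_ip(f.get("IpAddress", "-"))
    if ip is not None and not any(ip in net for net in policy["allowed_networks"]):
        hits.append(f"source-address-not-allowed:{ip}")
    if f.get("LogonProcessName") not in policy["trusted_logon_processes"]:
        hits.append(f"untrusted-logon-process:{f.get('LogonProcessName')}")
    if f.get("AuthenticationPackageName") == "NTLM":
        if not policy["ntlm_allowed"] or account in policy["ntlm_forbidden_accounts"]:
            hits.append(f"ntlm-not-permitted:{account}")
        if f.get("LmPackageName") != "NTLM V2":          # Package Name (NTLM only)
            hits.append(f"ntlm-version:{f.get('LmPackageName')}")
        if f.get("KeyLength") != "128":                   # every OS since Windows 2000 supports 128
            hits.append(f"ntlm-key-length:{f.get('KeyLength')}")
    return hits


def check_4625(f):
    """Map a failed logon's Status / Sub Status (XML names Status, SubStatus) to the table text."""
    for name in ("SubStatus", "Status"):               # Sub Status is the more specific code
        code = f.get(name, "").lower()
        if code in FAILURE_STATUS:
            return code, FAILURE_STATUS[code]
    return None


def _event(event_id, **data):
    """Build a minimal event in the page's XML schema (constructed sample)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


# Constructed samples: the first mirrors the page's interactive Negotiate logon from localhost,
# the second is an NTLM v1 network logon from outside the allowed ranges, the third a 4625.
SAMPLE_OK = parse_event(_event(4624, TargetUserName="Administrator", TargetDomainName="WIN-GG82ULGC9GO",
                               LogonType="2", LogonProcessName="User32", AuthenticationPackageName="Negotiate",
                               LmPackageName="-", KeyLength="0", IpAddress="127.0.0.1"))
SAMPLE_NTLM = parse_event(_event(4624, TargetUserName="dadmin", TargetDomainName="CONTOSO",
                                 LogonType="3", LogonProcessName="NtLmSsp", AuthenticationPackageName="NTLM",
                                 LmPackageName="NTLM V1", KeyLength="56", IpAddress="::ffff:203.0.113.7"))
SAMPLE_FAIL = parse_event(_event(4625, TargetUserName="svc-backup", TargetDomainName="CONTOSO",
                                 Status="0xc000015b", SubStatus="0x0"))
```

check_4624(SAMPLE_NTLM) reports four rule hits (foreign source address, NTLM not permitted for that account, NTLM V1, 56-bit key), while the page's own interactive logon passes cleanly.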
Account Name [Type = UnicodeString]: the name of the account for which
logon was performed.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer
name. Formats vary, and include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or
ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer
or device that this account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate
this event with recent events that might contain the same Logon ID, for
example, “4672(S): Special privileges assigned to new logon.”
Linked Logon ID [Version 2] [Type = HexInt64]: A hexadecimal value of the
paired logon session. If there is no other logon session associated with this
logon session, then the value is “0x0”.
Network Account Name [Version 2] [Type = UnicodeString]: User name that
will be used for outbound (network) connections. Valid only for
NewCredentials logon type.
If not NewCredentials logon, then this will be a "-" string.
Network Account Domain [Version 2] [Type = UnicodeString]: Domain for
the user that will be used for outbound (network) connections. Valid only for
NewCredentials logon type.
If not NewCredentials logon, then this will be a "-" string.
Logon GUID [Type = GUID]: a GUID that can help you correlate this event
with another event that can contain the same Logon GUID, “4769(S, F): A
Kerberos service ticket was requested” event on a ___domain controller.
It also can be used for correlation between a 4624 event and several other
events (on the same computer) that can contain the same Logon GUID,
“4648(S): A logon was attempted using explicit credentials” and “4964(S):
Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as
“{00000000-0000-0000-0000-000000000000}”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that
attempted the logon. Process ID (PID) is a number used by the operating
system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the
values in Task Manager.
You can also correlate this process ID with a process ID in other events, for
example, “4688: A new process has been created” Process Information\New
Process ID.
Process Name [Type = UnicodeString]: full path and the name of the
executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon
attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine
from which logon attempt was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for logon
attempt from remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process
that was used for the logon. See event “4611: A trusted logon process has been
registered with the Local Security Authority” description for more information.
Authentication Package [Type = UnicodeString]: The name of the
authentication package which was used for the logon authentication process.
Default packages loaded on LSA startup are located in
“HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key.
Other packages can be loaded at runtime. When a new package is loaded a
“4610: An authentication package has been loaded by the Local Security
Authority” (typically for NTLM) or “4622: A security package has been loaded
by the Local Security Authority” (typically for Kerberos) event is logged to
indicate that a new package has been loaded along with the package name. The
most common authentication packages are:
NTLM – NTLM-family Authentication
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between Kerberos
and NTLM protocols. Negotiate selects Kerberos unless it cannot be
used by one of the systems involved in the authentication or the calling
application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of
transmitted services. Transmitted services are populated if the logon was a
result of a S4U (Service For User) logon process. S4U is a Microsoft extension
to the Kerberos Protocol to allow an application service to obtain a Kerberos
service ticket on behalf of a user – most commonly done by a front-end
website to access an internal resource on behalf of a user. For more
information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN
Manager sub-package (NTLM-family protocol name) that was used during
logon. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM”.
Key Length [Type = UInt32]: the length of NTLM Session Security key.
Typically it has 128 bit or 56 bit length. This parameter is always 0 if
“Authentication Package” = “Kerberos”, because it is not applicable for
Kerberos protocol. This field will also have “0” value if Kerberos was negotiated
using Negotiate authentication package.
TYPE OF MONITORING REQUIRED / RECOMMENDATION
High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on.
  Recommendation: Monitor this event with the “New Logon\Security ID” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
  Recommendation: When you monitor for anomalies or malicious actions, use the “New Logon\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
  Recommendation: Monitor this event with the “New Logon\Security ID” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
  Recommendation: If this event corresponds to a “whitelist-only” action, review the “New Logon\Security ID” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or ___domain account, machine or user account, vendor or employee account, and so on.
  Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “New Logon\Security ID” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
  Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another ___domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
  Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “New Logon\Security ID” that you are concerned about.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Account Lockout and Audit Logon
Event Description:
This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.
It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation.
This event generates on ___domain controllers, member servers, and workstations.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that reported information about logon
failure.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon Type [Type = UInt32]: the type of logon which was performed. “Table 11. Windows Logon Types”
contains the list of possible values for this field.
Account Name [Type = UnicodeString]: the name of the account that was specified in the logon attempt.
Account Domain [Type = UnicodeString]: ___domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Failure Information:
Failure Reason [Type = UnicodeString]: textual explanation of Status field value. For this event it typically
has “Account locked out” value.
Status [Type = HexInt32]: the reason why logon failed. For this event it typically has “0xC0000234” value.
The most common status codes are listed in “Table 12. Windows logon status codes.”
0XC00000DC – Indicates the Sam Server was in the wrong state to perform the desired operation.
0XC0000133 – Clocks between DC and other computer too far out of sync.
0XC000015B – The user has not been granted the requested logon type (aka logon right) at this machine.
0XC0000413 – Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Caller Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Workstation Name [Type = UnicodeString]: machine name from which logon attempt was performed.
Source Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.
Detailed Authentication Information:
Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the
logon attempt. See event “4611: A trusted logon process has been registered with the Local Security
Authority” description for more information.
Authentication Package [Type = UnicodeString]: The name of the authentication package which was
used for the logon authentication process. Default packages loaded on LSA startup are located in
“HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded
at runtime. When a new package is loaded a “4610: An authentication package has been loaded by the
Local Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local
Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded
along with the package name. The most common authentication packages are:
NTLM – NTLM-family Authentication
Kerberos – Kerberos authentication.
Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols.
Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the
authentication or the calling application did not provide sufficient information to use Kerberos.
Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transmitted services. Transmitted
services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a
Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service
ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on
behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN Manager sub-package
(NTLM-family protocol name) that was used during the logon attempt. Possible values are:
“NTLM V1”
“NTLM V2”
“LM”
Only populated if “Authentication Package” = “NTLM”.
Key Length [Type = UInt32]: the length of NTLM Session Security key. Typically it has 128 bit or 56 bit
length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not
applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using
Negotiate authentication package.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If Subject\Account Name is a name of service account or user account, it may be useful to investigate
whether that account is allowed (or expected) to request logon for Account For Which Logon
Failed\Security ID.
To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon
Type 4-Batch or 5-Service is used by a member of a ___domain administrative group), monitor Logon Type
in this event.
If you have a high-value ___domain or local account for which you need to monitor every lockout, monitor all
4625 events with the “Subject\Security ID” that corresponds to the account.
We recommend monitoring all 4625 events for local accounts, because these accounts typically should not
be locked out. This is especially relevant for critical servers, administrative workstations, and other high
value assets.
We recommend monitoring all 4625 events for service accounts, because these accounts should not be
locked out or prevented from functioning. This is especially relevant for critical servers, administrative
workstations, and other high value assets.
If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
If the “Account For Which Logon Failed\Security ID” should never be used to log on from the
specific Network Information\Workstation Name.
If a specific account, such as a service account, should only be used from your internal IP address
list (or some other list of IP addresses). In this case, you can monitor for Network
Information\Source Network Address and compare the network address with your list of IP
addresses.
If a particular version of NTLM is always used in your organization. In this case, you can use this
event to monitor Package Name (NTLM only), for example, to find events where Package
Name (NTLM only) does not equal NTLM V2.
If NTLM is not used in your organization, or should not be used by a specific account (New
Logon\Security ID). In this case, monitor for all events where Authentication Package is NTLM.
If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128,
because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
If Logon Process is not from a trusted logon processes list.
Monitor for all events with the fields and values in the following table:
Failure Information\Status or Failure Information\Sub Status: 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.
Failure Information\Status or Failure Information\Sub Status: 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. This is typically not a security issue but it can be an infrastructure or availability issue.
Failure Information\Status or Failure Information\Sub Status: 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.
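The recommendations above applied to one 4625 record, as an added example that is not Microsoft's code: the event XML is constructed from this document's sample, and the standard-folder, restricted-folder, restricted-word, trusted-logon-process and local-machine-name lists are assumptions for the demonstration (the document says to define them for your organization).

```python
"""Apply the 4625 monitoring recommendations above to a single event record (added example)."""
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Status / Sub Status codes from the "monitor for" table, with the meaning the document gives.
WATCHED_STATUS = {
    "0xc000015b": "user has not been granted the requested logon type at this machine",
    "0xc0000192": "Netlogon service was not started (infrastructure/availability issue)",
    "0xc0000413": "machine is protected by an authentication firewall",
}
# Assumptions for this demo (the document says to define these per organization).
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\",)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")  # restricted words in process names
TRUSTED_LOGON_PROCESSES = {"user32", "advapi", "kerberos", "ntlmssp", "seclogo"}
LOCAL_MACHINE_NAMES = {"DC01", "WIN81"}  # a local account carries the computer name as its ___domain


def event_data(xml_text):
    """Flatten one Security event's <EventData> into {Name: value}, plus its EventID."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}
    data["EventID"] = root.findtext(".//" + EVT_NS + "EventID")
    return data


def check_4625(xml_text):
    """Return the findings (strings) for one 4625 event; an empty list means nothing to flag."""
    e = event_data(xml_text)
    if e.get("EventID") != "4625":
        return []
    findings = []
    # Failure Information\Status or Failure Information\Sub Status values to monitor for.
    for field in ("Status", "SubStatus"):
        code = e.get(field, "").lower()
        if code in WATCHED_STATUS:
            findings.append(f"{field} {code}: {WATCHED_STATUS[code]}")
    # Process Name outside standard folders, inside a restricted folder, or containing a restricted word.
    proc = e.get("ProcessName", "")
    low = proc.lower()
    if proc and proc != "-":
        if not low.startswith(STANDARD_FOLDERS):
            findings.append(f"process outside standard folders: {proc}")
        if any(r in low for r in RESTRICTED_FOLDERS):
            findings.append(f"process in restricted folder: {proc}")
        if any(s in low for s in RESTRICTED_SUBSTRINGS):
            findings.append(f"restricted word in process name: {proc}")
    # Local accounts typically should not be locked out at all.
    if e.get("TargetDomainName") in LOCAL_MACHINE_NAMES:
        findings.append("local account failed logon: " + e["TargetDomainName"] + "\\" + e["TargetUserName"])
    # NTLM only: expect NTLM V2 and a 128-bit session key.
    if e.get("AuthenticationPackageName") == "NTLM":
        if e.get("LmPackageName") != "NTLM V2":
            findings.append(f"NTLM package is not NTLM V2: {e.get('LmPackageName')}")
        if e.get("KeyLength") != "128":
            findings.append(f"NTLM key length is not 128: {e.get('KeyLength')}")
    # Logon Process not on the trusted list (real events may carry trailing spaces, hence strip()).
    if e.get("LogonProcessName", "").strip().lower() not in TRUSTED_LOGON_PROCESSES:
        findings.append(f"untrusted logon process: {e.get('LogonProcessName')}")
    return findings


def make_4625(**overrides):
    """Build a constructed 4625 record from this document's XML sample, overriding any EventData values."""
    data = {
        "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$", "SubjectDomainName": "CONTOSO",
        "SubjectLogonId": "0x3e7", "TargetUserSid": "S-1-0-0", "TargetUserName": "Auditor",
        "TargetDomainName": "CONTOSO", "Status": "0xc0000234", "FailureReason": "%%2307",
        "SubStatus": "0x0", "LogonType": "2", "LogonProcessName": "User32",
        "AuthenticationPackageName": "Negotiate", "WorkstationName": "DC01",
        "TransmittedServices": "-", "LmPackageName": "-", "KeyLength": "0", "ProcessId": "0x1bc",
        "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "IpAddress": "127.0.0.1", "IpPort": "0",
    }
    data.update(overrides)
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>4625</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


if __name__ == "__main__":
    print(check_4625(make_4625()))  # the document's sample is a plain lockout: nothing flagged -> []
    suspicious = make_4625(Status="0xc000015b", AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
                           KeyLength="56", ProcessName="C:\\Users\\bob\\AppData\\Local\\Temp\\mimikatz.exe")
    for finding in check_4625(suspicious):
        print("-", finding)
```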
4648(S): A logon was attempted using explicit credentials.
5/31/2019 • 8 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Logon
Event Description:
This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.
It is also a routine event which periodically occurs during normal operating system activity.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4648</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T02:54:50.771459000Z" />
<EventRecordID>233200</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1116" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x31844</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetUserName">ladmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonGuid">{0887F1E4-39EA-D53C-804F-31D568A06274}</Data>
<Data Name="TargetServerName">localhost</Data>
<Data Name="TargetInfo">localhost</Data>
<Data Name="ProcessId">0x368</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">::1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the new logon session
with explicit credentials.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can
contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a ___domain
controller.
It also can be used for correlation between a 4648 event and several other events (on the same computer)
that can contain the same Logon GUID, “4624(S): An account was successfully logged on” and “4964(S):
Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as
“{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
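The Logon GUID correlation described here (and under the 4624 Logon GUID field above), as an added example that is not from Microsoft's documentation: the 4648 record reuses this document's sample values, while the matching 4624 record (standard field names LogonGuid and TargetLogonId) and its logon ID 0x4a2f1 are constructed; a third 4648 carries the all-zeros GUID to show the "not captured" case.

```python
"""Correlate 4648 (explicit credentials) with 4624 (successful logon) via the Logon GUID (added example)."""
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"  # the document's "not captured" value


def event_data(xml_text):
    """Flatten one Security event's <EventData> into {Name: value}, plus its EventID."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}
    data["EventID"] = root.findtext(".//" + EVT_NS + "EventID")
    return data


def correlate_explicit_logons(events_xml):
    """For every 4648, find the 4624 whose LogonGuid equals the 4648 TargetLogonGuid.

    Each result says who (Subject) used whose credentials, from which process and address,
    and which session resulted. 'session' is None when no 4624 matched, including the
    case where the GUID was not captured and is all zeros.
    """
    parsed = [event_data(x) for x in events_xml]
    sessions_by_guid = {}
    for e in parsed:
        guid = e.get("LogonGuid", NULL_GUID).upper()  # GUID comparison is case-insensitive
        if e["EventID"] == "4624" and guid != NULL_GUID:
            sessions_by_guid[guid] = e
    results = []
    for e in parsed:
        if e["EventID"] != "4648":
            continue
        guid = e.get("TargetLogonGuid", NULL_GUID).upper()
        session = sessions_by_guid.get(guid) if guid != NULL_GUID else None
        results.append({
            "subject": e["SubjectDomainName"] + "\\" + e["SubjectUserName"],
            "subject_logon_id": e["SubjectLogonId"],
            "used_credentials_of": e["TargetDomainName"] + "\\" + e["TargetUserName"],
            "process": e["ProcessName"],
            "network_address": e["IpAddress"],
            "session": None if session is None else {
                "logon_id": session["TargetLogonId"],
                "logon_type": session["LogonType"],
                "account": session["TargetDomainName"] + "\\" + session["TargetUserName"],
            },
        })
    return results


def _event(event_id, **data):
    """Constructed event record in the schema shown in this document."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


# The 4648 below reuses this document's sample values; the 4624 and its TargetLogonId are constructed.
SAMPLE_4648 = _event(
    "4648", SubjectUserSid="S-1-5-21-3457937927-2839227994-823803824-1104", SubjectUserName="dadmin",
    SubjectDomainName="CONTOSO", SubjectLogonId="0x31844", LogonGuid=NULL_GUID,
    TargetUserName="ladmin", TargetDomainName="CONTOSO",
    TargetLogonGuid="{0887F1E4-39EA-D53C-804F-31D568A06274}", TargetServerName="localhost",
    TargetInfo="localhost", ProcessId="0x368", ProcessName="C:\\Windows\\System32\\svchost.exe",
    IpAddress="::1", IpPort="0")
SAMPLE_4624 = _event(
    "4624", SubjectUserSid="S-1-5-18", SubjectUserName="DC01$", SubjectDomainName="CONTOSO",
    SubjectLogonId="0x3e7", TargetUserName="ladmin", TargetDomainName="CONTOSO",
    TargetLogonId="0x4a2f1", LogonType="2", LogonGuid="{0887f1e4-39ea-d53c-804f-31d568a06274}",
    ProcessId="0x368", ProcessName="C:\\Windows\\System32\\svchost.exe", IpAddress="::1", IpPort="0")
# A 4648 whose Logon GUID was not captured cannot be paired with a session.
UNCORRELATED_4648 = _event(
    "4648", SubjectUserSid="S-1-5-18", SubjectUserName="DC01$", SubjectDomainName="CONTOSO",
    SubjectLogonId="0x3e7", LogonGuid=NULL_GUID, TargetUserName="ladmin", TargetDomainName="CONTOSO",
    TargetLogonGuid=NULL_GUID, TargetServerName="localhost", TargetInfo="localhost", ProcessId="0x368",
    ProcessName="C:\\Windows\\System32\\svchost.exe", IpAddress="::1", IpPort="0")

if __name__ == "__main__":
    for row in correlate_explicit_logons([SAMPLE_4624, SAMPLE_4648, UNCORRELATED_4648]):
        print(row)
```

The same join on Logon GUID works between 4624 and 4964, and the session's TargetLogonId is the value to carry into later events that report only a Logon ID.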
Target Server:
Target Server Name [Type = UnicodeString]: the name of the server on which the new process was run.
Has “localhost” value if the process was run locally.
Additional Information [Type = UnicodeString]: there is no detailed information about this field in this
document.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process which was run using explicit
credentials. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was
performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
0 for interactive logons.
TYPE OF MONITORING REQUIRED / RECOMMENDATION
High-value accounts: You might have high value ___domain or local accounts for which you need to monitor each action. Examples of high value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on.
  Recommendation: Monitor this event with the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that correspond to the high value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
  Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Security ID” and “Account Whose Credentials Were Used\Security ID” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
  Recommendation: Monitor this event with the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that correspond to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are allowed to perform actions corresponding to particular events.
  Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Security ID” and “Account Whose Credentials Were Used\Security ID” for accounts that are outside the whitelist.
External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform the action corresponding to this event.
  Recommendation: Monitor for the “Subject\Account Domain” or “Account Whose Credentials Were Used\Security ID” corresponding to accounts from another ___domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
  Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Security ID” or “Account Whose Credentials Were Used\Security ID” that you are concerned about. For example, you might monitor to ensure that “Account Whose Credentials Were Used\Security ID” is not used to log on to a certain computer.
Account naming conventions: Your organization might have specific naming conventions for account names.
  Recommendation: Monitor “Subject\Account Name” and “Account Whose Credentials Were Used\Security ID” for names that don’t comply with naming conventions.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If Subject\Security ID should not know or use credentials for Account Whose Credentials Were
Used\Account Name, monitor this event.
If credentials for Account Whose Credentials Were Used\Account Name should not be used from
Network Information\Network Address, monitor this event.
Check that Network Information\Network Address is from internal IP address list. For example, if you
know that a specific account (for example, a service account) should be used only from specific IP
addresses, you can monitor for all events where Network Information\Network Address is not one of
the allowed IP addresses.
4675(S): SIDs were filtered.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This event generates when SIDs were filtered for specific Active Directory trust.
See more information about SID filtering here: https://technet.microsoft.com/library/cc772633(v=ws.10).aspx.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Security ID:%1
Account Name:%2
Account Domain:%3
Trust Information:
Trust Direction:%4
Trust Attributes:%5
Trust Type:%6
TDO Domain SID:%7
Filtered SIDs:%8
Applies to
Windows 10
Windows Server 2016
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access
Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine,
Lock, and Unlock.
If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
This subcategory generates events only if NAS or IAS role is installed on the server.
NAP events can be used to help understand the overall health of the network.
Event volume: Medium to High on servers that are running Network Policy Server (NPS).
Role-specific subcategories are outside the scope of this document.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | IF | IF | IF | IF | IF – if a server has the Network Policy Server (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory.
Applies to
Windows 10
Windows Server 2016
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff
events.
These other logon or logoff events include:
A Remote Desktop session connects or disconnects.
A workstation is locked or unlocked.
A screen saver is invoked or dismissed.
A replay attack is detected. This event indicates that a Kerberos request was received twice with identical
information. This condition could also be caused by network misconfiguration.
A user is granted access to a wireless network. It can be either a user account or the computer account.
A user is granted access to a wired 802.1x network. It can be either a user account or the computer
account.
Logon events are essential to understanding user activity and detecting potential attacks.
Event volume: Low.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
4649(S): A replay attack was detected.
4778(S): A session was reconnected to a Window Station.
4779(S): A session was disconnected from a Window Station.
4800(S): The workstation was locked.
4801(S): The workstation was unlocked.
4802(S): The screen saver was invoked.
4803(S): The screen saver was dismissed.
5378(F): The requested credentials delegation was disallowed by policy.
5632(S): A request was made to authenticate to a wireless network.
5633(S): A request was made to authenticate to a wired network.
4649(S): A replay attack was detected.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
This event generates on ___domain controllers when KRB_AP_ERR_REPEAT Kerberos response was sent to the client.
Domain controllers cache information from recently received tickets. If the server name, client name, time, and microsecond fields from the Authenticator match recently seen entries in the cache, it will return KRB_AP_ERR_REPEAT. You can read more about this in RFC 1510. One potential cause for this is a misconfigured network device between the client and server that could send the same packet(s) repeatedly.
There is no example of this event in this document.
Subcategory: Audit Other Logon/Logoff Events
Event Schema:
A replay attack was detected.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Account Name:%5
Account Domain:%6
Process Information:
Process ID:%12
Process Name:%13
Network Information:
Workstation Name:%10
Request Type:%7
Logon Process:%8
Authentication Package:%9
Transited Services:%11
This event indicates that a Kerberos replay attack was detected: a request was received twice with identical information. This condition could also be caused by network misconfiguration.
Required Server Roles: Active Directory ___domain controller.
Minimum OS Version: Windows Server 2008.
Event Versions: 0.
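The cache check described above, modelled as an added example that is not Microsoft's implementation and not code from this document: a replay cache keyed on the four Authenticator fields the text names (server name, client name, time, microseconds), with entries evicted after an assumed clock-skew window. The names ReplayCache and Authenticator, the 300-second window, the KRB_AP_ERR_SKEW branch for requests outside that window, and the sample client/server names are the example's own assumptions.

```python
from dataclasses import dataclass

# Constructed model of the ___domain-controller-side behaviour described for event
# 4649: an Authenticator whose server name, client name, time and microsecond
# fields match a recently seen entry is answered with KRB_AP_ERR_REPEAT.
# Entries older than the assumed clock-skew window are dropped so the cache
# stays bounded; a request that old would be rejected for skew anyway.


@dataclass(frozen=True)
class Authenticator:
    server_name: str   # service the ticket is for
    client_name: str   # client principal from the Authenticator
    ctime: int         # client time, seconds since the epoch
    cusec: int         # microsecond part of the client time


class ReplayCache:
    def __init__(self, skew_seconds: int = 300):
        self.skew_seconds = skew_seconds   # assumed acceptable clock skew
        self._seen = {}                    # (sname, cname, ctime, cusec) -> ctime

    @staticmethod
    def _key(auth: Authenticator) -> tuple:
        return (auth.server_name, auth.client_name, auth.ctime, auth.cusec)

    def _evict(self, now: int) -> None:
        stale = [k for k, t in self._seen.items() if now - t > self.skew_seconds]
        for k in stale:
            del self._seen[k]

    def check(self, auth: Authenticator, now: int) -> str:
        """Return "KRB_AP_ERR_SKEW", "KRB_AP_ERR_REPEAT" or "OK" for one request."""
        self._evict(now)
        if abs(now - auth.ctime) > self.skew_seconds:
            return "KRB_AP_ERR_SKEW"
        key = self._key(auth)
        if key in self._seen:
            # Identical four-tuple inside the window: the condition under which
            # a ___domain controller logs 4649.
            return "KRB_AP_ERR_REPEAT"
        self._seen[key] = auth.ctime
        return "OK"


def simulate_duplicate_packet() -> list:
    """Constructed scenario: a network device forwards the same request twice."""
    cache = ReplayCache()
    req = Authenticator("host/dc01.contoso.local", "[email protected]",
                        ctime=1_000_000, cusec=123456)
    first = cache.check(req, now=1_000_001)
    duplicate = cache.check(req, now=1_000_002)        # same bytes again
    # A genuinely new request from the same client differs in time/microseconds.
    fresh = cache.check(Authenticator(req.server_name, req.client_name,
                                      req.ctime + 1, 7), now=1_000_003)
    # The same bytes replayed after the window are rejected for skew, not repeat.
    late = cache.check(req, now=1_000_600)
    return [first, duplicate, fresh, late]


if __name__ == "__main__":
    print(simulate_duplicate_packet())
```

Only the duplicate inside the window produces KRB_AP_ERR_REPEAT; a benign retransmission from a faulty network device and a real replay look identical to this check, which is why the text advises treating the event as a possible misconfiguration as well as a possible attack.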
4778(S): A session was reconnected to a Window Station.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.
This event is also generated when a user reconnects to a Hyper-V Enhanced Session on a virtual host, for example.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4778</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-10T23:05:29.743867200Z" />
    <EventRecordID>237651</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="2212" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="AccountName">ladmin</Data>
    <Data Name="AccountDomain">CONTOSO</Data>
    <Data Name="LogonID">0x1e01f6</Data>
    <Data Name="SessionName">RDP-Tcp#6</Data>
    <Data Name="ClientName">WIN81</Data>
    <Data Name="ClientAddress">10.0.0.100</Data>
  </EventData>
</Event>
Additional Information:
Client Name [Type = UnicodeString]: computer name from which the user was reconnected. Has
“Unknown” value for console session.
Client Address [Type = UnicodeString]: IP address of the computer from which the user was reconnected.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Has “LOCAL” value for console session.
Type of monitoring required / Recommendation:
High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Account Name” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Account Name” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or ___domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Account Name” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another ___domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Account Name” that you are concerned about.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with Session Name = Console.
If Remote Desktop Connections are not allowed for specific users (Subject\Account Name) or disabled on some computers, then monitor for Session Name = RDP-Tcp# (substring).
If a specific computer or device (Client Name or Client Address) should never connect to this computer (Computer), monitor for any event with that Client Name or Client Address.
Check that Additional Information\Client Address is in your internal IP address list.
4779(S): A session was disconnected from a Window Station.
5/31/2019 • 4 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.
This event is also generated when a user disconnects from a Hyper-V Enhanced Session on a virtual host, for example.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4779</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-10T23:04:41.044489800Z" />
    <EventRecordID>237646</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="AccountName">ladmin</Data>
    <Data Name="AccountDomain">CONTOSO</Data>
    <Data Name="LogonID">0x1e01f6</Data>
    <Data Name="SessionName">RDP-Tcp#3</Data>
    <Data Name="ClientName">WIN81</Data>
    <Data Name="ClientAddress">10.0.0.100</Data>
  </EventData>
</Event>
Additional Information:
Client Name [Type = UnicodeString]: machine name from which the session was disconnected. Has
“Unknown” value for console session.
Client Address [Type = UnicodeString]: IP address of the computer from which the session was
disconnected.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Has “LOCAL” value for console session.
Type of monitoring required / Recommendation:
High-value accounts: You might have high-value ___domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts and so on.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the high-value account or accounts.
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.
Recommendation: When you monitor for anomalies or malicious actions, use the “Subject\Account Name” (with other information) to monitor how or when a particular account is being used.
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.
Recommendation: Monitor this event with the “Subject\Account Name” that corresponds to the accounts that should never be used.
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events.
Recommendation: If this event corresponds to a “whitelist-only” action, review the “Subject\Account Name” for accounts that are outside the whitelist.
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or ___domain account, machine or user account, vendor or employee account, and so on.
Recommendation: If this event corresponds to an action you want to monitor for certain account types, review the “Subject\Account Name” to see whether the account type is as expected.
External accounts: You might be monitoring accounts from another ___domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events).
Recommendation: Monitor this event for the “Subject\Account Domain” corresponding to accounts from another ___domain or “external” accounts.
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. For example, you might have computers to which connections should not be made from certain accounts or addresses.
Recommendation: Monitor the target Computer: (or other target device) for actions performed by the “Subject\Account Name” that you are concerned about. If you have a target Computer: (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding Client Name or Client Address.
Account naming conventions: Your organization might have specific naming conventions for account names.
Recommendation: Monitor “Subject\Account Name” for names that don’t comply with naming conventions.
If Fast User Switching is disabled on workstations or specific computers, then monitor for any event with Session Name = Console.
If Remote Desktop Connections are not allowed for specific users (Subject\Account Name) or disabled on some computers, then monitor for Session Name = RDP-Tcp# (substring).
To ensure that connections are made only from your internal IP address list, monitor the Additional Information\Client Address in this event.
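One way to turn the recommendations for 4778 and 4779 above into detection logic, as an added example that is not code from this document or from Microsoft: it parses the event XML into a field dictionary and applies the Console, RDP-Tcp#, Client Name/Client Address and internal-address checks. The policy values (internal networks, hosts with Fast User Switching disabled, accounts for which RDP is disallowed, blocked client names) and the second and third sample events are constructed assumptions; the first sample is the 4778 record shown in this document, trimmed to the elements the rules read.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed site policy (constructed for this example).
POLICY = {
    "internal_networks": [ipaddress.ip_network("10.0.0.0/8"),
                          ipaddress.ip_network("192.168.0.0/16")],
    "fast_user_switching_disabled_on": {"DC01.contoso.local"},
    "rdp_disallowed_accounts": {"CONTOSO\\svc-backup"},
    "rdp_disabled_on": set(),
    "blocked_clients": {"KIOSK07"},
}

# Sample events: the 4778 record from this document (trimmed), then two
# constructed records that exercise the RDP/address and Console rules.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4778</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="AccountName">ladmin</Data><Data Name="AccountDomain">CONTOSO</Data>
    <Data Name="SessionName">RDP-Tcp#6</Data><Data Name="ClientName">WIN81</Data>
    <Data Name="ClientAddress">10.0.0.100</Data>
  </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4779</EventID><Computer>FS01.contoso.local</Computer></System>
  <EventData>
    <Data Name="AccountName">svc-backup</Data><Data Name="AccountDomain">CONTOSO</Data>
    <Data Name="SessionName">RDP-Tcp#2</Data><Data Name="ClientName">LAPTOP-EXT</Data>
    <Data Name="ClientAddress">::ffff:203.0.113.5</Data>
  </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4778</EventID><Computer>DC01.contoso.local</Computer></System>
  <EventData>
    <Data Name="AccountName">dadmin</Data><Data Name="AccountDomain">CONTOSO</Data>
    <Data Name="SessionName">Console</Data><Data Name="ClientName">Unknown</Data>
    <Data Name="ClientAddress">LOCAL</Data>
  </EventData></Event>""",
]


def parse_event(xml_text: str) -> dict:
    """Flatten a Security event into {EventID, Computer, <EventData Name>: value}."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS),
           "Computer": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def classify_address(raw: str, internal) -> str:
    """Return 'local', 'internal' or 'external' for a Client Address value."""
    if raw in ("LOCAL", "", "-"):
        return "local"                      # console session, per the field description
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped             # ::ffff:10.0.0.100 -> 10.0.0.100
    if addr.is_loopback:                    # ::1 or 127.0.0.1 means localhost
        return "local"
    return "internal" if any(addr in net for net in internal) else "external"


def evaluate(event: dict, policy: dict) -> list:
    """Apply the 4778/4779 monitoring recommendations; return finding tags."""
    findings = []
    account = f"{event.get('AccountDomain', '')}\\{event.get('AccountName', '')}"
    session = event.get("SessionName", "")
    computer = event.get("Computer", "")
    if session == "Console" and computer in policy["fast_user_switching_disabled_on"]:
        findings.append("console-session-on-fus-disabled-host")
    if "RDP-Tcp#" in session and (account in policy["rdp_disallowed_accounts"]
                                  or computer in policy["rdp_disabled_on"]):
        findings.append("rdp-session-not-allowed")
    if event.get("ClientName", "") in policy["blocked_clients"]:
        findings.append("blocked-client")
    if classify_address(event.get("ClientAddress", ""), policy["internal_networks"]) == "external":
        findings.append("client-address-not-internal")
    return findings


def run(policy: dict = POLICY) -> dict:
    """Evaluate every sample; key results by EventID and Session Name."""
    results = {}
    for xml_text in SAMPLE_EVENTS:
        ev = parse_event(xml_text)
        results[f"{ev['EventID']}/{ev.get('SessionName')}"] = evaluate(ev, policy)
    return results


if __name__ == "__main__":
    for key, findings in run().items():
        print(key, findings or "ok")
```

The document's own 4778 record produces no findings under this policy; the constructed 4779 record trips both the RDP and the external-address rules, and the constructed Console reconnect trips the Fast User Switching rule. The IPv4-mapped handling matters in practice because, as the field description says, Client Address can arrive as ::ffff:IPv4.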
4800(S): The workstation was locked.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a workstation was locked.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4800</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-10T23:47:02.430644500Z" />
    <EventRecordID>237655</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="2568" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x759a9</Data>
    <Data Name="SessionId">3</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “lock workstation”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the locked session. You can see the list of current session IDs using the “query session” command in a command prompt (see the ID column of its output).
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a machine was locked, and
which account was used to lock it.
4801(S): The workstation was unlocked.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when a workstation was unlocked.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4801</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-10T23:47:05.886096400Z" />
    <EventRecordID>237657</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="4540" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x759a9</Data>
    <Data Name="SessionId">3</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “unlock workstation”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the unlocked session. You can see the list of current session IDs using the “query session” command in a command prompt (see the ID column of its output).
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a machine was unlocked, and
which account was used to unlock it.
4802(S): The screen saver was invoked.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when the screen saver was invoked.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4802</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-11T00:16:32.377883700Z" />
    <EventRecordID>237662</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="1676" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x759a9</Data>
    <Data Name="SessionId">3</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “invoke screensaver”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the session for which the screen saver was invoked. You can see the list of current session IDs using the “query session” command in a command prompt (see the ID column of its output).
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a screen saver was invoked on
a machine, and which account invoked it.
4803(S): The screen saver was dismissed.
5/31/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event is generated when the screen saver was dismissed.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4803</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-11T00:19:09.576094500Z" />
    <EventRecordID>237663</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="TargetUserName">dadmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x759a9</Data>
    <Data Name="SessionId">3</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “dismiss screensaver”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Session ID [Type = UInt32]: unique ID of the session for which the screen saver was dismissed. You can see the list of current session IDs using the “query session” command in a command prompt (see the ID column of its output).
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this is an informational event, and can give you information about when a screen saver was dismissed
on a machine, and which account dismissed it.
5378(F): The requested credentials delegation was disallowed by policy.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event generates when a requested CredSSP credentials delegation was disallowed by CredSSP delegation policy.
It typically occurs when CredSSP delegation for a WinRM double-hop session was not configured properly.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5378</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-11T03:23:48.502346900Z" />
    <EventRecordID>1198733</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="4308" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x2b1e04</Data>
    <Data Name="Package">CREDSSP</Data>
    <Data Name="UserUPN">dadmin@contoso</Data>
    <Data Name="TargetServer">WSMAN/dc01.contoso.local</Data>
    <Data Name="CredType">%%8098</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested credentials delegation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Credential Delegation Information:
Security Package [Type = UnicodeString]: the name of Security Package which was used. Always
CREDSSP for this event.
User's UPN [Type = UnicodeString]: UPN of the account for which delegation was requested.
Target Server [Type = UnicodeString]: SPN of the target service for which delegation was requested.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
Credential Type [Type = UnicodeString]: type of credentials which were presented for delegation:
Default credentials: the credentials obtained when the user first logs on to Windows.
Fresh credentials: the credentials that the user is prompted for when executing an application.
Saved credentials: the credentials that are saved using Credential Manager.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have defined CredSSP delegation policy, then this event will show you policy violations. We
recommend collecting these events and investigating every policy violation.
This event can also be used for CredSSP delegation troubleshooting.
5632(S, F): A request was made to authenticate to a wireless network.
6/6/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event generates when an 802.1x authentication attempt was made for a wireless network.
It typically generates when a network adapter connects to a new wireless network.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5632</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-10T23:10:34.052054800Z" />
    <EventRecordID>44113845</EventRecordID>
    <Correlation />
    <Execution ProcessID="712" ThreadID="4176" />
    <Channel>Security</Channel>
    <Computer>XXXXXXX.redmond.corp.microsoft.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SSID">Nokia</Data>
    <Data Name="Identity">host/XXXXXXXX.redmond.corp.microsoft.com</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="PeerMac">18:64:72:F3:33:91</Data>
    <Data Name="LocalMac">02:1A:C5:14:59:C9</Data>
    <Data Name="IntfGuid">{2BB33827-6BB6-48DB-8DE6-DB9E0B9F9C9B}</Data>
    <Data Name="ReasonCode">0x0</Data>
    <Data Name="ReasonText">The operation was successful.</Data>
    <Data Name="ErrorCode">0x0</Data>
    <Data Name="EAPReasonCode">0x0</Data>
    <Data Name="EapRootCauseString" />
    <Data Name="EAPErrorCode">0x0</Data>
  </EventData>
</Event>
Note User principal name (UPN) format is used to specify an Internet-style name, such as [email protected].
Account Name [Type = UnicodeString]: the name of the account for which 802.1x authentication request
was made.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Name (SSID) [Type = UnicodeString]: SSID of the wireless network to which the authentication request was sent.
Note A service set identifier (SSID) is a sequence of characters that uniquely names a wireless local area network (WLAN). An SSID is sometimes referred to as a "network name." This name allows stations to connect to the desired network when multiple independent networks operate in the same physical area.
Interface GUID [Type = GUID]: GUID of the network interface which was used for the authentication request.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
5633(S): A request was made to authenticate to a wired network.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Logon/Logoff Events
Event Description:
This event generates when an 802.1x authentication attempt was made for a wired network.
It typically generates when a network adapter connects to a new wired network.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5633</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12551</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-11T01:26:59.679232500Z" />
    <EventRecordID>1198715</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="2920" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="InterfaceName">Microsoft Hyper-V Network Adapter</Data>
    <Data Name="Identity">-</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="ReasonCode">0x70003</Data>
    <Data Name="ReasonText">The network does not support authentication</Data>
    <Data Name="ErrorCode">0x0</Data>
  </EventData>
</Event>
Note User principal name (UPN) format is used to specify an Internet-style name, such as [email protected].
Account Name [Type = UnicodeString]: the name of the account for which 802.1x authentication request
was made.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Interface:
Name [Type = UnicodeString]: the name (description) of the network interface that was used for the
authentication request. You can get the list of all available network adapters using the “ipconfig /all” command;
see the “Description” row for every network adapter.
Additional Information:
Reason Code [Type = UnicodeString]: contains Reason Text (explanation of Reason Code) and Reason Code
for wired authentication results. See more information about reason codes for wired authentication here:
https://msdn.microsoft.com/library/windows/desktop/dd877212(v=vs.85).aspx,
https://technet.microsoft.com/library/cc727747(v=ws.10).aspx.
Error Code [Type = HexInt32]: unique EAP error code.
Applies to
Windows 10
Windows Server 2016
Audit Special Logon determines whether the operating system generates audit events under special sign on (or
log on) circumstances.
This subcategory allows you to audit events generated by special logons such as the following:
The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to
elevate a process to a higher level.
A logon by a member of a Special Group. Special Groups enable you to audit events generated when a
member of a certain group has logged on to your network. You can configure a list of group security
identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the
subcategory is enabled, an event is logged.
Event volume:
Low on a client computer.
Medium on ___domain controllers or network servers.
Events List:
4964(S): Special groups have been assigned to a new logon.
4672(S): Special privileges assigned to new logon.
4964(S): Special groups have been assigned to a new logon.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Special Logon
Event Description:
This event occurs when an account that is a member of any defined Special Group logs in.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4964</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-11T02:25:16.236443300Z" />
    <EventRecordID>238923</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="5008" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0xd972e</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-500</Data>
    <Data Name="TargetUserName">ladmin</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="TargetLogonId">0x139faf</Data>
    <Data Name="TargetLogonGuid">{B03B6192-09AE-E77F-DD10-2DC430766040}</Data>
    <Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data>
  </EventData>
</Event>
Note Special Groups is a new feature in Windows Vista and in Windows Server 2008. The Special Groups
feature lets the administrator find out when a member of a certain group logs on to the computer. The Special
Groups feature lets an administrator set a list of group security identifiers (SIDs) in the registry.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested logon for New Logon
account.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can
contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a ___domain
controller.
It also can be used for correlation between a 4964 event and several other events (on the same computer)
that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and
“4624(S): An account was successfully logged on.”
This parameter might not be captured in the event, and in that case appears as
“{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
New Logon:
Security ID [Type = SID]: SID of the account that performed the logon. Event Viewer automatically tries to
resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the
event.
Account Name [Type = UnicodeString]: the name of the account that performed the logon.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can
contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a ___domain
controller.
It also can be used for correlation between a 4964 event and several other events (on the same computer)
that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and
“4624(S): An account was successfully logged on.”
This parameter might not be captured in the event, and in that case appears as
“{00000000-0000-0000-0000-000000000000}”.
Special Groups Assigned [Type = UnicodeString]: the list of special group SIDs of which New
Logon\Security ID is a member.
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4672</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12548</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-11T01:10:57.091809600Z" />
    <EventRecordID>237692</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x671101</Data>
    <Data Name="PrivilegeList">SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege
      SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege
      SeImpersonatePrivilege</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account to which special privileges were
assigned.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Privileges [Type = UnicodeString]: the list of sensitive privileges assigned to the new logon. The following table
contains the list of possible privileges for this event:
Privilege Name: SeAuditPrivilege
User Right Group Policy Name: Generate security audits
Description: With this privilege, the user can add entries to the security log.
Privilege Name: SeEnableDelegationPrivilege
User Right Group Policy Name: Enable computer and user accounts to be trusted for delegation
Description: Required to mark user and computer accounts as trusted for delegation. With this privilege, the user
can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this
privilege must have write access to the account control flags on the user or computer object. A server process
running on a computer (or under a user context) that is trusted for delegation can access resources on another
computer using the delegated credentials of a client, as long as the account of the client does not have the
Account cannot be delegated account control flag set.
Privilege Name: SeImpersonatePrivilege
User Right Group Policy Name: Impersonate a client after authentication
Description: With this privilege, the user can impersonate other accounts.
Privilege Name: SeLoadDriverPrivilege
User Right Group Policy Name: Load and unload device drivers
Description: Required to load or unload a device driver. With this privilege, the user can dynamically load and
unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device
drivers.
Privilege Name: SeTakeOwnershipPrivilege
User Right Group Policy Name: Take ownership of files or other objects
Description: Required to take ownership of an object without being granted discretionary access. This privilege
allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an
object. With this privilege, the user can take ownership of any securable object in the system, including Active
Directory objects, files and folders, printers, registry keys, processes, and threads.
Privilege Name: SeTcbPrivilege
User Right Group Policy Name: Act as part of the operating system
Description: This privilege identifies its holder as part of the trusted computer base. This user right allows a
process to impersonate any user without authentication. The process can therefore gain access to the same local
resources as that user.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Monitor for this event where “Subject\Security ID” is not one of these well-known security principals:
LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “Subject\Security ID” is not an
administrative account that is expected to have the listed Privileges.
If you have a list of specific privileges which should never be granted, or granted only to a few accounts (for
example, SeDebugPrivilege), use this event to monitor for those “Privileges.”
If you are required to monitor any of the sensitive privileges in the Event Description for this event, search for
those specific privileges in the event.
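The monitoring recommendations above, turned into code. This is an added example and not part of the Microsoft documentation: it parses a 4672 event from its Security-channel XML, skips the three well-known service principals, flags any subject that is not on an expected-administrators list, and flags privileges on a never-grant list. The sample event is constructed from the page's own 4672 example; the well-known SIDs S-1-5-18/19/20, the expected-admin set and the SeTcbPrivilege entry on the never-grant list are assumptions made for the example.

```python
# Added example (not from the Microsoft documentation page): parse a 4672 event
# from its Security-channel XML and apply the page's monitoring recommendations.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The well-known service principals the page says not to monitor (SIDs assumed for the example).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}

# Privileges that should never, or only very rarely, be granted. SeDebugPrivilege is the
# page's own example; SeTcbPrivilege is an assumed addition for illustration.
NEVER_GRANT = {"SeDebugPrivilege", "SeTcbPrivilege"}

# Constructed sample, based on the 4672 example on the page (subject dadmin, CONTOSO).
SAMPLE_4672 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4672</EventID>
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x671101</Data>
    <Data Name="PrivilegeList">SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege
SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege
SeImpersonatePrivilege</Data>
  </EventData>
</Event>"""

# Constructed sample for a LOCAL SYSTEM logon, which the page says not to monitor.
SAMPLE_4672_SYSTEM = SAMPLE_4672.replace(
    "S-1-5-21-3457937927-2839227994-823803824-1104", "S-1-5-18"
).replace("dadmin", "SYSTEM").replace("CONTOSO", "NT AUTHORITY")


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one Security-channel event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def check_4672(xml_text, expected_admin_sids):
    """Apply the page's rules to one 4672 event; returns a list of findings (empty = nothing to flag)."""
    event_id, data = parse_event(xml_text)
    if event_id != 4672:
        return []
    sid = data["SubjectUserSid"]
    if sid in WELL_KNOWN_SIDS:            # skip LOCAL SYSTEM / NETWORK SERVICE / LOCAL SERVICE
        return []
    account = f"{data['SubjectDomainName']}\\{data['SubjectUserName']}"
    findings = []
    if sid not in expected_admin_sids:    # subject is not an expected administrative account
        findings.append(f"unexpected account {account} ({sid}) received sensitive privileges")
    granted = set(data["PrivilegeList"].split())
    for priv in sorted(granted & NEVER_GRANT):   # privileges on the never-grant list
        findings.append(f"{priv} granted to {account}, logon id {data['SubjectLogonId']}")
    return findings


if __name__ == "__main__":
    expected = {"S-1-5-21-3457937927-2839227994-823803824-1104"}   # assumed list of expected admin SIDs
    for sample in (SAMPLE_4672, SAMPLE_4672_SYSTEM):
        for finding in check_4672(sample, expected):
            print(finding)
```

Because 4672 is logged for every privileged logon, the expected-administrators list is what keeps this rule quiet in practice; the never-grant list is the part worth keeping strict even for expected accounts.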
Audit Application Generated
12/20/2019
Applies to
Windows 10
Windows Server 2016
Audit Application Generated generates events for actions related to Authorization Manager applications.
The Audit Application Generated subcategory is out of scope of this document, because Authorization Manager is very
rarely in use and has been deprecated since Windows Server 2012.
Events List:
4665: An attempt was made to create an application client context.
4666: An application attempted an operation.
4667: An application client context was deleted.
4668: An application was initialized.
Audit Certification Services
1/3/2020
Applies to
Windows 10
Windows Server 2016
Audit Certification Services determines whether the operating system generates events when Active Directory
Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
AD CS starts, shuts down, is backed up, or is restored.
Certificate revocation list (CRL)-related tasks are performed.
Certificates are requested, issued, or revoked.
Certificate manager settings for AD CS are changed.
The configuration and properties of the certification authority (CA) are changed.
AD CS templates are modified.
Certificates are imported.
A CA certificate is published to Active Directory Domain Services.
Security permissions for AD CS role services are modified.
Keys are archived, imported, or retrieved.
The OCSP Responder Service is started or stopped.
Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
Event volume: Low to medium on servers that provide AD CS role services.
Role-specific subcategories are outside the scope of this document.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | IF – if a server has the Active Directory Certificate Services (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory.
Applies to
Windows 10
Windows Server 2016
Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.
The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting
only records one event for any connection established between a client and file share. Detailed File Share audit
events include detailed information about the permissions or other criteria used to grant or deny access.
There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all
shared files and folders on the system is audited.
Event volume:
High on file servers.
High on ___domain controllers because of SYSVOL network access required by Group Policy.
Low on member servers and workstations.
Events List:
5145(S, F): A network share object was checked to see whether client can be granted desired access.
5145(S, F): A network share object was checked to see whether client can be granted desired access.
8/10/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Detailed File Share
Event Description:
This event generates every time a network share object (file or folder) was accessed.
Important: Failure events are generated only when access is denied at the file share level. No events are
generated if access was denied on the file system (NTFS) level.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5145</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12811</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-17T23:54:48.941761700Z" />
    <EventRecordID>267092</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x38d34</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">fe80::31ea:6c3c:f40d:1973</Data>
    <Data Name="IpPort">56926</Data>
    <Data Name="ShareName">\\*\Documents</Data>
    <Data Name="ShareLocalPath">\??\C:\Documents</Data>
    <Data Name="RelativeTargetName">Bginfo.exe</Data>
    <Data Name="AccessMask">0x100081</Data>
    <Data Name="AccessList">%%1541 %%4416 %%4423</Data>
    <Data Name="AccessReason">%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested access to network share
object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The following table contains the list of the most common Object Types:
Source Address [Type = UnicodeString]: source IP address from which access was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source TCP or UDP port which was used from remote or local
machine to request the access.
0 for local access attempts.
Share Information:
Share Name [Type = UnicodeString]: the name of accessed network share. The format is:
\\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for the accessed share. The format is:
\??\PATH. Can be empty, for example for Share Name: \\*\IPC$.
Relative Target Name [Type = UnicodeString]: relative name of the accessed target file or folder. This file
path is relative to the network share. If access was requested for the share itself, then this field appears as “\”.
Access Request Information:
Access Mask [Type = HexInt32]: the sum of hexadecimal values of requested access rights. See “Table 13.
File access codes.” for different hexadecimal values for access rights.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type.
Access | Hexadecimal Value, Resource ID | Description
ReadData (or ListDirectory) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Check Results [Type = UnicodeString]: the list of access check results. The format of the result is:
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values
in the table below.
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"A" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
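A parser for the SDDL grammar described above and for the AccessReason field of 5145, as an added example that is not part of the Microsoft documentation. It splits a descriptor into owner, group, DACL and SACL, decodes each ACE's type, flags, rights and trustee using the tokens listed on this page (plus the usual two-letter rights and trustee aliases such as RC, SD, CC, BU and AU, which are standard SDDL tokens but not listed here), and turns the "access: result ACE" triples in AccessReason into records. The two sample strings are the page's own SDDL example and the AccessReason value from the 5145 event above; result codes such as %%1801 are left as-is because the page does not define them.

```python
# Added example (not from the Microsoft documentation page): a parser for the SDDL
# strings carried in 5145 "Access Check Results" and for the AccessReason field format.
import re

ACE_TYPES = {
    "A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
    "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED",
    "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM",   # "AL" is the SDDL token for the alarm ACE type
    "OU": "OBJECT_SYSTEM_AUDIT", "OL": "OBJECT_SYSTEM_ALARM",
}
ACE_FLAGS = {
    "CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE", "IO": "INHERIT_ONLY",
    "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS_AUDIT", "FA": "FAILED_ACCESS_AUDIT",
}
LIST_FLAGS = {"P": "SDDL_PROTECTED", "AI": "SDDL_AUTO_INHERITED", "AR": "SDDL_AUTO_INHERIT_REQ"}
RIGHTS = {   # standard SDDL rights tokens; only FA/FX/FW are named on the page
    "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "SW": "SELF_WRITE",
    "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE", "LO": "LIST_OBJECT", "CR": "CONTROL_ACCESS",
}
TRUSTEES = {"AN": "Anonymous", "WD": "Everyone", "SY": "LOCAL_SYSTEM", "BA": "BUILTIN_ADMINISTRATORS",
            "BG": "BUILTIN_GUESTS", "BU": "BUILTIN_USERS", "AU": "Authenticated Users"}

# Sample inputs taken from the page: its SDDL example and the AccessReason value of the 5145 event.
SAMPLE_SDDL = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)"
SAMPLE_REASON = "%%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD)"


def _pairs(s, table):
    """Split a run of two-letter SDDL tokens and translate each one through table."""
    return [table.get(s[i:i + 2], s[i:i + 2]) for i in range(0, len(s), 2)]


def parse_rights(rights):
    # Rights are either a hex access mask ("0xf0007") or a run of two-letter tokens ("DCLCRP...").
    if rights.lower().startswith("0x"):
        return [hex(int(rights, 16))]
    return _pairs(rights, RIGHTS)


def parse_ace(ace):
    """Parse one "(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)" entry."""
    fields = ace.strip("()").split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: {ace}")
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": _pairs(flags, ACE_FLAGS),
        "rights": parse_rights(rights),
        "object_guid": obj_guid or None,
        "inherit_object_guid": inh_guid or None,
        "trustee": TRUSTEES.get(sid, sid),     # two-letter alias, or a literal S-1-... SID left as-is
    }


def parse_acl(body):
    """Parse the D: or S: component: optional inheritance flags followed by ACEs in parentheses."""
    prefix = body.split("(", 1)[0]
    flags, i = [], 0
    while i < len(prefix):           # "P" is one letter; "AI" and "AR" are two
        width = 1 if prefix[i] == "P" else 2
        flags.append(LIST_FLAGS.get(prefix[i:i + width], prefix[i:i + width]))
        i += width
    return {"flags": flags, "aces": [parse_ace(a) for a in re.findall(r"\([^)]*\)", body)]}


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL."""
    parts = {k: v for k, v in re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl)}
    return {
        "owner": TRUSTEES.get(parts.get("O"), parts.get("O")),
        "group": TRUSTEES.get(parts.get("G"), parts.get("G")),
        "dacl": parse_acl(parts["D"]) if "D" in parts else None,
        "sacl": parse_acl(parts["S"]) if "S" in parts else None,
    }


def parse_access_reason(reason):
    """Split the 5145 AccessReason field into (requested access, result code, deciding ACE) records."""
    records = []
    for access, result, sddl in re.findall(r"(%%\d+):\s+(%%\d+)\s+([DS]:\([^)]*\))", reason):
        records.append({"access": access, "result": result, "ace": parse_acl(sddl[2:])["aces"][0]})
    return records


if __name__ == "__main__":
    print(parse_sddl(SAMPLE_SDDL))
    print(parse_access_reason(SAMPLE_REASON))
```

For the page's 5145 example the parser shows that all three requested accesses were decided by the same ACE, an allow for Everyone with FILE_ALL_ACCESS, which is exactly the kind of over-broad share ACL the monitoring recommendations that follow are meant to surface.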
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Monitor this event if the Network Information\Source Address is not from your internal IP range.
Monitor this event if the Network Information\Source Address should not be able to connect with the
specific computer (Computer:).
If you have critical files or folders on specific network shares, for which you need to monitor access attempts
(Success and Failure), monitor for specific Share Information\Share Name and Share
Information\Relative Target Name.
If you have ___domain or local accounts that should only be able to access a specific list of shared files or
folders, you can monitor for access attempts outside the allowed list.
We recommend that you monitor for these Access Request Information\Accesses rights (especially for
Failure):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
Audit File Share
1/3/2020
Applies to
Windows 10
Windows Server 2016
Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access
attempts. Also, it shows failed SMB SPN checks.
There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all
shares on the system will be audited.
Combined with File System auditing, File Share auditing enables you to track what content was accessed, the
source (IP address and port) of the request, and the user account that was used for the access.
Event volume:
High on file servers.
High on ___domain controllers because of SYSVOL network access required by Group Policy.
Low on member servers and workstations.
Events List:
5140(S, F): A network share object was accessed.
5142(S): A network share object was added.
5143(S): A network share object was modified.
5144(S): A network share object was deleted.
5168(F): SPN check for SMB/SMB2 failed.
5140(S, F): A network share object was accessed.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object was accessed.
This event generates once per session, when the first access attempt was made.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5140</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12808</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T02:45:13.581231400Z" />
    <EventRecordID>268495</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="772" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x541f35</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">10.0.0.100</Data>
    <Data Name="IpPort">49212</Data>
    <Data Name="ShareName">\\*\Documents</Data>
    <Data Name="ShareLocalPath">\??\C:\Documents</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="AccessList">%%4416</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested access to network share
object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Network Information:
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The following table contains the list of the most common Object Types:
Source Address [Type = UnicodeString]: source IP address from which access was performed.
IPv6 address or ::ffff:IPv4 address of a client.
::1 or 127.0.0.1 means localhost.
Source Port [Type = UnicodeString]: source TCP or UDP port which was used from remote or local
machine to request the access.
0 for local access attempts.
Share Information:
Share Name [Type = UnicodeString]: the name of accessed network share. The format is:
\\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for the accessed share. The format is:
\??\PATH. Can be empty, for example for Share Name: \\*\IPC$.
Access Request Information:
Access Mask [Type = HexInt32]: the sum of hexadecimal values of requested access rights. See “Table 13.
File access codes.” for different hexadecimal values for access rights. Always has the value “0x1” for this event.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. Always has the value “ReadData (or ListDirectory)” for this
event.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value computers for which you need to monitor all access to all shares or specific shares
(“Share Name”), monitor this event. For example, you could monitor share C$ on ___domain controllers.
Monitor this event if the Network Information\Source Address is not from your internal IP range.
Monitor this event if the Network Information\Source Address should not be able to connect with the
specific computer (Computer:).
If you need to monitor access attempts to local shares from a specific IP address (“Network
Information\Source Address”), use this event.
If you need to monitor for specific Access Types (for example, ReadData or WriteData), for all or specific
shares (“Share Name”), monitor this event for the “Access Type.”
5142(S): A network share object was added.
6/6/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network share object is added.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5142</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:27:01.206646900Z" />
<EventRecordID>268462</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4304" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">C:\\Documents</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “add network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Share Name [Type = UnicodeString]: the name of the added share object. The format is:
\\*\SHARE_NAME.
Share Path [Type = UnicodeString]: the full system (NTFS) path for the added share object. The format is:
\\??\PATH.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value computers for which you need to monitor creation of new file shares, monitor this
event. For example, you could monitor ___domain controllers.
We recommend checking “Share Path”, because it should not point to system directories, such as
C:\Windows or C:\, or to critical local folders which contain private or high value information.
5143(S): A network share object was modified.
8/10/2019 • 6 minutes to read
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5143</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:42:56.743298600Z" />
<EventRecordID>268483</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ObjectType">Directory</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">C:\\Documents</Data>
<Data Name="OldRemark">N/A</Data>
<Data Name="NewRemark">N/A</Data>
<Data Name="OldMaxUsers">0xffffffff</Data>
<Data Name="NewMaxUsers">0xffffffff</Data>
<Data Name="OldShareFlags">0x800</Data>
<Data Name="NewShareFlags">0x800</Data>
<Data Name="OldSD">O:S-1-5-21-3457937927-2839227994-823803824-1104G:DAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)
</Data>
<Data Name="NewSD">O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICI;FA;;;WD)
(A;OICI;FA;;;BA)</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Object Type [Type = UnicodeString]: The type of an object that was modified. Always “Directory” for this
event.
The following table contains the list of the most common Object Types:
Share Name [Type = UnicodeString]: the name of the modified share object. The format is:
\\*\SHARE_NAME
Share Path [Type = UnicodeString]: the full system (NTFS) path for the modified share object. The format is: \\??\PATH. Can be empty, for example for Share Name: \\*\IPC$.
Old Remark [Type = UnicodeString]: the old value of network share “Comments:” field. Has “N/A” value if
it is not set.
New Remark [Type = UnicodeString]: the new value of network share “Comments:” field. Has “N/A” value
if it is not set.
Old MaxUsers [Type = HexInt32]: old hexadecimal value of the “Limit the number of simultaneous users to:” field. Has “0xFFFFFFFF” value if the number of connections is unlimited.
New MaxUsers [Type = HexInt32]: new hexadecimal value of the “Limit the number of simultaneous users to:” field. Has “0xFFFFFFFF” value if the number of connections is unlimited.
Old ShareFlags [Type = HexInt32]: old hexadecimal value of “Offline Settings” caching settings window
flags.
New ShareFlags [Type = HexInt32]: new hexadecimal value of “Offline Settings” caching settings window
flags.
Old SD [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the network share security descriptor.
New SD [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the network share security descriptor.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have high-value computers for which you need to monitor all modifications to all shares or specific
shares (“Share Name”), monitor this event. For example, you could monitor all changes to the SYSVOL share
on ___domain controllers.
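As an added example (not Microsoft's code), the following Python parses the SDDL layout described above and diffs the Old SD and New SD values from the 5143 event XML on this page, reporting an owner change, DACL entries added or removed, and any remaining full-access grant to Everyone or Anonymous on the share; conditional and object ACEs are out of scope.

```python
"""Parse SDDL strings and diff the Old SD / New SD values carried by event 5143.
Added example, not Microsoft code: O:/G:/D:/S: sections and
(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid) entries as described on this page."""
import re
from typing import List, NamedTuple, Optional


class Ace(NamedTuple):
    ace_type: str            # A, D, AU, ...
    ace_flags: str           # OICI, ID, SAFA, ...
    rights: str              # FA, 0xf0007, DCLCRP...
    object_guid: str
    inherit_object_guid: str
    account_sid: str         # WD, BA, S-1-5-21-...


class SecurityDescriptor(NamedTuple):
    owner: Optional[str]
    group: Optional[str]
    dacl_flags: str          # P / AI / AR, as written right after "D:"
    dacl: List[Ace]
    sacl_flags: str
    sacl: List[Ace]


# Subset of the reserved SID strings used in this page's examples.
WELL_KNOWN = {"BA": "BUILTIN_ADMINISTRATORS", "WD": "Everyone", "SY": "LOCAL_SYSTEM",
              "AN": "Anonymous", "BG": "BUILTIN_GUESTS", "DA": "DOMAIN_ADMINS"}
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _parse_acl(body: str):
    """'ARAI(AU;SAFA;...;;;WD)' -> ('ARAI', [Ace(...)]); flags are whatever precedes the first '('."""
    first = body.find("(")
    flags = body if first < 0 else body[:first]
    aces = []
    for m in _ACE_RE.finditer(body):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({m.group(1)})")
        aces.append(Ace(*fields))
    return flags, aces


def parse_sddl(sddl: str) -> SecurityDescriptor:
    owner = group = None
    dacl_flags = sacl_flags = ""
    dacl: List[Ace] = []
    sacl: List[Ace] = []
    # Split just before each section tag. SIDs are written S-1-..., never S:, and plain
    # ACEs contain no ':' at all, so the lookahead cannot fire inside a section body.
    for chunk in re.split(r"(?=[OGDS]:)", sddl.strip()):
        if not chunk:
            continue
        if len(chunk) < 2 or chunk[1] != ":":
            raise ValueError(f"unexpected text outside a section: {chunk!r}")
        tag, body = chunk[0], chunk[2:]
        if tag == "O":
            owner = body
        elif tag == "G":
            group = body
        elif tag == "D":
            dacl_flags, dacl = _parse_acl(body)
        else:
            sacl_flags, sacl = _parse_acl(body)
    return SecurityDescriptor(owner, group, dacl_flags, dacl, sacl_flags, sacl)


def name(sid: Optional[str]) -> str:
    return WELL_KNOWN.get(sid or "", sid or "-")


def describe(ace: Ace) -> str:
    return f"{ace.ace_type} {ace.rights} for {name(ace.account_sid)} flags={ace.ace_flags or '-'}"


def diff_security_descriptors(old_sddl: str, new_sddl: str) -> List[str]:
    """Findings for a 5143 event: owner change, DACL entries added/removed, and any
    Allow-FA entry for Everyone or Anonymous that is still present afterwards."""
    old, new = parse_sddl(old_sddl), parse_sddl(new_sddl)
    findings: List[str] = []
    if old.owner != new.owner:
        findings.append(f"owner changed: {name(old.owner)} -> {name(new.owner)}")
    old_dacl, new_dacl = set(old.dacl), set(new.dacl)
    findings += [f"DACL ACE added: {describe(a)}" for a in new.dacl if a not in old_dacl]
    findings += [f"DACL ACE removed: {describe(a)}" for a in old.dacl if a not in new_dacl]
    for ace in new.dacl:
        if ace.ace_type == "A" and ace.rights == "FA" and ace.account_sid in ("WD", "AN"):
            findings.append(f"broad access remains: {describe(ace)}")
    return findings


# Old SD / New SD from the 5143 event XML on this page.
OLD_SD = "O:S-1-5-21-3457937927-2839227994-823803824-1104G:DAD:(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)"
NEW_SD = ("O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
          "(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)")
# The SDDL example from the page as one string (the stray '×' in '0×7' read as 'x').
EXAMPLE_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
              "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)")

if __name__ == "__main__":
    for finding in diff_security_descriptors(OLD_SD, NEW_SD):
        print(finding)
```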
5144(S): A network share object was deleted.
6/6/2019 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates every time a network
share object is deleted.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5144</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T02:17:14.820551800Z" />
<EventRecordID>268368</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4656" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x38d12</Data>
<Data Name="ShareName">\\\\\*\\Documents</Data>
<Data Name="ShareLocalPath">C:\\Documents</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete network share
object” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Share Information:
Share Name [Type = UnicodeString]: the name of the deleted share object. The format is:
\\*\SHARE_NAME
Share Path [Type = UnicodeString]: the full system (NTFS) path for the deleted share object. The format is:
\\??\PATH.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical network shares for which you need to monitor all changes (especially, the deletion of that
share), monitor for specific “Share Information\Share Name”.
If you have high-value computers for which you need to monitor all changes (especially, deletion of file
shares), monitor for all 5144 events on these computers. For example, you could monitor file shares on
___domain controllers.
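The monitoring recommendations for 5140 (share accessed), 5142 (share added) and 5144 (share deleted) above, applied as rules over event XML in the layout shown on this page. This is an added example, not Microsoft's code: the policy values (internal range 10.0.0.0/8, DC01 as the high-value host, SYSVOL and NETLOGON as critical shares) and the sample events are constructed, and the 5140 field names IpAddress and AccessList are assumed from that event's own XML.

```python
"""Rules from this page's 5140/5142/5144 monitoring recommendations, run over event XML.
Added example, not Microsoft code; policy values and sample events are constructed."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Set

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass
class SharePolicy:
    internal_nets: List[ipaddress.IPv4Network]
    high_value_hosts: Set[str]           # e.g. ___domain controllers
    critical_shares: Set[str]            # deletion is always an alert
    system_paths: tuple                  # a new share must not expose these trees
    watched_access: Dict[str, Set[str]]  # share -> AccessList codes worth an alert


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten EventID, Computer and every EventData/Data element into one dict."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS) or "",
          "Computer": root.findtext("e:System/e:Computer", namespaces=NS) or ""}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name", "")] = d.text or ""
    return ev


def is_internal(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """Localhost (::1 / 127.0.0.1) or inside an internal range; ::ffff:IPv4 is unwrapped."""
    if addr in ("", "::1", "127.0.0.1"):
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unparsable source address is treated as external
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in nets)


def share_base(share_name: str) -> str:
    r"""Drop the \\*\ prefix of the page's \\*\SHARE_NAME format: \\*\C$ -> C$."""
    return share_name.rsplit("\\", 1)[-1].upper()


def exposes_system_dir(path: str, system_paths: tuple) -> bool:
    r"""True for a drive root (C:\) or anything at or under a listed tree (C:\Windows)."""
    p = path.rstrip("\\").upper()
    roots = [s.rstrip("\\").upper() for s in system_paths]
    return bool(re.fullmatch(r"[A-Z]:", p)) or any(p == r or p.startswith(r + "\\") for r in roots)


def triage(ev: Dict[str, str], pol: SharePolicy) -> List[str]:
    eid, host = ev["EventID"], ev["Computer"]
    share, user = share_base(ev.get("ShareName", "")), ev.get("SubjectUserName", "?")
    out: List[str] = []
    if eid == "5140":
        src = ev.get("IpAddress", "")
        if not is_internal(src, pol.internal_nets):
            out.append(f"5140 {host}: {share} accessed by {user} from non-internal {src}")
        if host in pol.high_value_hosts and share == "C$":
            out.append(f"5140 {host}: C$ on high-value host accessed by {user}")
        hit = pol.watched_access.get(share, set()) & set(ev.get("AccessList", "").split())
        if hit:
            out.append(f"5140 {host}: watched access {sorted(hit)} on {share} by {user}")
    elif eid == "5142":
        path = ev.get("ShareLocalPath", "")
        if exposes_system_dir(path, pol.system_paths):
            out.append(f"5142 {host}: new share {share} exposes system path {path} (by {user})")
        elif host in pol.high_value_hosts:
            out.append(f"5142 {host}: new share {share} -> {path} on high-value host (by {user})")
    elif eid == "5144":
        if share in pol.critical_shares:
            out.append(f"5144 {host}: CRITICAL share {share} deleted by {user}")
        elif host in pol.high_value_hosts:
            out.append(f"5144 {host}: share {share} deleted on high-value host by {user}")
    return out


def make_event(event_id: str, computer: str, data: Dict[str, str]) -> str:
    """Constructed sample event in the page's XML layout (System + EventData)."""
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{items}</EventData></Event>')


POLICY = SharePolicy(internal_nets=[ipaddress.ip_network("10.0.0.0/8")],
                     high_value_hosts={"DC01.contoso.local"},
                     critical_shares={"SYSVOL", "NETLOGON"}, system_paths=(r"C:\Windows",),
                     watched_access={"DOCUMENTS": {"%%4417"}})  # %%4417 = WriteData (or AddFile)

SAMPLES = [  # constructed, not from a real log
    make_event("5142", "DC01.contoso.local", {"SubjectUserName": "dadmin",
               "ShareName": r"\\*\Tools", "ShareLocalPath": r"C:\Windows\Temp"}),
    make_event("5140", "DC01.contoso.local", {"SubjectUserName": "svc-backup",
               "ShareName": r"\\*\C$", "IpAddress": "::ffff:203.0.113.7", "AccessList": "%%4416"}),
    make_event("5144", "DC01.contoso.local", {"SubjectUserName": "dadmin", "ShareName": r"\\*\SYSVOL"}),
    make_event("5140", "FS01.contoso.local", {"SubjectUserName": "alice",
               "ShareName": r"\\*\Documents", "IpAddress": "::ffff:10.0.0.42", "AccessList": "%%4416 %%4417"}),
]


def triage_all(xml_events: List[str], pol: SharePolicy = POLICY) -> List[str]:
    return [f for x in xml_events for f in triage(parse_event(x), pol)]
```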
5168(F): SPN check for SMB/SMB2 failed.
5/31/2019 • 3 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File Share
Event Description:
This event generates when the SMB SPN check fails. It often happens because of NTLMv1 or LM protocol usage from the client side when the “Microsoft Network Server: Server SPN target name validation level” group policy is set to “Require from client” on the server side. The SPN is only sent to the server when the NTLMv2 or Kerberos protocols are used, and only after that can the SPN be validated.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5168</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T17:53:40.294859800Z" />
<EventRecordID>268946</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="80" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0xd0cd4</Data>
<Data Name="SpnName">N/A</Data>
<Data Name="ErrorCode">0xc0000022</Data>
<Data Name="ServerNames">CONTOSO;contoso.local;DC01.contoso.local;DC01;LocalHost;</Data>
<Data Name="ConfiguredNames">N/A</Data>
<Data Name="IpAddresses">127.0.0.1;::1;10.0.0.10;;fe80::31ea:6c3c:f40d:1973;;fe80::5efe:10.0.0.10;</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account for which the SPN check operation failed.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
SPN:
SPN Name [Type = UnicodeString]: SPN which was used to access the server. If SPN was not provided, then
the value will be “N/A”.
Note Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a
service. If you install multiple instances of a service on computers throughout a forest, each instance must have
its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might
use for authentication. For example, an SPN always includes the name of the host computer on which the
service instance is running, so a service instance might register an SPN for each name or alias of its host.
Error Code [Type = HexInt32]: hexadecimal error code, for example “0xC0000022” =
STATUS_ACCESS_DENIED. You can find description for all SMB error codes here:
https://msdn.microsoft.com/library/ee441884.aspx.
Server Information:
Server Names [Type = UnicodeString]: information about possible server names to use to access the target
server (NETBIOS, DNS, localhost, etc.).
Configured Names [Type = UnicodeString]: information about the names which were provided for
validation. If no information was provided the value will be “N/A”.
IP Addresses [Type = UnicodeString]: information about possible IP addresses to use to access the target
server (IPv4, IPv6).
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
We recommend monitoring for any 5168 event, because it can be a sign of a configuration issue or a malicious
authentication attempt.
Audit File System
1/2/2020 • 2 minutes to read
Applies to
Windows 10
Windows Server 2016
Audit File System determines whether the operating system generates audit events when users attempt to
access file system objects.
Audit events are generated only for objects that have configured system access control lists (SACLs), and only
if the type of access requested (such as Write, Read, or Modify) and the account making the request match the
settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file
system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time
any user unsuccessfully attempts to access a file system object that has a matching SACL.
These events are essential for tracking activity for file objects that are sensitive or valuable and require extra
monitoring.
Event volume: Varies, depending on how file system SACLs are configured.
No audit events are generated for the default file system SACLs.
This subcategory allows you to audit user attempts to access file system objects, file system object deletion
and permissions change operations and hard link creation actions.
Only one event, “4658: The handle to an object was closed,” depends on the Audit Handle Manipulation
subcategory (Success auditing must be enabled). All other events generate without any additional
configuration.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate SACLs for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess SACLs. Otherwise the auditing log will be overloaded with useless information. Failure events can show you unsuccessful attempts to access specific file system objects. Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them.
Member Server | IF | IF | IF | IF |
Workstation | IF | IF | IF | IF |
Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4663(S): An attempt was made to access an object.
4664(S): An attempt was made to create a hard link.
4985(S): The state of a transaction has changed.
5051(-): A file was virtualized.
4670(S): Permissions on an object were changed.
4656(S, F): A handle to an object was requested.
5/31/2019 • 16 minutes to read
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the operation
was performed. To see that the operation was performed, check “4663(S): An attempt was made to access an object.”
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:
(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:
(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
ACCESS | HEXADECIMAL VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
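Added example, not Microsoft's code: decoding the 4656 Access Mask and cross-checking it against the %%-coded Accesses list and the Access Reasons field, using the values from the event XML above. The access-rights table on this page is truncated after its first two rows, so the remaining bit values and %% codes are taken from winnt.h and the Security-Auditing message table; that they match your build is an assumption.

```python
"""Decode a 4656 AccessMask, cross-check it against the %%-coded AccessList, and split
the AccessReason field into per-right reasons. Added example, not Microsoft code."""
import re
from typing import Dict, List, Optional, Tuple

# bit -> (name from the Accesses column, %%code from the AccessList field). The page's
# table stops after the first two rows; the rest are the standard winnt.h file rights and
# Security-Auditing message codes (assumed to be the same on your build).
FILE_ACCESS: Dict[int, Tuple[str, str]] = {
    0x000001: ("ReadData (or ListDirectory)", "%%4416"),
    0x000002: ("WriteData (or AddFile)", "%%4417"),
    0x000004: ("AppendData (or AddSubdirectory or CreatePipeInstance)", "%%4418"),
    0x000008: ("ReadEA", "%%4419"),
    0x000010: ("WriteEA", "%%4420"),
    0x000020: ("Execute/Traverse", "%%4421"),
    0x000040: ("DeleteChild", "%%4422"),
    0x000080: ("ReadAttributes", "%%4423"),
    0x000100: ("WriteAttributes", "%%4424"),
    0x010000: ("DELETE", "%%1537"),
    0x020000: ("READ_CONTROL", "%%1538"),
    0x040000: ("WRITE_DAC", "%%1539"),
    0x080000: ("WRITE_OWNER", "%%1540"),
    0x100000: ("SYNCHRONIZE", "%%1541"),
}
CODE_TO_BIT = {code: bit for bit, (_, code) in FILE_ACCESS.items()}
KNOWN_BITS = sum(FILE_ACCESS)  # keys are distinct single bits, so their sum is their OR
# Rights that change content, metadata or the security descriptor.
WRITE_BITS = 0x2 | 0x4 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000


def decode_access_mask(mask) -> List[str]:
    """Names for each set bit of a hex string such as '0x12019f' (or an int); unknown bits kept as hex."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    names = [FILE_ACCESS[bit][0] for bit in sorted(FILE_ACCESS) if value & bit]
    if value & ~KNOWN_BITS:
        names.append(f"unknown(0x{value & ~KNOWN_BITS:x})")
    return names


def access_list_to_mask(access_list: str) -> int:
    """Rebuild the mask from the space-separated %%codes of the AccessList field."""
    mask = 0
    for code in access_list.split():
        if code not in CODE_TO_BIT:
            raise ValueError(f"unknown access code {code}")
        mask |= CODE_TO_BIT[code]
    return mask


def mask_matches_list(access_mask: str, access_list: str) -> bool:
    """Both fields describe the same request; a mismatch points at a parsing or schema problem."""
    return int(access_mask, 16) == access_list_to_mask(access_list)


def requests_write(access_mask: str) -> bool:
    return bool(int(access_mask, 16) & WRITE_BITS)


_REASON_RE = re.compile(r"(%%\d+):\s+(%%\d+)(?:\s+(D:\([^)]*\)))?")


def parse_access_reason(reason_field: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each requested %%code to (reason code, ACE the access check matched or None)."""
    return {code: (reason, ace or None) for code, reason, ace in _REASON_RE.findall(reason_field)}


def explain(access_mask: str, access_list: str, reason_field: str) -> List[str]:
    """One line per requested right: name, mask bit, reason code and the matching ACE when present."""
    reasons = parse_access_reason(reason_field)
    lines = []
    for code in access_list.split():
        bit = CODE_TO_BIT[code]
        reason, ace = reasons.get(code, ("-", None))
        lines.append(f"{FILE_ACCESS[bit][0]:<55} 0x{bit:06x} reason={reason}" + (f" ace={ace}" if ace else ""))
    return lines


# Field values from the 4656 event XML on this page (the wrapped AccessReason line joined).
SAMPLE_MASK = "0x12019f"
SAMPLE_LIST = "%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424"
SAMPLE_REASON = ("%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 "
                 "D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 "
                 "%%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809")

if __name__ == "__main__":
    print("mask and list agree:", mask_matches_list(SAMPLE_MASK, SAMPLE_LIST))
    for line in explain(SAMPLE_MASK, SAMPLE_LIST, SAMPLE_REASON):
        print(line)
```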
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during
the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that
case appears as “-”. See full list of user privileges in the table below:
PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to ___domain | With this privilege, the user can create a computer account. This privilege is valid only on ___domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on ___domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt, monitor
all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts (for
example, only write actions), monitor for all 4656 events with the corresponding Access Request
Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656 events
with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request Information\Accesses
rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
4658(S): The handle to an object was closed.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Handle Manipulation, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4658</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
    <EventRecordID>276724</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="5056" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="HandleId">0x18a8</Data>
    <Data Name="ProcessId">0xef0</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s handle”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be
closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To
see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no
recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
4660(S): An object was deleted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, and Audit Registry
Event Description:
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
This event generates only if “Delete” auditing is set in the object’s SACL.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4660</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
    <EventRecordID>270188</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="3060" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="HandleId">0x1678</Data>
    <Data Name="ProcessId">0xef0</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID (PID)
is a number used by the operating system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Security Monitoring Recommendations
For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to
parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to
monitor at the Kernel objects level.
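The correlation these notes rely on, as an added Python example that is not part of the Microsoft documentation: 4660 and 4658 carry only the Handle ID and Process ID, so the object name has to be recovered from the 4656 or 4663 event on the same handle in the same process, and the 4656/4658 pair gives how long the handle was open. The events are constructed samples, flattened to dicts whose keys follow the EventData names of the Event XML on this page.

```python
"""Rebuild a per-handle timeline from file-system audit events.

4660 (object deleted) and 4658 (handle closed) report only Handle ID and
Process ID, not the object name, so each has to be joined to the 4656 or
4663 event that carries the name for the same handle in the same process.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data), already flattened to dicts.
# Keys follow the EventData names of the Event XML on the page; SystemTime
# uses the TimeCreated format of that XML.
SAMPLE_EVENTS = [
    {"EventID": 4656, "SystemTime": "2015-09-18T21:05:27.500000000Z",
     "ProcessId": "0xef0", "HandleId": "0x1678",
     "ObjectType": "File", "ObjectName": "C:\\Documents\\HBI Data.txt"},
    {"EventID": 4663, "SystemTime": "2015-09-18T21:05:28.200000000Z",
     "ProcessId": "0xef0", "HandleId": "0x1678",
     "ObjectType": "File", "ObjectName": "C:\\Documents\\HBI Data.txt"},
    {"EventID": 4660, "SystemTime": "2015-09-18T21:05:28.677152100Z",
     "ProcessId": "0xef0", "HandleId": "0x1678"},
    {"EventID": 4658, "SystemTime": "2015-09-18T21:05:28.900000000Z",
     "ProcessId": "0xef0", "HandleId": "0x1678"},
    # A second handle in another process that is only opened and closed.
    {"EventID": 4656, "SystemTime": "2015-09-18T21:06:00.000000000Z",
     "ProcessId": "0x458", "HandleId": "0x1bc",
     "ObjectType": "File", "ObjectName": "C:\\Documents\\notes.txt"},
    {"EventID": 4658, "SystemTime": "2015-09-18T21:06:05.250000000Z",
     "ProcessId": "0x458", "HandleId": "0x1bc"},
    # A 4660 whose 4656 was not logged (e.g. Audit Handle Manipulation off).
    {"EventID": 4660, "SystemTime": "2015-09-18T21:07:00.000000000Z",
     "ProcessId": "0xdb0", "HandleId": "0x3f0"},
]


def parse_system_time(value):
    """Parse a 100-ns precision SystemTime such as the page's TimeCreated."""
    main, frac = value.rstrip("Z").split(".")
    return datetime.fromisoformat(f"{main}.{frac[:6]}")  # trim to microseconds


def build_handle_timelines(events):
    """Group events by (ProcessId, HandleId) and summarise each handle.

    The summary gives the object name resolved from the first event that
    carried one (None when no 4656/4663 was seen), the ordered event IDs,
    whether a 4660 delete occurred, and the seconds between 4656 and 4658
    (None when either end of the handle's life is missing).
    """
    grouped = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_system_time(e["SystemTime"])):
        grouped[(ev["ProcessId"], ev["HandleId"])].append(ev)

    timelines = {}
    for key, group in grouped.items():
        ids = [e["EventID"] for e in group]
        opened = next((e for e in group if e["EventID"] == 4656), None)
        closed = next((e for e in group if e["EventID"] == 4658), None)
        open_seconds = None
        if opened and closed:
            open_seconds = (parse_system_time(closed["SystemTime"])
                            - parse_system_time(opened["SystemTime"])).total_seconds()
        timelines[key] = {
            "object_name": next((e["ObjectName"] for e in group if "ObjectName" in e), None),
            "event_ids": ids,
            "deleted": 4660 in ids,
            "open_seconds": open_seconds,
        }
    return timelines


def deleted_objects(events):
    """Names of deleted objects (4660); None where the handle could not be resolved."""
    return [t["object_name"] for t in build_handle_timelines(events).values() if t["deleted"]]


if __name__ == "__main__":
    for key, summary in build_handle_timelines(SAMPLE_EVENTS).items():
        print(key, summary)
```

A None object name in the result is the case the text warns about: a delete was audited but no 4656/4663 with the same handle was logged, so the name cannot be recovered from the Security log alone.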
4663(S): An attempt was made to access an object.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if the object’s SACL has the required ACE for the specific access right that was used.
The main difference from “4656: A handle to an object was requested.” is that 4663 shows that the access right was used instead of just requested, and 4663 doesn’t have Failure events.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
    <EventRecordID>273866</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
    <Data Name="HandleId">0x1bc</Data>
    <Data Name="AccessList">%%4417 %%4418</Data>
    <Data Name="AccessMask">0x6</Data>
    <Data Name="ProcessId">0x458</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used for
correlation with other events, for example with Handle ID field in “4656(S, F): A handle to an object was
requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process ID
(PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
ACCESS | HEX VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (For registry objects, this is “Set key value.”) | 0x2, %%4417 | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical file system objects for which you need to monitor all access attempts, monitor this event
for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for example,
write actions), monitor this event for Object Name in relation to Access Request Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts,
monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access attempts
(for example, only write actions), monitor for all 4663 events with the corresponding Access Request
Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request Information\Accesses
rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
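The recommendations above for 4663 (and the near-identical ones for 4656 earlier) put into code, as an added Python example that is not Microsoft's: it parses the 4663 Event XML shown on this page, expands Access Mask 0x6 into the Accesses names of the table, flags the monitored write/delete rights, and checks the process name against the standard folders and restricted substrings the bullets describe. Access-mask bits beyond the 0x1 and 0x2 rows of the page's table are the standard FILE_* and generic access-mask values from winnt.h; the folder and substring lists are taken from the page's own examples.

```python
"""Decode and triage a 4663 'An attempt was made to access an object' event."""
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File-system access-mask bits, named as in the Accesses field. 0x1 and 0x2
# are the rows shown on the page; the rest are the standard winnt.h values.
FILE_ACCESS_BITS = [
    (0x1, "ReadData (or ListDirectory)"),
    (0x2, "WriteData (or AddFile)"),
    (0x4, "AppendData (or AddSubdirectory or CreatePipeInstance)"),
    (0x8, "ReadEA"),
    (0x10, "WriteEA"),
    (0x20, "Execute/Traverse"),
    (0x40, "DeleteChild"),
    (0x80, "ReadAttributes"),
    (0x100, "WriteAttributes"),
    (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"),
    (0x100000, "SYNCHRONIZE"),
]

# Rights the page recommends monitoring for file-system objects.
MONITORED_RIGHTS = {
    "WriteData (or AddFile)",
    "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "WriteEA", "DeleteChild", "WriteAttributes",
    "DELETE", "WRITE_DAC", "WRITE_OWNER",
}

# Standard folders and restricted substrings, following the page's examples.
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")

# The 4663 sample event from the page, trimmed to the elements used here.
SAMPLE_4663 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4663</EventID>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
    <Data Name="HandleId">0x1bc</Data>
    <Data Name="AccessList">%%4417 %%4418</Data>
    <Data Name="AccessMask">0x6</Data>
    <Data Name="ProcessId">0x458</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten an Event XML document into {EventID, <EventData Name>: text}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.find("e:EventData", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def decode_access_mask(mask_hex):
    """Expand an Access Mask such as '0x6' into access-right names."""
    mask = int(mask_hex, 16)
    return [name for bit, name in FILE_ACCESS_BITS if mask & bit]


def triage_4663(fields):
    """Apply the page's 4663 recommendations; return the findings raised."""
    findings = []
    used = decode_access_mask(fields["AccessMask"])
    hits = [r for r in used if r in MONITORED_RIGHTS]
    if hits:
        findings.append(f"monitored access on {fields['ObjectName']}: {', '.join(hits)}")
    proc = fields["ProcessName"].lower()
    if not proc.startswith(STANDARD_FOLDERS):
        findings.append(f"process outside standard folders: {fields['ProcessName']}")
    if any(s in ntpath.basename(proc) for s in RESTRICTED_SUBSTRINGS):
        findings.append(f"restricted process name: {fields['ProcessName']}")
    return findings


if __name__ == "__main__":
    event = parse_event(SAMPLE_4663)
    print(decode_access_mask(event["AccessMask"]))
    for finding in triage_4663(event):
        print(finding)
```

For the page's event, mask 0x6 decodes to WriteData and AppendData, matching the AccessList codes %%4417 %%4418, and both are on the monitored list; notepad.exe under System32 raises no process-name finding.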
4664(S): An attempt was made to create a hard link.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit File System
Event Description:
This event generates when an NTFS hard link was successfully created.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4664</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-21T23:50:26.871375900Z" />
    <EventRecordID>276680</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="2624" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x43659</Data>
    <Data Name="FileName">C:\notepad.exe</Data>
    <Data Name="LinkName">C:\Docs\My.exe</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
  </EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that made an attempt to create the hard link. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to create the hard
link.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Link Information:
File Name [Type = UnicodeString]: the name of the file or folder that the new hard link refers to.
Link Name [Type = UnicodeString]: full path name of the new hard link file.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Non Sensitive Privilege Use, Audit Other Privilege Use Events, and Audit Sensitive Privilege Use
Event Description:
This is an informational event from the file system Transaction Manager.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4985</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-19T00:00:40.099093300Z" />
    <EventRecordID>274277</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="5048" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TransactionId">{17EF5E21-5E2C-11E5-810F-00155D987005}</Data>
    <Data Name="NewState">52</Data>
    <Data Name="ResourceManager">{5F5ED427-FCCA-11E3-BD73-B54AB417B853}</Data>
    <Data Name="ProcessId">0x370</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that changed the state of the transaction.
Account Domain [Type = UnicodeString]: ___domain or computer name. Formats vary, and include the
following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Transaction Information:
RM Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was requested.”
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
New State [Type = UInt32]: identifier of the new state of the transaction.
Resource Manager [Type = GUID]: unique GUID of the Resource Manager associated with this transaction.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the state of the
transaction was changed. Process ID (PID) is a number used by the operating system to uniquely identify an
active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Applies to
Windows 10
Windows Server 2016
This event should be generated when file was virtualized using LUAFV.
This event occurs very rarely during standard LUAFV file virtualization.
There is no example of this event in this document.
Subcategory: Audit File System
Event Schema:
A file was virtualized.
Subject:
Security ID:%1%
Account Name:%2
Account Domain:%3
Logon ID:%4
Object:
File Name:%5
Virtual File Name:%6
Process Information:
Process ID:%7
Process Name%8
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object’s SACL. For example, for a file system object, it generates only if “Change Permissions” and/or “Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC” and/or “Write Owner” are set in the object’s SACL.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4670</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
    <EventRecordID>269529</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x43659</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
    <Data Name="HandleId">0x3f0</Data>
    <Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="ProcessId">0xdb0</Data>
    <Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
permissions were changed. For example, for a file, the path would be included. For Token objects, this field
typically equals “-“.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were
changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the object.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values
in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on ___domain controllers.
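The SDDL field layout described above and the 4670 monitoring recommendations can be exercised together on the event shown in this section. The following Python script is an added example written for this page, not Microsoft's code: it parses the 4670 event XML, splits the Original/New Security Descriptor strings into their O:, G:, D: and S: components and individual ACEs using the entry format given above, diffs the two DACLs, and applies the recommendations (process outside standard folders, restricted substrings such as "mimikatz", critical objects such as ntds.dit). The folder lists, the substring list, and the extra check for new Allow ACEs granted to the broad principals WD (Everyone) and AN (Anonymous) are constructed for the example; the SDDL handling covers the plain ACE form shown on the page and does not parse conditional ACEs.

```python
"""Triage a 4670 (permissions changed) event: parse the XML, diff the old and new
SDDL DACLs, and apply the monitoring recommendations from the page.
Added example for this page, not Microsoft's code. Rule lists are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ACE_RE = re.compile(r"\(([^)]*)\)")
# ACE field order from the page: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
ACE_KEYS = ("type", "flags", "rights", "object_guid", "inherit_object_guid", "sid")

# Constructed sample: the 4670 event shown on the page, trimmed to the fields used here.
SAMPLE_4670 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4670</EventID><Computer>DC01.contoso.local</Computer></System>
 <EventData>
  <Data Name="SubjectUserName">dadmin</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
  <Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
  <Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
  <Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
 </EventData>
</Event>"""

# Constructed rule lists following the recommendations on the page.
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
RESTRICTED_DIRS = ("\\temporary internet files\\",)
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
CRITICAL_OBJECTS = ("ntds.dit",)                       # the page's example for ___domain controllers
BROAD_PRINCIPALS = {"WD": "Everyone", "AN": "Anonymous"}  # SDDL aliases listed on the page


def event_fields(xml_text):
    """Flatten System/EventID and every EventData/Data element into one dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    return fields


def parse_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: components.
    D: and S: become {"flags": inheritance flags, "aces": [ace dict, ...]}."""
    parsed = {}
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if not part:
            continue
        key, body = part[0], part[2:]
        if key in ("O", "G"):
            parsed[key] = body
            continue
        first = body.find("(")
        flags = body if first < 0 else body[:first]
        aces = []
        for raw in ACE_RE.findall(body):
            ace = dict(zip(ACE_KEYS, raw.split(";")))
            ace["raw"] = raw
            aces.append(ace)
        parsed[key] = {"flags": flags, "aces": aces}
    return parsed


def dacl_diff(old_sd, new_sd):
    """Return (added, removed) ACE dicts between two DACLs, compared by raw ACE text."""
    old = parse_sddl(old_sd).get("D", {}).get("aces", [])
    new = parse_sddl(new_sd).get("D", {}).get("aces", [])
    old_raw = {a["raw"] for a in old}
    new_raw = {a["raw"] for a in new}
    return ([a for a in new if a["raw"] not in old_raw],
            [a for a in old if a["raw"] not in new_raw])


def review_4670(xml_text):
    """Apply the monitoring recommendations to one 4670 event; returns finding strings."""
    f = event_fields(xml_text)
    if f.get("EventID") != "4670":
        return []
    findings = []
    proc = f.get("ProcessName", "").lower()
    if not proc.startswith(STANDARD_DIRS):
        findings.append("process outside standard folders: " + f["ProcessName"])
    if any(d in proc for d in RESTRICTED_DIRS):
        findings.append("process in restricted folder: " + f["ProcessName"])
    if any(s in proc for s in RESTRICTED_SUBSTRINGS):
        findings.append("restricted substring in process name: " + f["ProcessName"])
    obj = f.get("ObjectName", "").lower()
    if any(c in obj for c in CRITICAL_OBJECTS):
        findings.append("critical object modified: " + f["ObjectName"])
    added, removed = dacl_diff(f.get("OldSd", ""), f.get("NewSd", ""))
    for ace in added:
        who = BROAD_PRINCIPALS.get(ace["sid"])
        if ace["type"] == "A" and who:
            findings.append(f"new Allow ACE grants {ace['rights']} to {who}: ({ace['raw']})")
    for ace in removed:
        findings.append("ACE removed: (" + ace["raw"] + ")")
    return findings


if __name__ == "__main__":
    for line in review_4670(SAMPLE_4670):
        print(line)
```

On the page's own event the only finding is the added (A;OICI;FA;;;WD) entry, i.e. Full Access for Everyone on the netcat-1.11 folder; dllhost.exe lives in System32, so none of the process-name rules fire. Feeding the script a stream of exported 4670 events instead of the embedded sample only requires replacing SAMPLE_4670 with each event's XML.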
Audit Filtering Platform Connection
1/3/2020
Applies to
Windows 10
Windows Server 2016
Audit Filtering Platform Connection determines whether the operating system generates audit events when
connections are allowed or blocked by the Windows Filtering Platform.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP
packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter
remote procedure calls (RPCs).
This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked
and allowed port bindings, blocked and allowed port listening actions, and applications blocked from accepting
incoming connections.
Event volume: High.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on
the network.
5150(-): The Windows Filtering Platform blocked a packet.
5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for
incoming connections.
5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for
incoming connections.
5156(S): The Windows Filtering Platform has permitted a connection.
5157(F): The Windows Filtering Platform has blocked a connection.
5158(S): The Windows Filtering Platform has permitted a bind to a local port.
5159(F): The Windows Filtering Platform has blocked a bind to a local port.
5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when an application was blocked from accepting incoming connections on the network by Windows Filtering Platform.
If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from the Windows Filtering Platform layer, because by default this layer denies any incoming connections.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5031</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T03:46:36.634473000Z" />
<EventRecordID>304373</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="2976" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="Profiles">Domain</Data>
<Data Name="Application">C:\documents\listener.exe</Data>
</EventData>
</Event>
Applies to
Windows 10
Windows Server 2016
This event is logged if the Windows Filtering Platform MAC filter blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Connection
Event Schema:
The Windows Filtering Platform has blocked a packet.
Network Information:
Direction:%1
Source Address:%2
Destination Address:%3
EtherType:%4
MediaType:%5
InterfaceType:%6
VlanTag:%7
Filter Information:
Applies to
Windows 10
Windows Server 2016
This event is logged if a more restrictive Windows Filtering Platform MAC filter has blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Connection
Event Schema:
A more restrictive Windows Filtering Platform filter has blocked a packet.
Network Information:
Direction:%1
Source Address:%2
Destination Address:%3
EtherType:%4
MediaType:%5
InterfaceType:%6
VlanTag:%7
Filter Information:
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates every time Windows Filtering Platform permits an application or service to listen on a port.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5154</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T02:04:25.757462900Z" />
<EventRecordID>287929</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3968" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">4152</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">4444</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14609</Data>
<Data Name="LayerRTID">40</Data>
</EventData>
</Event>
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
The logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by using
the diskpart utility. The command to get volume numbers using diskpart is “list volume”:
Network Information:
Source Address [Type = UnicodeString]: local IP address on which application requested to listen on the
port.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: source TCP\UDP port number which was requested for listening by
application.
Protocol [Type = UInt32]: protocol number. For example:
6 – TCP.
17 – UDP.
More information about possible values for this field:
https://technet.microsoft.com/library/cc959827.aspx.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that allows the application to listen on the specific port.
By default, Windows Firewall won't prevent an application from listening on a port, and if the application
doesn’t match any filters you will get the value 0 in this field.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters.
This command generates a filters.xml file. Open this file and find the substring with the required filter ID
(<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer ID, run the following command: netsh wfp show state. This command generates a
wfpstate.xml file. Open this file and find the substring with the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for
incoming connections.
If you have a “whitelist” of applications that are associated with certain operating systems or server roles,
and that are expected to listen on specific ports, monitor this event for “Application Name” and other
relevant information.
If a certain application is allowed to listen only on specific port numbers, monitor this event for
“Application Name” and “Network Information\Source Port.”
If a certain application is allowed to listen only on a specific IP address, monitor this event for “Application
Name” and “Network Information\Source Address.”
If a certain application is allowed to use only TCP or UDP protocols, monitor this event for “Application
Name” and the protocol number in “Network Information\Protocol.”
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Typically this event has an informational purpose.
5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
9/10/2019
Applies to
Windows 10
Windows Server 2016
By default, Windows Firewall won't prevent an application from listening on a port. In other words, the Windows
system will not generate Event 5155 by itself.
You can add your own filters using the WFP APIs to block listening and so reproduce this event:
https://msdn.microsoft.com/library/aa364046(v=vs.85).aspx.
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates every time the Windows Filtering Platform blocks an application or service from listening on
a port for incoming connections.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5155</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-18T03:49:08.507780900Z" />
<EventRecordID>42196</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2788" />
<Channel>Security</Channel>
<Computer>NATHAN-AGENT2</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">2628</Data>
<Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">5555</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">84576</Data>
<Data Name="LayerName">%%14609</Data>
<Data Name="LayerRTID">40</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Application Information:
Process ID [Type = Pointer]: Hexadecimal Process ID (PID) of the process which was permitted to bind to
the local port. The PID is a number used by the operating system to uniquely identify an active process. To
see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: Full path and the name of the executable for the process.
Logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by
using the diskpart utility. The command to get volume numbers using diskpart is “list volume”:
Network Information:
Source Address [Type = UnicodeString]: The local IP address of the computer running the application.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: The port number used by the application.
Protocol [Type = UInt32]: the protocol number being used.
Filter Information:
Filter Run-Time ID [Type = UInt64]: A unique filter ID which blocks the application from binding to the
port. By default, Windows firewall won't prevent a port from binding to an application, and if this application
doesn’t match any filters, you will get a 0 value in this field.
To find a specific Windows Filtering Platform filter by ID, you need to execute the following command:
netsh wfp show filters. As a result of this command, a filters.xml file will be generated. You need to open
this file and find the specific substring with the required filter ID (<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific
Windows Filtering Platform layer ID, you need to execute the following command: netsh wfp show state.
As result of this command, a wfpstate.xml file will be generated. You need to open this file and find the
specific substring with the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
If you use Windows Filtering Platform APIs to block application or services from listening on a port, then you
can use this event for troubleshooting and monitoring.
5156(S): The Windows Filtering Platform has permitted a connection.
10/23/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when Windows Filtering Platform has allowed a connection.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5156</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T05:24:22.622090200Z" />
<EventRecordID>308129</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3712" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">4556</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.10</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="DestAddress">10.0.0.100</Data>
<Data Name="DestPort">49278</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">70201</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>
Network Information:
Direction [Type = UnicodeString]: direction of allowed connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: IP address from which the connection was initiated.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number from which the connection was initiated.
Destination Address [Type = UnicodeString]: IP address where the connection was received.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: port number where the connection was received.
Protocol [Type = UInt32]: number of protocol which was used.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique filter ID which allowed the connection.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters.
This command generates a filters.xml file. Open this file and find the substring with the required filter ID
(<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer ID, run the following command: netsh wfp show state. This command generates a
wfpstate.xml file. Open this file and find the substring with the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5156(S): The Windows Filtering Platform has permitted a connection.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that “Source Address” is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5156 events where “Destination Address” is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address.”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5156 events with that
“Source Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
5157(F): The Windows Filtering Platform has blocked a connection.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates when Windows Filtering Platform has blocked a connection.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5157</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T03:46:51.662750400Z" />
<EventRecordID>304390</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">4556</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.10</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="DestAddress">10.0.0.100</Data>
<Data Name="DestPort">49218</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">110398</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>
Network Information:
Direction [Type = UnicodeString]: direction of blocked connection.
Inbound – for inbound connections.
Outbound – for outbound connections.
Source Address [Type = UnicodeString]: local IP address on which application received the connection.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: port number on which application received the connection.
Destination Address [Type = UnicodeString]: IP address from which connection was received or initiated.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: port number which was used from remote machine to initiate
connection.
Protocol [Type = UInt32]: number of protocol which was used.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique filter ID which blocked the connection.
To find a specific Windows Filtering Platform filter by ID, run the following command: netsh wfp show filters.
This command generates a filters.xml file. Open this file and find the substring with the required filter ID
(<filterId>), for example:
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer ID, run the following command: netsh wfp show state. This command generates a
wfpstate.xml file. Open this file and find the substring with the required layer ID (<layerId>), for example:
Security Monitoring Recommendations
For 5157(F): The Windows Filtering Platform has blocked a connection.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that “Source Address” is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5157 events where “Destination Address” is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address.”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5157 events with that
“Source Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
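The recommendation lists for 5154, 5156 and 5157 above describe the same handful of checks applied to different events: an allow-list of listeners per port and protocol, a "Source Address" that must belong to the host, a "Destination Address" that must stay out of the Internet or off a never-contact list, and a "Protocol" other than 1, 6 or 17. The following Python script is an added example written for this page, not Microsoft's code, that applies those checks to events in the XML schema shown above. The policy values (local address set, listener allow-list, blocklist, whether Internet access is allowed), the "private IP ranges" list, and the sample events are constructed; the two events taken from the page are the 5154 and 5156 examples. It also assumes that the Direction resource strings %%14592 and %%14593 render as Inbound and Outbound (the page shows only %%14592), and 203.0.113.0/24, a documentation range, stands in for an Internet host.

```python
"""Apply the page's monitoring recommendations to Windows Filtering Platform events
5154 (listen permitted), 5156 (connection permitted) and 5157 (connection blocked).
Added example for this page, not Microsoft's code. Policy values, the private-range
list and the sample events are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: the Direction resource strings %%14592 / %%14593 render as
# Inbound / Outbound in Event Viewer (the page shows only %%14592).
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}
TYPICAL_PROTOCOLS = {1, 6, 17}          # ICMP, TCP, UDP, per the recommendations

# "Private IP ranges" as used by the recommendations: RFC 1918, loopback,
# link-local and their IPv6 counterparts. Anything else is treated as Internet.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed policy for one host.
LOCAL_ADDRESSES = {"10.0.0.10", "0.0.0.0", "127.0.0.1", "::", "::1"}
LISTEN_ALLOWLIST = {  # application -> {(protocol, port)} it may listen on
    r"\device\harddiskvolume2\documents\listener.exe": {(6, 4444), (6, 3333)},
}
RESTRICTED_SUBSTRINGS = ("mimikatz", "cain.exe")
INTERNET_ALLOWED = False                # this host should never reach the Internet
NEVER_CONTACT = {ipaddress.ip_address("198.51.100.9")}   # constructed blocklist


def wfp_event(event_id, data):
    """Build a Security-log style event (constructed) in the page's XML schema."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


SAMPLES = [
    # 5154 example from the page: listener.exe allowed to listen on 0.0.0.0:4444/TCP
    wfp_event(5154, {"ProcessId": "4152", "Application": r"\device\harddiskvolume2\documents\listener.exe",
                     "SourceAddress": "0.0.0.0", "SourcePort": "4444", "Protocol": "6"}),
    # 5156 inbound example from the page: 10.0.0.100 -> listener on 10.0.0.10:3333
    wfp_event(5156, {"ProcessID": "4556", "Application": r"\device\harddiskvolume2\documents\listener.exe",
                     "Direction": "%%14592", "SourceAddress": "10.0.0.10", "SourcePort": "3333",
                     "DestAddress": "10.0.0.100", "DestPort": "49278", "Protocol": "6"}),
    # constructed outbound 5156 to a non-private address (203.0.113.0/24 is a documentation range)
    wfp_event(5156, {"ProcessID": "2628", "Application": r"\device\harddiskvolume2\users\test\desktop\netcat\nc.exe",
                     "Direction": "%%14593", "SourceAddress": "10.0.0.10", "SourcePort": "49900",
                     "DestAddress": "203.0.113.5", "DestPort": "443", "Protocol": "6"}),
    # constructed inbound 5157: blocked GRE (protocol 47) from a blocklisted address
    wfp_event(5157, {"ProcessID": "4", "Application": "System", "Direction": "%%14592",
                     "SourceAddress": "10.0.0.10", "SourcePort": "0",
                     "DestAddress": "198.51.100.9", "DestPort": "0", "Protocol": "47"}),
]


def event_fields(xml_text):
    """Flatten System/EventID and every EventData/Data element into one dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    return fields


def is_private(addr):
    """True if addr (string or ip_address) falls in one of PRIVATE_RANGES."""
    addr = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    return any(addr in net for net in PRIVATE_RANGES)


def review_wfp(xml_text):
    """Return the findings the recommendations raise for one 5154/5156/5157 event."""
    f = event_fields(xml_text)
    eid, app = f["EventID"], f.get("Application", "").lower()
    proto = int(f.get("Protocol", "0"))
    findings = []
    if any(s in app for s in RESTRICTED_SUBSTRINGS):
        findings.append(f"{eid}: restricted substring in application name {app}")
    if eid == "5154":
        if (proto, int(f["SourcePort"])) not in LISTEN_ALLOWLIST.get(app, set()):
            findings.append(f"5154: {app} listening on {f['SourceAddress']}:{f['SourcePort']}"
                            f" protocol {proto} is not allow-listed")
    elif eid in ("5156", "5157"):
        direction = DIRECTION.get(f.get("Direction", ""), f.get("Direction", ""))
        dest = ipaddress.ip_address(f["DestAddress"])
        if f["SourceAddress"] not in LOCAL_ADDRESSES:
            findings.append(f"{eid}: source {f['SourceAddress']} is not an address of this host")
        if not INTERNET_ALLOWED and not is_private(dest):
            findings.append(f"{eid}: {direction} connection with Internet address {dest}")
        if dest in NEVER_CONTACT:
            findings.append(f"{eid}: {direction} connection with blocklisted address {dest}")
        if proto not in TYPICAL_PROTOCOLS:
            findings.append(f"{eid}: atypical protocol number {proto}")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        for line in review_wfp(sample):
            print(line)
```

The two events from the page produce no findings under this policy (listener.exe is allow-listed on 4444 and 3333, and 10.0.0.100 is private), the constructed outbound 5156 is flagged for its Internet destination, and the constructed 5157 raises three findings (Internet address, blocklisted address, atypical protocol). For 5156 and 5157 the script treats "Source Address" as the local side and "Destination Address" as the remote side in both directions, which is how the field descriptions above define them.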
5158(S): The Windows Filtering Platform has permitted a bind to a local port.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event generates every time Windows Filtering Platform permits an application or service to bind to a local port.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5158</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T05:24:03.376171200Z" />
<EventRecordID>308122</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3712" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">4556</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">3333</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14608</Data>
<Data Name="LayerRTID">36</Data>
</EventData>
</Event>
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
The logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by using the
diskpart utility; the command that lists them is “list volume”.
Network Information:
Source Address [Type = UnicodeString]: the local IP address to which the application bound the port.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: the port number that the application bound.
Protocol [Type = UInt32]: number of the protocol that was used.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that allowed the application to bind the port. By default
Windows Firewall does not prevent an application from binding a port, and if the application did not match any
filter this field contains 0 (as in the example above).
To find a specific Windows Filtering Platform filter by ID, run netsh wfp show filters. The command writes a
filters.xml file to the current directory; open it and search for the <filterId> element that contains the required
filter ID.
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run netsh wfp show state. The command writes a wfpstate.xml file to the current
directory; open it and search for the <layerId> element that contains the required layer ID.
5159(F): The Windows Filtering Platform has blocked a bind to a local port.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Connection
Event Description:
This event is logged if the Windows Filtering Platform has blocked a bind to a local port.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5159</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2019-04-19T07:36:55.955388300Z" />
<EventRecordID>44097</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="6480" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">7924</Data>
<Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
<Data Name="SourceAddress">0.0.0.0</Data>
<Data Name="SourcePort">5555</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">84614</Data>
<Data Name="LayerName">%%14608</Data>
<Data Name="LayerRTID">36</Data>
</EventData>
</Event>
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Application Name [Type = UnicodeString]: full path and the name of the executable for the process.
The logical disk is displayed in the format \device\harddiskvolume#. You can get all local volume numbers by using the
diskpart utility; the command that lists them is “list volume”.
Network Information:
Source Address [Type = UnicodeString]: the local IP address to which the application attempted to bind.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: the port number that the application attempted to bind.
Protocol [Type = UInt32]: number of the protocol that was used.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that blocked the application from binding to the port
(84614 in the example above). By default, Windows Firewall does not prevent an application from binding a port,
and if the application does not match any filter this field contains 0.
To find a specific Windows Filtering Platform filter by ID, run netsh wfp show filters. The command writes a
filters.xml file to the current directory; open it and search for the <filterId> element that contains the required
filter ID.
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run netsh wfp show state. The command writes a wfpstate.xml file to the current
directory; open it and search for the <layerId> element that contains the required layer ID.
Audit Filtering Platform Packet Drop
Applies to
Windows 10
Windows Server 2016
Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when
packets are dropped by the Windows Filtering Platform.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP
packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter
remote procedure calls (RPCs).
A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to
computers on your network.
Event volume: High.
Events List:
5152(F): The Windows Filtering Platform blocked a packet.
5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
5152(F): The Windows Filtering Platform blocked a packet.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Filtering Platform Packet Drop
Event Description:
This event generates when Windows Filtering Platform has blocked a network packet.
This event is generated per blocked packet, not per connection, which is why the subcategory’s event volume is high.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5152</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12809</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T16:52:37.274367300Z" />
<EventRecordID>321323</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4456" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessId">4556</Data>
<Data Name="Application">\device\harddiskvolume2\documents\listener.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">10.0.0.100</Data>
<Data Name="SourcePort">49278</Data>
<Data Name="DestAddress">10.0.0.10</Data>
<Data Name="DestPort">3333</Data>
<Data Name="Protocol">6</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
</EventData>
</Event>
Network Information:
Direction [Type = UnicodeString]: direction of the blocked packet.
Inbound – for inbound packets.
Outbound – for outbound packets.
Source Address [Type = UnicodeString]: the IP address the blocked packet was sent from. Whether this is the local
host or the remote one depends on Direction: in the example above (Inbound), Source Address 10.0.0.100 is the
remote sender, while Destination Address 10.0.0.10 and Destination Port 3333 identify the local listener (the
same port that listener.exe bound in the 5158 example). Check Direction before treating either address as local.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Source Port [Type = UnicodeString]: the port number the blocked packet was sent from.
Destination Address [Type = UnicodeString]: the IP address the blocked packet was sent to.
IPv4 Address
IPv6 Address
:: - all IP addresses in IPv6 format
0.0.0.0 - all IP addresses in IPv4 format
127.0.0.1 , ::1 - localhost
Destination Port [Type = UnicodeString]: the port number the blocked packet was sent to.
Protocol [Type = UInt32]: number of the protocol that was used.
Filter Information:
Filter Run-Time ID [Type = UInt64]: unique ID of the filter that blocked the packet.
To find a specific Windows Filtering Platform filter by ID, run netsh wfp show filters. The command writes a
filters.xml file to the current directory; open it and search for the <filterId> element that contains the required
filter ID.
Layer Name [Type = UnicodeString]: Application Layer Enforcement layer name.
Layer Run-Time ID [Type = UInt64]: Windows Filtering Platform layer identifier. To find a specific Windows
Filtering Platform layer by ID, run netsh wfp show state. The command writes a wfpstate.xml file to the current
directory; open it and search for the <layerId> element that contains the required layer ID.
Security Monitoring Recommendations
For 5152(F): The Windows Filtering Platform blocked a packet.
If you have a pre-defined application which should be used to perform the operation that was reported by
this event, monitor events with “Application” not equal to your defined application.
You can monitor to see if “Application” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in application names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Application.”
Check that Source Address is one of the addresses assigned to the computer.
If the computer or device should not have access to the Internet, or contains only applications that don’t
connect to the Internet, monitor for 5152 events where Destination Address is an IP address from the
Internet (not from private IP ranges).
If you know that the computer should never contact or be contacted by certain network IP addresses,
monitor for these addresses in “Destination Address.”
If you have a “whitelist” of IP addresses that the computer or device is expected to contact or be contacted
by, monitor for IP addresses in “Destination Address” that are not in the whitelist.
If you need to monitor all inbound connections to a specific local port, monitor for 5152 events with that
“Source Port.”
Monitor for all connections with a “Protocol Number” that is not typical for this device or computer, for
example, anything other than 1, 6, or 17.
If the computer’s communication with “Destination Address” should always use a specific “Destination
Port,” monitor for any other “Destination Port.”
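The recommendations above for 5152 (and the identical list for 5157), together with the Application, Source Address and Protocol fields shared by the 5158/5159 bind events, can be applied mechanically to event XML exported from the Security log. The following is an added example, not Microsoft code and not part of the original document. Its sample events are constructed here, modelled on the 5159 and 5152 records shown above with one field changed per sample to trigger a rule; the local-address and allow lists, and the choice of 8.8.8.8 as an Internet address, are assumptions for the example.

```python
"""Apply this page's monitoring recommendations to WFP audit events (5152, 5157, 5158, 5159).

Added example; not Microsoft code and not part of the original document. The rules are the
recommendations listed above. The sample events are constructed here, modelled on the 5159
and 5152 records shown on this page, with one field changed per sample to exercise a rule.
"""
import ipaddress
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Paths in WFP events use the \device\harddiskvolumeN form, so match lower-cased substrings.
STANDARD_DIRS = ("\\windows\\system32\\", "\\program files\\", "\\program files (x86)\\")
RESTRICTED_DIRS = ("\\temporary internet files\\",)
RESTRICTED_NAMES = ("mimikatz", "cain.exe")   # the page's examples; extend per environment
TYPICAL_PROTOCOLS = {1, 6, 17}                 # ICMP, TCP, UDP
# Assumed for this example: the host's own addresses and the peers it is allowed to talk to.
LOCAL_ADDRS = {ipaddress.ip_address("10.0.0.10")}
ALLOWED_PEERS = {ipaddress.ip_address("10.0.0.100")}


def parse_event(xml_text):
    """Flatten a Security-channel event into {"EventID": int, <Data Name>: text, ...}."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def check_event(ev):
    """Return the rule hits for one parsed event; an empty list means nothing to report."""
    hits = []
    app = ev.get("Application", "").lower()
    if not any(d in app for d in STANDARD_DIRS):
        hits.append("application outside System32/Program Files")
    if any(d in app for d in RESTRICTED_DIRS):
        hits.append("application in a restricted folder")
    if any(n in app for n in RESTRICTED_NAMES):
        hits.append("restricted name in application path")
    if int(ev.get("Protocol", "0")) not in TYPICAL_PROTOCOLS:
        hits.append(f"atypical protocol number {ev['Protocol']}")
    # 5152/5157 carry both ends of the packet; 5158/5159 carry only the local bind address.
    for key in ("SourceAddress", "DestAddress"):
        if key not in ev:
            continue
        addr = ipaddress.ip_address(ev[key])
        if addr.is_unspecified or addr.is_loopback or addr in LOCAL_ADDRS:
            continue  # wildcard bind, localhost, or this host's own address
        if addr.is_global:
            hits.append(f"{key} {addr} is an Internet address")
        elif addr not in ALLOWED_PEERS:
            hits.append(f"{key} {addr} is not on the allow list")
    return hits


def make_event(event_id, **data):
    """Build a minimal event record in the schema shown above (constructed sample data)."""
    rows = "".join(f'<Data Name="{name}">{value}</Data>' for name, value in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{rows}</EventData></Event>")


SAMPLES = {
    # Modelled on the page's 5159 record: netcat binding 0.0.0.0:5555 from a user's desktop.
    "bind_blocked": make_event(
        5159, ProcessId=7924,
        Application=r"\device\harddiskvolume2\users\test\desktop\netcat\nc.exe",
        SourceAddress="0.0.0.0", SourcePort=5555, Protocol=6, FilterRTID=84614),
    # Modelled on the page's 5152 record, with the sender changed to an Internet address.
    "drop_external": make_event(
        5152, ProcessId=4556,
        Application=r"\device\harddiskvolume2\windows\system32\svchost.exe",
        Direction="%%14592", SourceAddress="8.8.8.8", SourcePort=49278,
        DestAddress="10.0.0.10", DestPort=3333, Protocol=6, FilterRTID=0),
    # A 5157 that should produce no findings: allowed peer, standard folder, TCP.
    "clean": make_event(
        5157, ProcessId=4,
        Application=r"\device\harddiskvolume2\windows\system32\svchost.exe",
        Direction="%%14592", SourceAddress="10.0.0.100", SourcePort=49300,
        DestAddress="10.0.0.10", DestPort=445, Protocol=6, FilterRTID=0),
}


def triage(samples=SAMPLES):
    """Map sample name -> rule hits, so results can be inspected or asserted on."""
    return {name: check_event(parse_event(xml)) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits or 'no findings'}")
```

On a real host, feed parse_event the XML of exported records (for example from wevtutil qe Security /f:xml with a query on the event IDs, or from the ToXml() method of the records Get-WinEvent returns). Both addresses of a 5152/5157 record are checked rather than only “Destination Address”, because, as the 5152 example shows, which side is remote depends on Direction.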
5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
Applies to
Windows 10
Windows Server 2016
This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet.
There is no example of this event in this document.
Subcategory: Audit Filtering Platform Packet Drop
Event Schema:
A more restrictive Windows Filtering Platform filter has blocked a packet.
Application Information:
Process ID:%1
Application Name:%2
Network Information:
Source Address:%3
Source Port:%4
Protocol:%5
Filter Information:
Audit Handle Manipulation
Applies to
Windows 10
Windows Server 2016
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in the Audit File
System, Audit Kernel Object, Audit Registry, Audit Removable Storage and Audit SAM subcategories, and shows
object handle duplication and close actions.
Event volume: High.
Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments
Domain Controller | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze. There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor at the object-handle level.
Workstation       | No              | No              | No               | No               | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze. There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor at the object-handle level.
Events List:
4658(S): The handle to an object was closed.
4690(S): An attempt was made to duplicate a handle to an object.
4658(S): The handle to an object was closed. For a description of the event, see “4658(S): The handle to an
object was closed” in the Audit File System subcategory. This event doesn’t generate in the Audit Handle
Manipulation subcategory, but you can use this subcategory to enable it.
4690(S): An attempt was made to duplicate a handle to an object.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Handle Manipulation
Event Description:
This event generates if an attempt was made to duplicate a handle to an object.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4690</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12807</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T00:17:41.755998800Z" />
<EventRecordID>338632</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="1100" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="SourceHandleId">0x438</Data>
<Data Name="SourceProcessId">0x674</Data>
<Data Name="TargetHandleId">0xd9c</Data>
<Data Name="TargetProcessId">0x4</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to duplicate a
handle to an object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Source Handle Information:
Source Handle ID [Type = Pointer]: hexadecimal value of a handle which was duplicated. This field can
help you correlate this event with other events, for example “4663: An attempt was made to access an
object” in Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage or Audit SAM
subcategories.
Source Process ID [Type = Pointer]: hexadecimal Process ID of the process which opened the Source
Handle ID before it was duplicated. Process ID (PID) is a number used by the operating system to uniquely
identify an active process. To see the PID for a specific process you can, for example, use Task Manager
(Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
New Handle Information:
Target Handle ID [Type = Pointer]: hexadecimal value of the new handle (the copy of Source Handle ID ).
This field can help you correlate this event with other events, for example “4663: An attempt was made to
access an object” in Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage or
Audit SAM subcategories.
Target Process ID [Type = Pointer]: hexadecimal Process ID of the process which opened the Target
Handle ID. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID field.
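The hexadecimal-to-decimal conversion and the 4688 correlation described above, as an added example that is not Microsoft code and not part of the original page: the 4690 fields are those of the record shown above; the 4688 records are constructed for the example, using that event’s NewProcessId and NewProcessName field names, and the image path given to PID 0x674 is an assumption. Both events write PIDs as hexadecimal strings, so the join key is normalised before the lookup.

```python
"""Correlate 4690 (handle duplicated) with 4688 (process created) through hexadecimal PIDs.

Added example; not Microsoft code and not part of the original page. The 4690 record is the
one shown above. The 4688 records are constructed for this example (field names as logged by
4688; the image for PID 0x674 is an assumption). Task Manager shows the same PIDs in decimal.
"""


def pid_to_int(value):
    """Accept "0x674" (hex, as logged) or "1652" (decimal, as shown in Task Manager)."""
    text = str(value).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text)


def build_process_table(events_4688):
    """Map decimal PID -> image path from 4688 records (latest record wins on PID reuse)."""
    table = {4: "System"}  # PID 4 is the System process; it starts at boot and has no 4688
    for ev in events_4688:
        table[pid_to_int(ev["NewProcessId"])] = ev["NewProcessName"]
    return table


def explain_handle_duplication(ev_4690, process_table):
    """Resolve both PIDs of a 4690 record and say whether the handle crossed a process boundary."""
    src_pid = pid_to_int(ev_4690["SourceProcessId"])
    tgt_pid = pid_to_int(ev_4690["TargetProcessId"])
    return {
        "subject": f'{ev_4690["SubjectDomainName"]}\\{ev_4690["SubjectUserName"]}',
        "source_pid": src_pid,
        "source_image": process_table.get(src_pid, "<no 4688 seen>"),
        "source_handle": pid_to_int(ev_4690["SourceHandleId"]),
        "target_pid": tgt_pid,
        "target_image": process_table.get(tgt_pid, "<no 4688 seen>"),
        "target_handle": pid_to_int(ev_4690["TargetHandleId"]),
        # This example's own flag: a handle duplicated into a different process merits a look.
        "cross_process": src_pid != tgt_pid,
    }


# Constructed 4688 records (only the fields this example needs).
SAMPLE_4688 = [
    {"NewProcessId": "0x674", "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"NewProcessId": "0x1074", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

# The 4690 record shown on this page.
SAMPLE_4690 = {
    "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$", "SubjectDomainName": "CONTOSO",
    "SubjectLogonId": "0x3e7", "SourceHandleId": "0x438", "SourceProcessId": "0x674",
    "TargetHandleId": "0xd9c", "TargetProcessId": "0x4",
}


def demo():
    """Run the correlation on the page's 4690 record against the constructed 4688 table."""
    return explain_handle_duplication(SAMPLE_4690, build_process_table(SAMPLE_4688))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because PIDs are reused, the 4688 table should be built only from records that precede the 4690 in time; the dictionary above keeps the most recent record per PID, which is the right choice when records are fed in log order.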
Audit Kernel Object
Applies to
Windows 10
Windows Server 2016
Audit Kernel Object determines whether the operating system generates audit events when users attempt to
access the system kernel, which includes mutexes and semaphores.
Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits
generated are usually useful only to developers.
Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options
are enabled.
The “Audit: Audit the access of global system objects” policy setting controls the default SACL of kernel objects.
Event volume: High.
Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4663(S): An attempt was made to access an object.
4656(S, F): A handle to an object was requested.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel, or
registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the operation
was performed. To see that the operation was performed, check “4663(S): An attempt was made to access an
object.”
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:
(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:
(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some
objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4660(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-
0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
Access | Hexadecimal value, schema value | Description
ReadData (or ListDirectory) | 0x1, %%4416 (for registry objects, this is “Query key value”) | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) | 0x2, %%4417 (for registry objects, this is “Set key value”) | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used during
the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that
case appears as “-”. See full list of user privileges in the table below:
Privilege name | User right Group Policy name | Description
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to ___domain | With this privilege, the user can create a computer account. This privilege is valid only on ___domain controllers.
SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on ___domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt, monitor
all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts (for
example, only write actions), monitor for all 4656 events with the corresponding Access Request
Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656 events
with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request Information\Accesses
rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
4658(S): The handle to an object was closed.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit
Handle Manipulation, Audit Kernel Object,
Audit Registry, and Audit Removable Storage
Event Description:
This event generates when the handle to an
object is closed. The object could be a file
system, kernel, or registry object, or a file
system object on removable storage or a
device.
This event generates only if Success auditing is
enabled for Audit Handle Manipulation
subcategory.
Typically this event is needed if you need to
know how long the handle to the object was
open. Otherwise, it might not have any security
relevance.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s handle”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be
closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To
see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no
recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
4660(S): An object was deleted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel
Object, and Audit Registry
Event Description:
This event generates when an object was
deleted. The object could be a file system,
kernel, or registry object.
This event generates only if “Delete” auditing is set in the object’s SACL.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID (PID)
is a number used by the operating system to uniquely identify an active process. To see the PID for a specific
process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an object was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Security Monitoring Recommendations
For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the kernel object level.
4663(S): An attempt was made to access an object.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System,
Audit Kernel Object, Audit Registry,
and Audit Removable Storage
Event Description:
This event indicates that a specific
operation was performed on an
object. The object could be a file
system, kernel, or registry object, or
a file system object on removable
storage or a device.
This event generates only if the object’s SACL contains an ACE that audits the specific access right that was used.
The main difference from “4656: A handle to an object was requested.” is that 4663 shows that an access right was actually used rather than just requested, and 4663 has no Failure events.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used for
correlation with other events, for example with Handle ID field in “4656(S, F): A handle to an object was
requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For some objects, the field does not apply and “-” is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process ID
(PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID. These
access rights depend on Object Type. The following table contains information about the most common access
rights for file system objects. Access rights for registry objects are often similar to file system objects, but the
table contains a few notes about how they vary.
ACCESS | HEX VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) | 0x1, %%4416 (For registry objects, this is “Query key value.”) | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) | 0x2, %%4417 (For registry objects, this is “Set key value.”) | WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have critical file system objects for which you need to monitor all access attempts, monitor this event
for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for example,
write actions), monitor this event for Object Name in relation to Access Request Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts,
monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access attempts
(for example, only write actions), monitor for all 4663 events with the corresponding Access Request
Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request Information\Accesses
rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
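The monitoring recommendations for 4656 (earlier on this page) and for 4663 (above) share the same three process-name checks and the same list of write-class access rights. The routine below is an added worked example, not code from the page or from Microsoft: it flattens the Security event XML shown on this page into a field map and applies those checks. The standard and restricted folders and the name substrings are the page's own examples and are meant to be tuned; the access-mask bit values beyond ReadData (0x1) and WriteData (0x2) are the standard Win32 file-rights constants, assumed here because the page's table is cut off after WriteData; both sample events are constructed, modelled on the page's 4663 example.

```python
import xml.etree.ElementTree as ET

# Namespace of the Security channel event XML shown on this page.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# File-object access-mask bits for the rights the recommendations single out.
# The page's table covers only 0x1 (ReadData) and 0x2 (WriteData); the rest are
# the standard Win32 FILE_* / standard-rights constants (assumed, not from the page).
WATCHED_WRITE_RIGHTS = {
    0x2: "WriteData (or AddFile)",
    0x4: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x10: "WriteEA",
    0x40: "DeleteChild",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# Policy values taken from the page's examples; tune them to the environment.
STANDARD_FOLDERS = (r"C:\Windows\System32", r"C:\Program Files")
RESTRICTED_FOLDERS = ("Temporary Internet Files",)      # substring match on the path
RESTRICTED_NAME_SUBSTRINGS = ("mimikatz", "cain.exe")   # substring match on the path


def parse_event(xml_text):
    """Flatten a Security event's EventID and EventData fields into a dict."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext(f"{EVT_NS}System/{EVT_NS}EventID", default="")}
    for data in root.iter(f"{EVT_NS}Data"):
        fields[data.get("Name", "")] = data.text or ""
    return fields


def check_event(fields, sensitive_objects=()):
    """Apply the 4656/4663 monitoring recommendations; return a list of findings."""
    findings = []
    proc = fields.get("ProcessName", "").lower()
    # Process Name not in a standard folder (prefix match on the full path).
    if not any(proc.startswith(folder.lower() + "\\") for folder in STANDARD_FOLDERS):
        findings.append("process not in a standard folder: " + fields.get("ProcessName", ""))
    if any(folder.lower() in proc for folder in RESTRICTED_FOLDERS):
        findings.append("process in a restricted folder")
    if any(word in proc for word in RESTRICTED_NAME_SUBSTRINGS):
        findings.append("restricted substring in process name")
    # Object-level check: write-class rights used against an object on the watch list.
    watched = {name.lower() for name in sensitive_objects}
    if fields.get("ObjectName", "").lower() in watched:
        mask = int(fields.get("AccessMask", "0x0"), 16)
        used = [name for bit, name in WATCHED_WRITE_RIGHTS.items() if mask & bit]
        if used:
            findings.append("write-class access to sensitive object: " + ", ".join(used))
    return findings


# Constructed sample, modelled on the page's 4663 example: notepad.exe writing HBI Data.txt.
SAMPLE_4663 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4663</EventID><Channel>Security</Channel></System>
<EventData>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
</EventData></Event>"""

# Constructed sample: the same object read (mask 0x1) from a restricted folder by a flagged name.
SAMPLE_SUSPICIOUS = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4663</EventID><Channel>Security</Channel></System>
<EventData>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="ProcessName">C:\Users\dadmin\AppData\Local\Temporary Internet Files\cain.exe</Data>
</EventData></Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_4663, SAMPLE_SUSPICIOUS):
        fields = parse_event(sample)
        for finding in check_event(fields, sensitive_objects=[r"C:\Documents\HBI Data.txt"]):
            print(fields["EventID"], fields["ProcessName"], "->", finding)
```

The check keys on Access Mask rather than on the %%-coded Accesses list, because the mask is a plain integer and the same bits apply to 4656 and 4663; a plain read (0x1) of a watched file therefore produces no object finding, while the page's example (mask 0x6) reports both WriteData and AppendData. The prefix match on standard folders is deliberately strict: a process in "C:\Program Files (x86)" is reported unless that folder is added to STANDARD_FOLDERS.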
Audit Other Object Access Events
1/2/2020
Applies to
Windows 10
Windows Server 2016
Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and
indirect object access requests.
Event volume: Low.
Events List:
4671(-): An application attempted to access a blocked ordinal through the TBS.
4691(S): Indirect access to an object was requested.
5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
5149(F): The DoS attack has subsided and normal processing is being resumed.
4698(S): A scheduled task was created.
4699(S): A scheduled task was deleted.
4700(S): A scheduled task was enabled.
4701(S): A scheduled task was disabled.
4702(S): A scheduled task was updated.
5888(S): An object in the COM+ Catalog was modified.
5889(S): An object was deleted from the COM+ Catalog.
5890(S): An object was added to the COM+ Catalog.
4671(-): An application attempted to access a blocked ordinal through the TBS.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
Subcategory: Audit Other Object Access Events
4691(S): Indirect access to an object was requested.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access
Events
Event Description:
This event indicates that indirect access to
an object was requested.
These events are generated for ALPC
Ports access request actions.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4691</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T01:03:49.834912100Z" />
<EventRecordID>344382</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2928" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x36509</Data>
<Data Name="ObjectType">ALPC Port</Data>
<Data Name="ObjectName">\\Sessions\\2\\Windows\\DwmApiPort</Data>
<Data Name="AccessList">%%4464</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="ProcessId">0xe60</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested an access to the object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Type [Type = UnicodeString]: The type of an object for which access was requested.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: full path and name of the object for which access was requested.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. “Table 13. File access codes.” contains information about the
most common access rights for file system objects. For information about ALPC ports access rights, use
https://technet.microsoft.com/ or other informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed. See
“Table 13. File access codes.” for more information about file access rights. For information about ALPC
ports access rights, use https://technet.microsoft.com/ or other informational resources.
5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
Applies to
Windows 10
Windows Server 2016
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack
starts or was detected.
There is no example of this event in this document.
Subcategory: Audit Other Object Access Events
Event Schema:
The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with
this attack will be discarded.
Network Information:
Type:%1
5149(F): The DoS attack has subsided and normal processing is being resumed.
Applies to
Windows 10
Windows Server 2016
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack has ended.
There is no example of this event in this document.
Subcategory: Audit Other Object Access Events
Event Schema:
The DoS attack has subsided and normal processing is being resumed.
Network Information:
Type:%1
Packets Discarded:%2
4698(S): A scheduled task was created.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a new scheduled task is
created.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4698</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:03:06.944522200Z" />
<EventRecordID>344740</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\\Microsoft\\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2"
xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2015-09-
22T19:03:06.9258653</Date> <Author>CONTOSO\\dadmin</Author> </RegistrationInfo> <Triggers /> <Principals>
<Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\\dadmin</UserId>
<LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec>
<Command>C:\\Documents\\listener.exe</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “create scheduled task”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: new scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in Microsoft Task Scheduler tree starting from “Task
Scheduler Library” node:
Task Content [Type = UnicodeString]: the XML content of the new task. For more information about the XML
format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
We recommend monitoring all scheduled task creation events, especially on critical computers or devices.
Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
Monitor for new tasks located in the Task Scheduler Library root node, that is, where Task Name looks
like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located in the Task
Scheduler Library root node.
In the new task, if the Task Content: XML contains <LogonType>Password</LogonType> value, trigger
an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in
Credential Manager in cleartext format, and can be extracted using Administrative privileges.
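The two 4698 recommendations above (a Task Name of the form '\TASK_NAME' directly under the Task Scheduler Library root, and a Task Content containing <LogonType>Password</LogonType>) as a worked triage routine. This is an added example, not code from the page or from Microsoft. It takes the Task Name and Task Content field values of a 4698 event, parses the task definition XML and reports both conditions, also pulling out the run-as principal and the executed command for the analyst. The first sample is the page's own 4698 task content (trimmed to the relevant elements); the second, a root-node task with a stored password, is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML definition carried in the Task Content field.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_task_content(task_content):
    """Pull the security-relevant parts out of a 4698 Task Content XML string."""
    # Task Content carries an encoding="UTF-16" declaration although the audit pipeline
    # delivers it as text; ElementTree rejects that declaration on a str, so drop it first.
    root = ET.fromstring(_XML_DECL.sub("", task_content, count=1).lstrip())
    principal = f"{TASK_NS}Principals/{TASK_NS}Principal/"
    action = f"{TASK_NS}Actions/{TASK_NS}Exec/"
    return {
        "user_id": root.findtext(principal + f"{TASK_NS}UserId", default=""),
        "logon_type": root.findtext(principal + f"{TASK_NS}LogonType", default=""),
        "run_level": root.findtext(principal + f"{TASK_NS}RunLevel", default=""),
        "command": root.findtext(action + f"{TASK_NS}Command", default=""),
        "arguments": root.findtext(action + f"{TASK_NS}Arguments", default=""),
        "hidden": root.findtext(f"{TASK_NS}Settings/{TASK_NS}Hidden", default="") == "true",
    }


def assess_new_task(task_name, task_content):
    """Apply the 4698 recommendations; return (findings, parsed task)."""
    task = parse_task_content(task_content)
    findings = []
    # '\TASK_NAME': exactly one path component, so the task sits in the Library root node.
    if re.fullmatch(r"\\[^\\]+", task_name):
        findings.append("task registered in the Task Scheduler Library root node")
    if task["logon_type"] == "Password":
        findings.append("LogonType=Password: the run-as account's password is stored in Credential Manager")
    return findings, task


# The page's 4698 sample Task Content, trimmed to the elements used above.
PAGE_TASK = (
    r'<?xml version="1.0" encoding="UTF-16"?> '
    r'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    r"<RegistrationInfo><Author>CONTOSO\dadmin</Author></RegistrationInfo><Triggers />"
    r'<Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel>'
    r"<UserId>CONTOSO\dadmin</UserId><LogonType>InteractiveToken</LogonType></Principal></Principals>"
    r"<Settings><Hidden>false</Hidden></Settings>"
    r'<Actions Context="Author"><Exec><Command>C:\Documents\listener.exe</Command></Exec></Actions></Task>'
)

# Constructed sample: a task in the Library root whose principal logs on with a stored password.
ROOT_PASSWORD_TASK = (
    r'<?xml version="1.0" encoding="UTF-16"?>'
    r'<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    r'<Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel>'
    r"<UserId>CONTOSO\svc-backup</UserId><LogonType>Password</LogonType></Principal></Principals>"
    r"<Settings><Hidden>true</Hidden></Settings>"
    r'<Actions Context="Author"><Exec><Command>C:\Windows\notepad.exe</Command>'
    r"<Arguments>/example</Arguments></Exec></Actions></Task>"
)

if __name__ == "__main__":
    for name, content in ((r"\Microsoft\StartListener", PAGE_TASK), (r"\Backup", ROOT_PASSWORD_TASK)):
        findings, task = assess_new_task(name, content)
        print(name, task["user_id"], task["logon_type"], task["command"], task["arguments"])
        for finding in findings:
            print("  ->", finding)
```

The page's own task produces no findings (two-level path, InteractiveToken); the constructed root-node task produces both. Keeping the parsed principal, command and Hidden flag in the returned dict means an alert built on this routine can show the analyst what the task runs and as whom without re-parsing the event.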
4699(S): A scheduled task was deleted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task was
deleted.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4699</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:13:30.044244500Z" />
<EventRecordID>344827</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="5048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\Microsoft\My</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo> <Date>2015-08-25T13:56:10.5315552</Date> <Author>CONTOSO\dadmin</Author> </RegistrationInfo>
  <Triggers />
  <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\dadmin</UserId>
    <LogonType>Password</LogonType> </Principal> </Principals>
  <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority> </Settings>
  <Actions Context="Author"> <Exec> <Command>C:\Windows\notepad.exe</Command> </Exec> </Actions>
</Task></Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete scheduled task”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: deleted scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in Microsoft Task Scheduler tree starting from “Task
Scheduler Library” node:
Task Content [Type = UnicodeString]: the XML definition of the deleted task. For more information about the
XML format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
We recommend monitoring all scheduled task deletion events, especially on critical computers or devices.
Scheduled tasks are often used by malware to stay in the system after reboot or for other malicious actions.
This event is rare, so monitoring it generates little volume.
Monitor for deleted tasks located in the Task Scheduler Library root node, that is, where Task Name looks
like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located in the Task
Scheduler Library root node. Deletion of such tasks can be a sign of malicious activity.
If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for
4699 events with the corresponding Task Name.
4700(S): A scheduled task was enabled.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is enabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4700</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:32:47.606423000Z" />
<EventRecordID>344861</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="756" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\Microsoft\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\dadmin</Author> </RegistrationInfo>
  <Triggers />
  <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\dadmin</UserId>
    <LogonType>InteractiveToken</LogonType> </Principal> </Principals>
  <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority> </Settings>
  <Actions Context="Author"> <Exec> <Command>C:\Documents\listener.exe</Command> </Exec> </Actions>
</Task></Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “enable scheduled
task” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: enabled scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in Microsoft Task Scheduler tree starting from “Task
Scheduler Library” node:
Task Content [Type = UnicodeString]: the XML definition of the enabled task. For more information about the
XML format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled,
monitor for 4700 events with the corresponding Task Name.
4701(S): A scheduled task was disabled.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is disabled.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4701</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T02:32:45.844066600Z" />
<EventRecordID>344860</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4364" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\Microsoft\StartListener</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\dadmin</Author> </RegistrationInfo>
  <Triggers />
  <Principals> <Principal id="Author"> <RunLevel>LeastPrivilege</RunLevel> <UserId>CONTOSO\dadmin</UserId>
    <LogonType>InteractiveToken</LogonType> </Principal> </Principals>
  <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>false</Enabled> <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority> </Settings>
  <Actions Context="Author"> <Exec> <Command>C:\Documents\listener.exe</Command> </Exec> </Actions>
</Task></Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “disable scheduled
task” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: disabled scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in Microsoft Task Scheduler tree starting from “Task
Scheduler Library” node:
Task Content [Type = UnicodeString]: the XML definition of the disabled task. For more information about the
XML format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for 4701
events with the corresponding Task Name.
4702(S): A scheduled task was updated.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates every time a scheduled task is updated or changed.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4702</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T03:00:59.343820000Z" />
<EventRecordID>344863</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="596" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="TaskName">\Microsoft\StartListener</Data>
<Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo> <Date>2015-09-22T19:03:06.9258653</Date> <Author>CONTOSO\dadmin</Author> </RegistrationInfo>
  <Triggers />
  <Principals> <Principal id="Author"> <RunLevel>HighestAvailable</RunLevel> <UserId>CONTOSO\dadmin</UserId>
    <LogonType>InteractiveToken</LogonType> </Principal> </Principals>
  <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority> </Settings>
  <Actions Context="Author"> <Exec> <Command>C:\Documents\listener.exe</Command> </Exec> </Actions>
</Task></Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “change/update
scheduled task” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Task Information:
Task Name [Type = UnicodeString]: updated/changed scheduled task name. The format of this value is
“\task_path\task_name”, where task_path is a path in Microsoft Task Scheduler tree starting from “Task
Scheduler Library” node:
Task New Content [Type = UnicodeString]: the new XML definition of the updated task. For more information
about the XML format for scheduled tasks, see “XML Task Definition Format.”
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Monitor for updated scheduled tasks located in the Task Scheduler Library root node, that is, where Task
Name looks like ‘\TASK_NAME’. Scheduled tasks that are created manually or by malware are often located
in the Task Scheduler Library root node.
In the updated scheduled task, if Task New Content contains the <LogonType>Password</LogonType> value,
trigger an alert. In this case the password for the account that the scheduled task will run as is saved in
Credential Manager in cleartext format and can be extracted with administrative privileges.
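The following script is an added example and is not part of the original documentation. It applies the
monitoring recommendations for 4698 through 4702 to Security channel records in the XML form shown above,
the way a collector receiving forwarded events would: a Task Name in the Task Scheduler Library root node,
<LogonType>Password</LogonType> in the content of a created (4698) or updated (4702) task, and deletion,
enabling or disabling (4699, 4700, 4701) of a task on a watch list. The watch-listed task name, the sample
records and the account CONTOSO\dadmin in them are constructed for the example. Note that in a real export the
TaskContent value is XML-escaped inside its Data element, which is what the sample builder reproduces.

```python
"""Checks for the scheduled task audit events 4698-4702, applied to Security channel XML.

Added example (not Microsoft's code): root-node task names, LogonType Password
on create/update, and delete/enable/disable of a watch-listed task are the
three conditions the monitoring recommendations describe. Sample records are
constructed; the watch list is an assumption.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TSK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
ACTIONS = {4698: "created", 4699: "deleted", 4700: "enabled", 4701: "disabled", 4702: "updated"}

# Assumed watch list: tasks that must never be deleted, enabled or disabled on this host.
CRITICAL_TASKS = {"\\Microsoft\\Windows\\Backup\\NightlyBackup"}


def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) for one Security channel record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext(f"{EVT}System/{EVT}EventID"))
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT}Data")}
    return event_id, data


def task_principal(task_xml):
    """Return the UserId, LogonType and RunLevel from a task definition.

    The definition keeps its own <?xml ... encoding="UTF-16"?> declaration, but
    inside the event it is already decoded text, so the declaration is dropped
    before parsing rather than letting it contradict the actual encoding.
    """
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))
    principal = task.find(f"{TSK}Principals/{TSK}Principal")
    if principal is None:
        return {}
    return {tag: principal.findtext(f"{TSK}{tag}") for tag in ("UserId", "LogonType", "RunLevel")}


def evaluate(xml_text, critical_tasks=CRITICAL_TASKS):
    """Return the alerts the recommendations would raise for one record (empty list if none)."""
    event_id, data = parse_event(xml_text)
    if event_id not in ACTIONS:
        return []
    name = data.get("TaskName", "")
    who = f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}"
    alerts = []
    # Task Name of the form \TASK_NAME: the task sits in the Task Scheduler Library root node.
    if name.startswith("\\") and "\\" not in name[1:]:
        alerts.append(f"root-node task {name} {ACTIONS[event_id]} by {who}")
    # 4698 carries TaskContent, 4702 carries TaskContentNew; both can reveal a stored password.
    content = data.get("TaskContent") if event_id == 4698 else data.get("TaskContentNew")
    if content:
        principal = task_principal(content)
        if principal.get("LogonType") == "Password":
            alerts.append(f"task {name} runs as {principal.get('UserId')} with LogonType Password")
    # 4699/4700/4701 against a task on the watch list.
    if event_id in (4699, 4700, 4701) and name in critical_tasks:
        alerts.append(f"critical task {name} {ACTIONS[event_id]} by {who}")
    return alerts


def sample_event(event_id, task_name, logon_type="InteractiveToken"):
    """Constructed record in the shape shown above; the task XML is escaped as in a real export."""
    task_xml = (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel>'
        f"<UserId>CONTOSO\\dadmin</UserId><LogonType>{logon_type}</LogonType></Principal></Principals>"
        '<Actions Context="Author"><Exec><Command>C:\\Windows\\notepad.exe</Command></Exec></Actions>'
        "</Task>"
    )
    field = "TaskContentNew" if event_id == 4702 else "TaskContent"
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID><Task>12804</Task><Channel>Security</Channel></System>"
        '<EventData><Data Name="SubjectUserName">dadmin</Data>'
        '<Data Name="SubjectDomainName">CONTOSO</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="{field}">{escape(task_xml)}</Data></EventData></Event>'
    )


if __name__ == "__main__":
    for record in (sample_event(4698, "\\Updater", "Password"),
                   sample_event(4702, "\\Microsoft\\StartListener"),
                   sample_event(4699, "\\Microsoft\\Windows\\Backup\\NightlyBackup")):
        print(evaluate(record))
```

The root-node test deliberately keys on the path shape rather than on a name list, because the names attackers
choose are arbitrary while the ___location is what the recommendation singles out; the watch list is the only part
that has to be maintained per environment.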
5888(S): An object in the COM+ Catalog was
modified.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when an object in the COM+ Catalog is modified.
Although the event is assigned to the Audit System Integrity task (the Task value in the event XML is 12290,
not 12804 as for the scheduled task events above), it is enabled by this subcategory, Audit Other Object
Access Events.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5888</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T20:37:22.400120200Z" />
<EventRecordID>344994</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1352" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Applications</Data>
<Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data>
<Data Name="ModifiedObjectProperties">Name = 'COMApp' -> 'COMApp-New' cCOL_SecurityDescriptor = '<Opaque>' -> '<Opaque>'</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “modify/change
object” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of COM+ collection in which the object was
modified. Here is the list of possible collection values with descriptions:
COLLECTION  DESCRIPTION
PublisherProperties  Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
SubscriberProperties  Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
TransientPublisherProperties  Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties  Contains an object for each subscriber property for the parent TransientSubscriptions collection.
UsersInPartitionRole  Contains an object for each user in the partition role to which the collection is related.
UsersInRole  Contains an object for each user in the role to which the collection is related.
Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers for the modified
object. It depends on COM+ Catalog Collection value, for example, if COM+ Catalog Collection =
Applications, then you can find that:
ID - A GUID representing the application. This property is returned when the Key property method is
called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Object Properties Modified [Type = UnicodeString]: the list of object’s (Object Name) properties which
were modified.
The items have the following format: Property_Name = ‘OLD_VALUE’ -> ‘NEW_VALUE’
Check description for specific COM+ Catalog Collection to see the list of object’s properties and
descriptions.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a specific COM+ object for which you need to monitor all modifications, monitor all 5888 events
with the corresponding Object Name.
5889(S): An object was deleted from the COM+
Catalog.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when an object in the COM+ Catalog is deleted.
Although the event is assigned to the Audit System Integrity task (the Task value in the event XML is 12290,
not 12804 as for the scheduled task events above), it is enabled by this subcategory, Audit Other Object
Access Events.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5889</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T20:44:42.948569400Z" />
<EventRecordID>344998</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4756" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Applications</Data>
<Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data>
<Data Name="ObjectProperties">Name = COMApp-New ApplicationProxyServerName = ProcessType = 2 CommandLine = ServiceName = <null>
RunAsUserType = 1 Identity = Interactive User Description = IsSystem = N Authentication = 4 ShutdownAfter = 3 RunForever = N
Password = ******** Activation = Local Changeable = Y Deleteable = Y CreatedBy = AccessChecksLevel = 1
ApplicationAccessChecksEnabled = 1 cCOL_SecurityDescriptor = <Opaque> ImpersonationLevel = 3 AuthenticationCapability = 64
CRMEnabled = 0 3GigSupportEnabled = 0 QueuingEnabled = 0 QueueListenerEnabled = N EventsEnabled = 1 ProcessFlags = 0
ThreadMax = 0 ApplicationProxy = 0 CRMLogFile = DumpEnabled = 0 DumpOnException = 0 DumpOnFailfast = 0 MaxDumpCount = 5
DumpPath = %systemroot%\system32\com\dmp IsEnabled = 1 AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}
ConcurrentApps = 1 RecycleLifetimeLimit = 0 RecycleCallLimit = 0 RecycleActivationLimit = 0 RecycleMemoryLimit = 0
RecycleExpirationTimeout = 15 QCListenerMaxThreads = 0 QCAuthenticateMsgs = 0 ApplicationDirectory = SRPTrustLevel = 262144
SRPEnabled = 0 SoapActivated = 0 SoapVRoot = SoapMailTo = SoapBaseUrl = Replicable = 1</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of COM+ collection in which COM+ object was
deleted. Here is the list of possible collection values with descriptions:
COLLECTION  DESCRIPTION
PublisherProperties  Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
SubscriberProperties  Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
TransientPublisherProperties  Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties  Contains an object for each subscriber property for the parent TransientSubscriptions collection.
UsersInPartitionRole  Contains an object for each user in the partition role to which the collection is related.
UsersInRole  Contains an object for each user in the role to which the collection is related.
Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers for the deleted
object. It depends on COM+ Catalog Collection value, for example, if COM+ Catalog Collection =
Applications, then you can find that:
ID - A GUID representing the application. This property is returned when the Key property method is
called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Object Details [Type = UnicodeString]: the list of deleted object’s (Object Name) properties.
The items have the following format: Property_Name = VALUE
Check description for specific COM+ Catalog Collection to see the list of object’s properties and
descriptions.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a specific COM+ object for which you need to monitor all modifications (especially delete
operations), monitor all 5889 events with the corresponding Object Name.
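The following script is an added example and is not part of the original documentation. It covers the
recommendation given for 5888 and 5889 (and the same Object fields in 5890): the ObjectIdentifyingProperties,
ModifiedObjectProperties and ObjectProperties values are flat “Name = value” strings in which values may be
empty, contain spaces, or take the form 'old' -> 'new', so the script splits them into dictionaries and then
alerts on any catalog event whose Object Name (the application ID) is on a watch list. The watch list, the
sample record and the extra check on cCOL_SecurityDescriptor are the example's own assumptions; the field
values in the sample are those of the 5888 example above.

```python
"""Parsing and checks for the COM+ Catalog audit events 5888, 5889 and 5890.

Added example (not Microsoft's code): the Object fields in these events are
flat "Name = value" strings, so this splits them into dictionaries, records
'old' -> 'new' pairs for 5888, and raises an alert on any event for a
watch-listed Object Name (here the application ID). The sample record and the
watch list are constructed; the field values repeat the 5888 example above.
"""
import re
import xml.etree.ElementTree as ET

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
COMPLUS_EVENTS = {5888: "modified", 5889: "deleted", 5890: "added"}

# Assumed watch list: COM+ application IDs whose catalog entries must not change.
WATCHED_IDS = {"{1D34B2DC-0E43-4040-BA7B-2F1C181FD86A}"}

# A property name is a word immediately followed by " = "; the value runs to the next such marker.
_KEY = re.compile(r"\s*(\w+) =(?: |$)")
_CHANGE = re.compile(r"^'(.*)' -> '(.*)'$", re.S)


def parse_properties(text):
    """Turn "A = x B = C = y" into {"A": "x", "B": "", "C": "y"} (empty values are common in 5889)."""
    parts = _KEY.split(text)  # [prefix, key1, value1, key2, value2, ...]
    return {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}


def parse_changes(text):
    """For ModifiedObjectProperties, map each property to an (old, new) pair."""
    changes = {}
    for key, raw in parse_properties(text).items():
        m = _CHANGE.match(raw)
        changes[key] = (m.group(1), m.group(2)) if m else (raw, raw)
    return changes


def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) for one Security channel record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext(f"{EVT}System/{EVT}EventID"))
    return event_id, {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT}Data")}


def evaluate(xml_text, watched_ids=WATCHED_IDS):
    """Return (summary, alerts) for a 5888/5889/5890 record, or (None, []) for anything else."""
    event_id, data = parse_event(xml_text)
    if event_id not in COMPLUS_EVENTS:
        return None, []
    ident = parse_properties(data["ObjectIdentifyingProperties"])
    summary = {
        "action": COMPLUS_EVENTS[event_id],
        "collection": data["ObjectCollectionName"],
        "object": ident,
        "subject": f"{data.get('SubjectUserDomainName')}\\{data.get('SubjectUserName')}",
    }
    if event_id == 5888:
        summary["changes"] = parse_changes(data["ModifiedObjectProperties"])
    else:
        summary["properties"] = parse_properties(data["ObjectProperties"])
    alerts = []
    # Recommendation from the text: every event for a specific Object Name.
    # Applications identify by ID; Roles (the 5890 example) by ApplId plus Name.
    object_id = ident.get("ID") or ident.get("ApplId")
    if object_id in watched_ids:
        alerts.append(f"COM+ object {object_id} {summary['action']} in {summary['collection']} by {summary['subject']}")
    # Added heuristic (assumption): the security descriptor is reported as <Opaque>, so a write to it
    # cannot be diffed; its presence in the modified list is itself the signal.
    if "cCOL_SecurityDescriptor" in summary.get("changes", {}):
        alerts.append(f"security descriptor written on COM+ object {object_id}")
    return summary, alerts


# Constructed record; Data values are those of the 5888 example above, with <Opaque> XML-escaped.
SAMPLE_5888 = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>5888</EventID><Task>12290</Task><Channel>Security</Channel></System>"
    '<EventData><Data Name="SubjectUserName">dadmin</Data>'
    '<Data Name="SubjectUserDomainName">CONTOSO</Data>'
    '<Data Name="ObjectCollectionName">Applications</Data>'
    '<Data Name="ObjectIdentifyingProperties">ID = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} '
    "AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}</Data>"
    "<Data Name=\"ModifiedObjectProperties\">Name = 'COMApp' -> 'COMApp-New' "
    "cCOL_SecurityDescriptor = '&lt;Opaque&gt;' -> '&lt;Opaque&gt;'</Data>"
    "</EventData></Event>"
)

if __name__ == "__main__":
    summary, alerts = evaluate(SAMPLE_5888)
    print(summary["changes"])
    print(alerts)
```

Splitting on the “word followed by ‘ = ’” marker rather than on spaces is what keeps values such as “Interactive
User” intact and lets the many empty values in a 5889 record (“CommandLine = ServiceName = <null>”) come out as
empty strings instead of shifting every later property by one.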
5890(S): An object was added to the COM+ Catalog.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Other Object Access Events
Event Description:
This event generates when a new object is added to the COM+ Catalog.
Although the event is assigned to the Audit System Integrity task (the Task value in the event XML is 12290,
not 12804 as for the scheduled task events above), it is enabled by this subcategory, Audit Other Object
Access Events.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5890</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T19:45:04.239886800Z" />
<EventRecordID>344980</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="2856" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectUserDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">222443</Data>
<Data Name="ObjectCollectionName">Roles</Data>
<Data Name="ObjectIdentifyingProperties">ApplId = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} Name = CreatorOwner</Data>
<Data Name="ObjectProperties">Description =</Data>
</EventData>
</Event>
Account Name [Type = UnicodeString]: the name of the account that requested the “add object”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
COM+ Catalog Collection [Type = UnicodeString]: the name of COM+ collection to which the new object
was added. Here is the list of possible collection values with descriptions:
COLLECTION | DESCRIPTION
PublisherProperties | Contains an object for each publisher property for the parent SubscriptionsForComponent collection.
SubscriberProperties | Contains an object for each subscriber property for the parent SubscriptionsForComponent collection.
TransientPublisherProperties | Contains an object for each publisher property for the parent TransientSubscriptions collection.
TransientSubscriberProperties | Contains an object for each subscriber property for the parent TransientSubscriptions collection.
UsersInPartitionRole | Contains an object for each user in the partition role to which the collection is related.
UsersInRole | Contains an object for each user in the role to which the collection is related.
Object Name [Type = UnicodeString]: object-specific fields with the names and identifiers for the new
object. It depends on COM+ Catalog Collection value, for example, if COM+ Catalog Collection =
Applications, then you can find that:
ID - A GUID representing the application. This property is returned when the Key property method
is called on an object of this collection.
AppPartitionID - A GUID representing the application partition ID.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Object Details [Type = UnicodeString]: the list of new object’s (Object Name) properties.
The items have the following format: Property_Name = VALUE
Check description for specific COM+ Catalog Collection to see the list of object’s properties and
descriptions.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor for creation of new COM+ objects within specific COM+ collection, monitor all 5890
events with the corresponding COM+ Catalog Collection field value.
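The two recommendations above (5889 filtered by Object Name, 5890 filtered by COM+ Catalog Collection) can be applied with the following PowerShell, added here as an example and not taken from the original page or from Microsoft. It parses the event XML that Get-WinEvent's .ToXml() returns, so it runs offline against constructed samples. The watch lists, the 5889 sample (written with the same field names as 5890, which is an assumption about that event's schema) and the "Components" sample are assumptions for illustration.

```powershell
# Added example, not from the original page: filter COM+ Catalog audit events
# 5889 (object deleted) and 5890 (object added). For 5890 the filter is the
# COM+ Catalog Collection name; for 5889 it is the Object Name (identifying
# properties) of a specific object. Both watch lists are assumptions.

$WatchedCollections = @('Roles', 'Applications')                  # 5890: new objects in these collections
$WatchedObjectIds   = @('{1D34B2DC-0E43-4040-BA7B-2F1C181FD86A}') # 5889: deletions touching this ApplId

# Flatten one event's XML (what Get-WinEvent's .ToXml() returns) into a hashtable
# keyed by the Data Name attributes shown in the sample XML above.
function Get-EventFields([string]$EventXml) {
    $x = [xml]$EventXml
    $f = @{ EventID = [int]$x.Event.System.EventID }
    foreach ($d in $x.Event.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
    return $f
}

function Find-ComCatalogChange([string[]]$EventXmlList) {
    foreach ($xmlText in $EventXmlList) {
        $e = Get-EventFields $xmlText
        if ($e.EventID -notin 5889, 5890) { continue }
        $action = if ($e.EventID -eq 5890) { 'added' } else { 'deleted' }
        $hit = if ($e.EventID -eq 5890) { $e.ObjectCollectionName -in $WatchedCollections } else {
            [bool]($WatchedObjectIds | Where-Object { $e.ObjectIdentifyingProperties -like "*$_*" })
        }
        if ($hit) {
            [pscustomobject]@{
                EventID    = $e.EventID
                Action     = $action
                Subject    = "$($e.SubjectUserDomainName)\$($e.SubjectUserName)"   # 5890 uses SubjectUserDomainName
                Collection = $e.ObjectCollectionName
                Object     = $e.ObjectIdentifyingProperties
                Properties = $e.ObjectProperties
            }
        }
    }
}

# Constructed samples: the page's 5890 (a Roles object added), a 5889 for the
# same object, and an unwatched collection that must not be reported.
function New-SampleXml($Id, $Collection, $ObjectName) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectUserDomainName">CONTOSO</Data>
    <Data Name="ObjectCollectionName">$Collection</Data>
    <Data Name="ObjectIdentifyingProperties">$ObjectName</Data>
    <Data Name="ObjectProperties">Description =</Data>
  </EventData>
</Event>
"@
}
$Samples = @(
    (New-SampleXml 5890 'Roles'      'ApplId = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} Name = CreatorOwner'),
    (New-SampleXml 5889 'Roles'      'ApplId = {1D34B2DC-0E43-4040-BA7B-2F1C181FD86A} Name = CreatorOwner'),
    (New-SampleXml 5890 'Components' 'CLSID = {00000000-0000-0000-0000-000000000001}')   # not watched
)
Find-ComCatalogChange $Samples | Format-Table -AutoSize

# Live use (elevated, Security log):
# Find-ComCatalogChange (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5889,5890} | ForEach-Object { $_.ToXml() })
```

The first two samples are reported (collection match for the add, object match for the delete); the third is not. Matching 5889 by a substring of Object Name rather than by collection is deliberate: deletions of a single critical object matter regardless of which collection they live in.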
Audit Registry
12/23/2019
Applies to
Windows 10
Windows Server 2016
Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only
for objects that have system access control lists (SACLs) specified, and only if the type of access requested,
such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a
registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time
any user unsuccessfully attempts to access a registry object that has a matching SACL.
Event volume: Low to Medium, depending on how registry SACLs are configured.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure
Domain Controller | IF | IF | IF | IF
Member Server | IF | IF | IF | IF
Workstation | IF | IF | IF | IF
Comments: We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate SACLs for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess SACLs. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific registry objects.
Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them.
Events List:
4663(S): An attempt was made to access an object.
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4660(S): An object was deleted.
4657(S): A registry value was modified.
5039(-): A registry key was virtualized.
4670(S): Permissions on an object were changed.
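The guidance above (enable the subcategory only with a SACL plan, keep SACLs narrow, remove excess ones) translates into the following elevated PowerShell, added here as an example and not taken from the original page or from Microsoft. The key path, the audited principal and the stale ACE in the cleanup comment are assumptions chosen for illustration.

```powershell
# Added example, not from the original page: turn on the Audit Registry
# subcategory and place a narrow SACL on one key, so that 4656/4663/4657 are
# generated only for the accesses you plan to analyze. Run from an elevated
# PowerShell session (reading or writing a SACL needs SeSecurityPrivilege).
# The key path and the audited principal are assumptions for illustration.

# 1. Enable the subcategory for Success and Failure, then confirm the setting.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /get /subcategory:"Registry"

# 2. Audit only write-type rights on the key, for Everyone, inherited by subkeys.
#    Run keys are a common persistence ___location, which is why this one is chosen.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$acl     = Get-Acl -Path $keyPath -Audit
$rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$rule    = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Review what is actually audited. An entry that audits broad rights such as
#    ReadKey for everyone is the kind of non-effective, excess SACL that floods
#    the log; remove such entries for the identity concerned with PurgeAuditRules.
(Get-Acl -Path $keyPath -Audit).Audit |
    Select-Object IdentityReference, RegistryRights, AuditFlags, InheritanceFlags, IsInherited

# Cleanup example (assumption: a stale audit ACE for the 'Users' group exists):
# $acl.PurgeAuditRules([System.Security.Principal.NTAccount]'Users'); Set-Acl -Path $keyPath -AclObject $acl
```

Auditing SetValue rather than ReadKey is the difference between a handful of 4657/4663 events when something registers for autostart and a continuous stream every time a process enumerates the key.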
4663(S): An attempt was made to access an object.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if the object’s SACL contains an ACE that audits the specific access right that was used.
The main difference from “4656: A handle to an object was requested.” is that 4663 shows that an access right was actually used, not merely requested, and 4663 has no Failure events.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory
___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the
SID for that user from the database and places it in the access token for that user. The system uses the
SID in the access token to identify the user in all subsequent interactions with Windows security. When a
SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify
another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to access an
object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully logged
on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for
which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can be used
for correlation with other events, for example with Handle ID field in “4656(S, F): A handle to an
object was requested.” This parameter might not be captured in the event, and in that case appears as
“0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For
some objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;
("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that accessed the object. Process
ID (PID) is a number used by the operating system to uniquely identify an active process. To see the
PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Accesses [Type = UnicodeString]: the list of access rights which were used by Subject\Security ID.
These access rights depend on Object Type. The following table contains information about the most
common access rights for file system objects. Access rights for registry objects are often similar to file
system objects, but the table contains a few notes about how they vary.
ACCESS | HEX VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For more
information, see the preceding table.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.
If you have critical file system objects for which you need to monitor all access attempts, monitor this
event for Object Name.
If you have critical file system objects for which you need to monitor certain access attempts (for
example, write actions), monitor this event for Object Name in relation to Access Request
Information\Accesses.
If you have file system objects with specific attributes, for which you need to monitor access attempts,
monitor this event for Resource Attributes.
If Object Name is a sensitive or critical registry key for which you need to monitor specific access
attempts (for example, only write actions), monitor for all 4663 events with the corresponding Access
Request Information\Accesses.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events
with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32
or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
For file system objects, we recommend that you monitor for these Access Request
Information\Accesses rights:
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
4656(S, F): A handle to an object was requested.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event indicates that specific access was requested for an object. The object could be a file system, kernel,
or registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the object’s SACL has the required ACE to handle the use of specific access
rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the
operation was performed. To see that the operation was performed, check “4663(S): An attempt was made to
access an object.”
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Documents\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:
(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:
(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory
___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the
SID for that user from the database and places it in the access token for that user. The system uses the
SID in the access token to identify the user in all subsequent interactions with Windows security. When a
SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify
another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an
object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS
LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this
account belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent
events that might contain the same Logon ID, for example, “4624: An account was successfully logged
on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for
which access was requested. For example, for a file, the path would be included.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S):
An attempt was made to access an object.” This parameter might not be captured in the event, and in
that case appears as “0x0”.
Resource Attributes [Type = UnicodeString] [Version 1]: attributes associated with the object. For
some objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;
("Impact_MS",TI,0x10020,3000))
Impact_MS: Resource Property ID.
3000: Resource Property Value.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new
process has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this
event with other events that might contain the same Transaction ID, such as “4660(S): An object was
deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-
0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to
identify resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. The following table contains information about the most
common access rights for file system objects. Access rights for registry objects are often similar to file
system objects, but the table contains a few notes about how they vary.
ACCESS | HEXADECIMAL VALUE, SCHEMA VALUE | DESCRIPTION
ReadData (or ListDirectory) (For registry objects, this is “Query key value.”) | 0x1, %%4416 | ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
Access Reasons [Type = UnicodeString] [Version 1]: the list of access check results. The format of this
varies, depending on the object. For kernel objects, this field does not apply.
Access Mask [Type = HexInt32]: hexadecimal mask for the requested or performed operation. For
more information, see the preceding table.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used
during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event,
and in that case appears as “-”. See full list of user privileges in the table below:
PRIVILEGE NAME | USER RIGHT GROUP POLICY NAME | DESCRIPTION
SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the Account cannot be delegated account control flag set.
SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege | Add workstations to ___domain | With this privilege, the user can create a computer account. This privilege is valid only on ___domain controllers.
SeShutdownPrivilege | Shut down the system | Required to shut down a local system.
SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on ___domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemtimePrivilege | Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only
specific Object Types.
Security Monitoring Recommendations
For 4656(S, F): A handle to an object was requested.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to
parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to
monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events
with “Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32
or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example,
“mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical object for which you need to monitor any access attempt,
monitor all 4656 events.
If Object Name is a sensitive or critical object for which you need to monitor specific access attempts
(for example, only write actions), monitor for all 4656 events with the corresponding Access Request
Information\Accesses values.
If you need to monitor files and folders with specific Resource Attribute values, monitor for all 4656
events with specific Resource Attributes field values.
For file system objects, we recommend that you monitor these Access Request
Information\Accesses rights (especially for Failure events):
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
DeleteChild
WriteAttributes
DELETE
WRITE_DAC
WRITE_OWNER
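The monitoring recommendations for 4663 (above, under that event) and for 4656 (just above) share the same three checks: the Access Request Information\Accesses values against the write-type list, the Object Name against a watch list, and the Process Name against standard folders and restricted substrings. The following PowerShell applies all three to both events; it is added here as an example and is not code from the original page or from Microsoft. It decodes Access Mask bits into the access right names from the table rather than string-matching the %%IDs in Accesses. The watched object, folder list, substring list and the third sample event are assumptions for illustration; the first two samples are trimmed copies of the page's own 4663 and failed 4656.

```powershell
# Added example, not from the original page: triage 4656 and 4663 events along
# the lines of the recommendations for both events. Decodes Access Mask, flags
# the write-type rights the page says to watch, and flags a Process Name that is
# outside standard folders or contains a restricted substring.

$WatchedObjects  = @('C:\Documents\HBI Data.txt')                                   # assumption
$StandardFolders = @('C:\Windows\System32\', 'C:\Program Files\', 'C:\Program Files (x86)\')
$RestrictedWords = @('mimikatz', 'cain.exe')

# File access rights by Access Mask bit; the names match the Accesses field.
$FileAccessRights = [ordered]@{
    0x1 = 'ReadData'; 0x2 = 'WriteData'; 0x4 = 'AppendData'; 0x8 = 'ReadEA'
    0x10 = 'WriteEA'; 0x20 = 'Execute'; 0x40 = 'DeleteChild'; 0x80 = 'ReadAttributes'
    0x100 = 'WriteAttributes'; 0x10000 = 'DELETE'; 0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC'; 0x80000 = 'WRITE_OWNER'; 0x100000 = 'SYNCHRONIZE'
}
# The rights the page recommends monitoring for file system objects.
$WriteMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000

# Flatten one event's XML (what Get-WinEvent's .ToXml() returns) into a hashtable.
function Get-EventFields([string]$EventXml) {
    $x = [xml]$EventXml
    $f = @{ EventID = [int]$x.Event.System.EventID; Keywords = [string]$x.Event.System.Keywords }
    foreach ($d in $x.Event.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
    return $f
}

function Expand-AccessMask([int]$Mask) {
    $FileAccessRights.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $FileAccessRights[$_] }
}

function Test-SuspiciousProcess([string]$ProcessName) {
    $p = $ProcessName.ToLowerInvariant()
    foreach ($w in $RestrictedWords) { if ($p.Contains($w)) { return "name contains '$w'" } }
    foreach ($f in $StandardFolders) { if ($p.StartsWith($f.ToLowerInvariant())) { return $null } }
    return 'outside standard folders'
}

function Find-SuspiciousObjectAccess([string[]]$EventXmlList) {
    foreach ($xmlText in $EventXmlList) {
        $e = Get-EventFields $xmlText
        if ($e.EventID -notin 4656, 4663) { continue }
        # Keywords 0x8020... marks Audit Success, 0x8010... Audit Failure (see the sample XML).
        $outcome = if ($e.Keywords -like '0x801*') { 'Failure' } else { 'Success' }
        $mask    = [Convert]::ToInt32($e.AccessMask.Substring(2), 16)
        $reasons = @()
        if ($e.ObjectName -in $WatchedObjects -and ($mask -band $WriteMask)) { $reasons += 'write-type access to watched object' }
        if ($e.EventID -eq 4656 -and $outcome -eq 'Failure' -and ($mask -band $WriteMask)) { $reasons += 'denied write-type request' }
        $why = Test-SuspiciousProcess $e.ProcessName
        if ($why) { $reasons += "process $why" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                EventID  = $e.EventID
                Outcome  = $outcome
                Subject  = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
                Object   = $e.ObjectName
                Accesses = (Expand-AccessMask $mask) -join ','
                Process  = $e.ProcessName
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Constructed samples, trimmed to the fields used above.
function New-SampleXml($Id, $Keywords, $Object, $Mask, $Proc) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID><Keywords>$Keywords</Keywords></System>
  <EventData><Data Name="SubjectUserName">dadmin</Data><Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectType">File</Data><Data Name="ObjectName">$Object</Data>
    <Data Name="AccessMask">$Mask</Data><Data Name="ProcessName">$Proc</Data></EventData>
</Event>
"@
}
$Samples = @(
    (New-SampleXml 4663 '0x8020000000000000' 'C:\Documents\HBI Data.txt' '0x6'      'C:\Windows\System32\notepad.exe'),
    (New-SampleXml 4656 '0x8010000000000000' 'C:\Documents\HBI Data.txt' '0x12019f' 'C:\Windows\System32\notepad.exe'),
    (New-SampleXml 4663 '0x8020000000000000' 'C:\Documents\HBI Data.txt' '0x10000'  'C:\Users\dadmin\AppData\Local\Temp\mimikatz.exe')
)
Find-SuspiciousObjectAccess $Samples | Format-Table -AutoSize

# Live use (elevated):
# Find-SuspiciousObjectAccess (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4663} -MaxEvents 5000 | ForEach-Object { $_.ToXml() })
```

All three samples are reported: the page's 4663 (mask 0x6 decodes to WriteData,AppendData on the watched file), the page's failed 4656 (mask 0x12019f includes WriteData, AppendData, WriteEA and WriteAttributes, so it is a denied write-type request), and the hypothetical DELETE from a tool in a temp folder, which trips both the object check and the process-name check. Decoding the mask rather than the %%IDs keeps the logic independent of the message-table lookups the Event Viewer performs.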
4658(S): The handle to an object was closed.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Handle Manipulation, Audit Kernel Object, Audit Registry, and Audit Removable Storage
Event Description:
This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\Windows\explorer.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “close object’s
handle” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested that the handle be
closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit
events.
Typically this event has little to no security relevance and is hard to parse or analyze. There is no
recommendation for this event, unless you know exactly what you need to monitor with it.
This event can be used to track all actions or operations related to a specific object handle.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
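The one use this event description grants 4658, tracking how long a handle stayed open, requires pairing it with the 4656 that opened the handle, because 4658 carries neither Object Name nor Object Type. The following PowerShell does that pairing; it is added here as an example and is not code from the original page or from Microsoft. Records are hashtables keyed by the field names from the event XML (in live use build them from Get-WinEvent output). The sample records are constructed: the Process ID, Handle ID and paths come from the page's examples, but the timestamps, the second file and the reuse of one handle value are assumptions.

```powershell
# Added example, not from the original page: pair each successful 4656 (handle
# requested) with the 4658 (handle closed) that shares its Process ID and Handle
# ID. This yields the handle lifetime and attaches the Object Name that 4658
# itself does not carry. Handle values are reused inside a process, so a close
# is matched to the most recent open with the same key.

function Measure-HandleLifetime([hashtable[]]$Records) {
    $open = @{}   # key "ProcessId:HandleId" -> the 4656 record that opened the handle
    foreach ($r in ($Records | Sort-Object { [datetime]$_.TimeCreated })) {
        $key = "$($r.ProcessId):$($r.HandleId)"
        switch ($r.EventID) {
            4656 {
                # Failed requests carry Handle ID 0x0 and never get a 4658.
                if ($r.HandleId -ne '0x0') { $open[$key] = $r }
            }
            4658 {
                $o = $open[$key]
                if ($o) { $open.Remove($key) }
                $obj    = if ($o) { $o.ObjectName } else { '(no matching 4656 in window)' }
                $opened = if ($o) { $o.TimeCreated } else { $null }
                $secs   = if ($o) { ([datetime]$r.TimeCreated - [datetime]$o.TimeCreated).TotalSeconds } else { $null }
                [pscustomobject]@{ Process = $r.ProcessName; HandleId = $r.HandleId; Object = $obj
                                   Opened = $opened; Closed = $r.TimeCreated; Seconds = $secs }
            }
        }
    }
    # Handles opened but not closed inside the window.
    foreach ($o in $open.Values) {
        [pscustomobject]@{ Process = $o.ProcessName; HandleId = $o.HandleId; Object = $o.ObjectName
                           Opened = $o.TimeCreated; Closed = $null; Seconds = $null }
    }
}

# Constructed sample records (see the lead-in for which values are assumptions).
$Samples = @(
    @{ EventID = 4656; TimeCreated = '2015-09-22T00:15:40Z'; ProcessId = '0xef0'; HandleId = '0x18a8'
       ProcessName = 'C:\Windows\explorer.exe'; ObjectName = 'C:\Documents\HBI Data.txt' },
    @{ EventID = 4658; TimeCreated = '2015-09-22T00:15:42Z'; ProcessId = '0xef0'; HandleId = '0x18a8'
       ProcessName = 'C:\Windows\explorer.exe' },
    @{ EventID = 4656; TimeCreated = '2015-09-22T00:16:10Z'; ProcessId = '0xef0'; HandleId = '0x18a8'   # handle value reused
       ProcessName = 'C:\Windows\explorer.exe'; ObjectName = 'C:\Documents\Budget.xlsx' },
    @{ EventID = 4658; TimeCreated = '2015-09-22T00:16:15Z'; ProcessId = '0x458'; HandleId = '0x1bc'
       ProcessName = 'C:\Windows\System32\notepad.exe' }
)
Measure-HandleLifetime $Samples | Format-Table -AutoSize
```

The output shows the first HBI Data.txt handle open for 2 seconds, notepad's close with no open in the window (its 4656 happened before the collected range), and the Budget.xlsx handle still open at the end. Keying on Process ID as well as Handle ID is what keeps the reused 0x18a8 value from being attributed to the wrong file.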
4660(S): An object was deleted.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Kernel Object, and Audit Registry
Event Description:
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
This event generates only if “Delete” auditing is set in the object’s SACL.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that it’s generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4660</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
    <EventRecordID>270188</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="3060" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4367b</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="HandleId">0x1678</Data>
    <Data Name="ProcessId">0xef0</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “delete object”
operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and
include the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that deleted the object. Process ID
(PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this
event with other events that might contain the same Transaction ID, such as “4656(S, F): A handle to an
object was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Security Monitoring Recommendations
For 4660(S): An object was deleted.
This event doesn’t contain the name of the deleted object (only the Handle ID). It is better to use “4663(S): An
attempt was made to access an object.” events with DELETE access to track object deletion actions.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to
parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need
to monitor at the Kernel objects level.
4657(S): A registry value was modified.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Registry
Event Description:
This event generates when a registry key value was modified. It doesn’t generate when a registry key was modified.
This event generates only if “Set Value” auditing is set in the registry key’s SACL.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4657</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12801</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-24T01:28:43.639634100Z" />
    <EventRecordID>744725</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="4824" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x364eb</Data>
    <Data Name="ObjectName">\REGISTRY\MACHINE</Data>
    <Data Name="ObjectValueName">Name_New</Data>
    <Data Name="HandleId">0x54</Data>
    <Data Name="OperationType">%%1905</Data>
    <Data Name="OldValueType">%%1873</Data>
    <Data Name="OldValue" />
    <Data Name="NewValueType">%%1873</Data>
    <Data Name="NewValue">Andrei</Data>
    <Data Name="ProcessId">0xce4</Data>
    <Data Name="ProcessName">C:\Windows\regedit.exe</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “modify registry
value” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Name [Type = UnicodeString]: full path and name of the registry key whose value was modified.
The format is: \REGISTRY\HIVE\PATH where:
HIVE:
HKEY_LOCAL_MACHINE = \REGISTRY\MACHINE
HKEY_CURRENT_USER = \REGISTRY\USER\[USER_SID], where [USER_SID] is the SID of the current user.
HKEY_CLASSES_ROOT = \REGISTRY\MACHINE\SOFTWARE\Classes
HKEY_USERS = \REGISTRY\USER
HKEY_CURRENT_CONFIG = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current
PATH – path to the registry key.
Object Value Name [Type = UnicodeString]: the name of the modified registry key value.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4656: A handle
to an object was requested.” This parameter might not be captured in the event, and in that case appears as
“0x0”.
Operation Type [Type = UnicodeString]: the type of operation performed on the registry key value. The
most common operations are:
New registry value created
Registry value deleted
Existing registry value modified
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the registry key value
was modified. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Change Information:
Old Value Type [Type = UnicodeString]: old type of changed registry key value. Registry key value types:
REG_SZ String
REG_BINARY Binary
Old Value [Type = UnicodeString]: old value for changed registry key value.
New Value Type [Type = UnicodeString]: new type of changed registry key value. See table above for
possible values.
New Value [Type = UnicodeString]: new value for changed registry key value.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”
or “cain.exe”), check for these substrings in “Process Name.”
If Object Name is a sensitive or critical registry key for which you need to monitor any modification of its
values, monitor all 4657 events.
If Object Name has specific values (Object Value Name) and you need to monitor modifications of these
values, monitor for all 4657 events.
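The Handle ID correlation recommended for 4660 and the 4657 and Process Name checks listed above, as an added example that is not part of the Microsoft documentation. Assumptions: the 4663 event (with its DELETE access mask bit 0x10000 and access string %%1537), the registry watchlist and the standard/restricted folder lists are constructed here for illustration; the 4660 and 4657 values are taken from the Event XML on the page.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000  # DELETE bit of a Windows access mask (seen in a 4663 AccessMask)


def event_xml(event_id: int, data: Dict[str, str]) -> str:
    """Build a minimal Security event XML string (constructed sample input)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one event's XML into {field name: value}, plus its EventID."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


SAMPLE_EVENTS = [  # oldest first, as read from the Security log (constructed)
    # 4663 on the same handle and logon session with DELETE access; this is
    # the only event that carries the object name (%%1537 is "DELETE").
    event_xml(4663, {"SubjectUserName": "dadmin", "SubjectLogonId": "0x4367b",
                     "ObjectName": r"C:\Documents\secret.docx",
                     "HandleId": "0x1678", "AccessList": "%%1537",
                     "AccessMask": "0x10000",
                     "ProcessName": r"C:\Windows\explorer.exe"}),
    # 4660 with the values from the page: Handle ID only, no object name
    event_xml(4660, {"SubjectUserName": "dadmin", "SubjectLogonId": "0x4367b",
                     "HandleId": "0x1678", "ProcessId": "0xef0",
                     "ProcessName": r"C:\Windows\explorer.exe"}),
    # 4657 with the values from the page: a value under HKLM set by regedit
    event_xml(4657, {"SubjectUserName": "dadmin", "SubjectLogonId": "0x364eb",
                     "ObjectName": r"\REGISTRY\MACHINE",
                     "ObjectValueName": "Name_New", "OperationType": "%%1905",
                     "NewValue": "Andrei",
                     "ProcessName": r"C:\Windows\regedit.exe"}),
]


def resolve_deletions(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """For each 4660, recover the object name from the latest earlier 4663 on the
    same Handle ID and Logon ID whose AccessMask includes DELETE.
    Returns (handle, object name or placeholder, process name) per 4660."""
    out = []
    for i, ev in enumerate(events):
        if ev["EventID"] != "4660":
            continue
        name = "<unresolved: no 4663 with DELETE on this handle>"
        for prior in events[:i]:
            if (prior["EventID"] == "4663"
                    and prior.get("HandleId") == ev["HandleId"]
                    and prior.get("SubjectLogonId") == ev["SubjectLogonId"]
                    and int(prior.get("AccessMask", "0"), 16) & DELETE):
                name = prior["ObjectName"]
        out.append((ev["HandleId"], name, ev["ProcessName"]))
    return out


# Assumed folder lists; the page names System32/Program Files as standard and
# Temporary Internet Files as restricted, and these two words as examples.
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\", "c:\\program files\\")
RESTRICTED_DIRS = ("\\temporary internet files\\",)
RESTRICTED_WORDS = ("mimikatz", "cain.exe")


def process_name_findings(process_name: str, expected: Optional[str] = None) -> List[str]:
    """The three Process Name checks the page recommends for every audit event."""
    p = process_name.lower()
    findings = []
    if expected and p != expected.lower():
        findings.append(f"process is not the expected {expected}")
    if not p.startswith(STANDARD_DIRS):
        findings.append("process runs from outside a standard folder")
    if any(d in p for d in RESTRICTED_DIRS):
        findings.append("process runs from a restricted folder")
    if any(w in p for w in RESTRICTED_WORDS):
        findings.append("process name contains a restricted word")
    return findings


# Constructed watchlist: whole keys to alert on, and specific (key, value) pairs
WATCHED_KEYS = {r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services"}
WATCHED_VALUES = {(r"\REGISTRY\MACHINE", "Name_New")}


def registry_findings(ev: Dict[str, str]) -> List[str]:
    """4657 checks: watched key, watched value, then the Process Name checks."""
    key, value = ev.get("ObjectName", ""), ev.get("ObjectValueName", "")
    findings = []
    if key in WATCHED_KEYS:
        findings.append(f"watched key {key}: value {value} changed")
    if (key, value) in WATCHED_VALUES:
        findings.append(f"watched value {value} under {key} set to {ev.get('NewValue')!r}")
    return findings + process_name_findings(ev.get("ProcessName", ""))


if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    for handle, name, proc in resolve_deletions(parsed):
        print(f"4660: handle {handle} -> {name} (deleted by {proc})")
    print("4657:", registry_findings(parsed[2]))
```

Without the preceding 4663, the 4660 stays unresolved, which is exactly the limitation the text describes.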
5039(-): A registry key was virtualized.
5/31/2019
Applies to
Windows 10
Windows Server 2016
This event should be generated when a registry key was virtualized using LUAFV.
This event occurs very rarely during standard LUAFV registry key virtualization.
There is no example of this event in this document.
Subcategory: Audit Registry
Event Schema:
A registry key was virtualized.
Subject:
Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4
Object:
Key Name:%5
Virtual Key Name:%6
Process Information:
Process ID:%7
Process Name:%8
4670(S): Permissions on an object were changed.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object’s SACL. For example, for a file system object, it generates only if “Change Permissions” and/or “Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC” and/or “Write Owner” are set in the object’s SACL.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4670</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13570</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
    <EventRecordID>269529</EventRecordID>
    <Correlation />
    <Execution ProcessID="516" ThreadID="524" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x43659</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Documents\netcat-1.11</Data>
    <Data Name="HandleId">0x3f0</Data>
    <Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
    <Data Name="ProcessId">0xdb0</Data>
    <Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
  </EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique
identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
permissions were changed. For example, for a file, the path would be included. For Token objects, this field
typically equals “-“.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4663(S): An
attempt was made to access an object.” This parameter might not be captured in the event, and in that case
appears as “0x0”.
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were
changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language
(SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language
(SDDL) value for the object.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values
in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P" - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
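A parser for the SDDL syntax just described, run over the Original and New Security Descriptor strings from the 4670 Event XML above and over the O:/G:/D:/S: example, so that a 4670 can be reduced to the ACEs that were actually added or removed. This is an added illustration, not code from the Microsoft documentation; the alias table is the subset of well-known SIDs named on the page, and treating grants to WD, AN and BG as the ones worth alerting on is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Descriptors copied from the page's 4670 example (OldSd / NewSd) and its SDDL sample
OLD_SD = ("D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
          "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")
NEW_SD = ("D:ARAI(A;OICI;FA;;;WD)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
          "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
          "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")
EXAMPLE_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
              "(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)")

# Well-known SID aliases the page names (a subset of the full SDDL alias table)
ALIASES = {"WD": "Everyone", "AN": "Anonymous", "SY": "LOCAL_SYSTEM",
           "BA": "BUILTIN_ADMINISTRATORS", "BG": "BUILTIN_GUESTS"}
# Assumption: access-allowed grants to these principals widen access the most
BROAD_PRINCIPALS = {"WD", "AN", "BG"}


@dataclass(frozen=True)
class Ace:
    """One (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)."""
    ace_type: str
    ace_flags: str
    rights: str
    object_guid: str
    inherit_object_guid: str
    account_sid: str


def parse_acl(section: str) -> Tuple[str, List[Ace]]:
    """'ARAI(A;OICI;FA;;;WD)(...)' -> ('ARAI', [Ace, ...])."""
    inheritance_flags = section.split("(", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", section):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unexpected ACE field count: ({body})")
        aces.append(Ace(*fields))
    return inheritance_flags, aces


def parse_sddl(sddl: str) -> Dict[str, object]:
    """Split an SDDL string into its O:, G:, D: and S: components."""
    sd: Dict[str, object] = {"O": "", "G": "", "D": ("", []), "S": ("", [])}
    for part in re.split(r"(?=[OGDS]:)", sddl):  # every part starts with "X:"
        if part:
            kind, body = part[0], part[2:]
            sd[kind] = parse_acl(body) if kind in "DS" else body
    return sd


def describe(ace: Ace) -> str:
    who = ALIASES.get(ace.account_sid, ace.account_sid)
    return f"{ace.ace_type} {ace.rights} -> {who} [{ace.ace_flags}]"


def dacl_changes(old_sddl: str, new_sddl: str) -> Dict[str, object]:
    """What a 4670 actually changed: DACL inheritance flags, ACEs added, ACEs removed."""
    old_flags, old_aces = parse_sddl(old_sddl)["D"]
    new_flags, new_aces = parse_sddl(new_sddl)["D"]
    return {"flags": (old_flags, new_flags),
            "added": [a for a in new_aces if a not in old_aces],
            "removed": [a for a in old_aces if a not in new_aces]}


def broad_grants(added: List[Ace]) -> List[Ace]:
    """Access-allowed ACEs handed to Everyone/Anonymous/Guests in a change."""
    return [a for a in added if a.ace_type == "A" and a.account_sid in BROAD_PRINCIPALS]


if __name__ == "__main__":
    changes = dacl_changes(OLD_SD, NEW_SD)
    print("DACL flags:", changes["flags"])
    for ace in changes["added"]:
        print("added  ", describe(ace))
    for ace in changes["removed"]:
        print("removed", describe(ace))
    for ace in broad_grants(changes["added"]):
        print("ALERT: broad grant", describe(ace))
```

On the page's example the only difference is the new (A;OICI;FA;;;WD) entry, i.e. Full Access for Everyone on C:\Documents\netcat-1.11, plus the AR inheritance flag.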
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on ___domain controllers.
Audit Removable Storage
12/24/2019
Applies to
Windows 10
Windows Server 2016
Audit Removable Storage allows you to audit user attempts to access file system objects on a removable
storage device. A security audit event is generated for all objects and all types of access requested, with no
dependency on object’s SACL.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Events List:
4656(S, F): A handle to an object was requested.
4658(S): The handle to an object was closed.
4663(S): An attempt was made to access an object.
Audit SAM
12/23/2019
Applies to
Windows 10
Windows Server 2016
Audit SAM enables you to audit events that are generated by attempts to access Security Account
Manager (SAM) objects.
The Security Account Manager (SAM) is a database that is present on computers running Windows operating
systems that stores user accounts and security descriptors for users on the local computer.
SAM objects include the following:
SAM_ALIAS: A local group
SAM_GROUP: A group that is not a local group
SAM_USER: A user account
SAM_DOMAIN: A ___domain
SAM_SERVER: A computer account
If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits
record successful attempts, and failure audits record unsuccessful attempts.
Only a SACL for SAM_SERVER can be modified.
Changes to user and group objects are tracked by the Account Management audit category. However, user
accounts with enough privileges could potentially alter the files in which the account and password information
is stored in the system, bypassing any Account Management events.
Event volume: High on ___domain controllers.
For information about reducing the number of events generated in this subcategory, see KB841001.
COMPUTER TYPE | GENERAL SUCCESS | GENERAL FAILURE | STRONGER SUCCESS | STRONGER FAILURE | COMMENTS
Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.
Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.
Events List:
4661(S, F): A handle to an object was requested.
4661(S, F): A handle to an object was requested.
6/6/2019
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit Directory Service Access and Audit SAM
Event Description:
This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.
If access was declined, then a Failure event is generated.
This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4661</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14080</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
    <EventRecordID>1048009</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="528" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
    <Data Name="SubjectUserName">dadmin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="SubjectLogonId">0x4280e</Data>
    <Data Name="ObjectServer">Security Account Manager</Data>
    <Data Name="ObjectType">SAM_DOMAIN</Data>
    <Data Name="ObjectName">DC=contoso,DC=local</Data>
    <Data Name="HandleId">0xdd64d36870</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="AccessList">%%5400</Data>
    <Data Name="AccessMask">0x2d</Data>
    <Data Name="PrivilegeList">Ā</Data>
    <Data Name="Properties">-</Data>
    <Data Name="RestrictedSidCount">2949165</Data>
    <Data Name="ProcessId">0x9000a000d002d</Data>
    <Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data>
  </EventData>
</Event>
Required Server Roles: For an Active Directory object, the ___domain controller role is required. For a SAM object,
there is no required role.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Subject:
Security ID [Type = SID]: SID of account that requested a handle to an object. Event Viewer automatically
tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in
the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that
user from the database and places it in the access token for that user. The system uses the SID in the access
token to identify the user in all subsequent interactions with Windows security. When a SID has been used as
the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For
more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested a handle to an object.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security Account Manager” value for this event.
Object Type [Type = UnicodeString]: the type or class of the object that was accessed. The following list
contains possible values for this field:
SAM_ALIAS - a local group.
SAM_GROUP - a group that is not a local group.
SAM_USER - a user account.
SAM_DOMAIN - a ___domain. For Active Directory events, this is the typical value.
SAM_SERVER - a computer account.
Object Name [Type = UnicodeString]: the name of an object for which access was requested. Depends on
Object Type. This event can have the following format:
SAM_ALIAS – SID of the group.
SAM_GROUP - SID of the group.
SAM_USER - SID of the account.
SAM_DOMAIN – distinguished name of the accessed object.
SAM_SERVER - distinguished name of the accessed object.
Note The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of
relative distinguished names (RDN) connected by commas.
An RDN is an attribute with an associated value in the form attribute=value. These are examples of RDN
attributes:
• DC - domainComponent
• CN - commonName
• OU - organizationalUnitName
• O - organizationName
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate
this event with other events that might contain the same Handle ID, for example, “4662: An operation was
performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that requested the handle. Process ID
(PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a
specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Access Request Information:
Transaction ID [Type = GUID]: unique GUID of the transaction. This field can help you correlate this event
with other events that might contain the same Transaction ID, such as “4660(S): An object was
deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
Accesses [Type = UnicodeString]: the list of access rights which were requested by Subject\Security ID.
These access rights depend on Object Type. See “Table 13. File access codes.” for more information about
file access rights. For information about SAM object access right use https://technet.microsoft.com/ or
other informational resources.
Access Mask [Type = HexInt32]: hexadecimal mask for the operation that was requested or performed.
See “Table 13. File access codes.” for more information about file access rights. For information about SAM
object access right use https://technet.microsoft.com/ or other informational resources.
Privileges Used for Access Check [Type = UnicodeString]: the list of user privileges which were used
during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event,
and in that case appears as “-”. See full list of user privileges in the table below:
PRIVILEGE NAME (USER RIGHT GROUP POLICY NAME): DESCRIPTION
SeAuditPrivilege (Generate security audits): With this privilege, the user can add entries to the security log.
SeCreatePagefilePrivilege (Create a pagefile): With this privilege, the user can create and change the size of a pagefile.
SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation): Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the "Account cannot be delegated" account control flag set.
SeImpersonatePrivilege (Impersonate a client after authentication): With this privilege, the user can impersonate other accounts.
SeIncreaseQuotaPrivilege (Adjust memory quotas for a process): Required to increase the quota assigned to a process. With this privilege, the user can change the maximum memory that can be consumed by a process.
SeIncreaseWorkingSetPrivilege (Increase a process working set): Required to allocate more memory for applications that run in the context of users.
SeLoadDriverPrivilege (Load and unload device drivers): Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers.
SeMachineAccountPrivilege (Add workstations to ___domain): With this privilege, the user can create a computer account. This privilege is valid only on ___domain controllers.
SeRemoteShutdownPrivilege (Force shutdown from a remote system): Required to shut down a system using a network request.
SeShutdownPrivilege (Shut down the system): Required to shut down a local system.
SeSyncAgentPrivilege (Synchronize directory service data): This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on ___domain controllers. With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization.
SeSystemtimePrivilege (Change the system time): Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
SeTakeOwnershipPrivilege (Take ownership of files or other objects): Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilege (Act as part of the operating system): This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
SeTimeZonePrivilege (Change the time zone): Required to adjust the time zone associated with the computer's internal clock.
Properties [Type = UnicodeString]: depends on Object Type. This field can be empty or contain the list of
the object properties that were accessed. See more detailed information in “4661: A handle to an object
was requested” from Audit SAM subcategory.
Restricted SID Count [Type = UInt32]: Number of restricted SIDs in the token. Applicable to only specific
Object Types.
Security Monitoring Recommendations
For 4661(S, F): A handle to an object was requested.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
You can get almost the same information from “4662: An operation was performed on an object.” There are no
additional recommendations for this event in this document.
Audit Central Access Policy Staging
12/20/2019
Applies to
Windows 10
Windows Server 2016
Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a
proposed policy differs from the current central access policy on an object.
If you configure this policy setting, an audit event is generated each time a user accesses an object and the
permission granted by the current central access policy on the object differs from that granted by the proposed
policy. The resulting audit event is generated as follows:
Success audits, when configured, record access attempts when the current central access policy grants
access, but the proposed policy denies access.
Failure audits, when configured, record access attempts when:
The current central access policy does not grant access, but the proposed policy grants access.
A principal requests the maximum access rights they are allowed and the access rights granted by
the current central access policy are different than the access rights granted by the proposed policy.
[Audit recommendation table: Computer Type / General Success / General Failure / Stronger Success / Stronger Failure / Comments; rows not present in this copy]
Events List:
4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4818</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12813</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T16:37:29.473472100Z" />
<EventRecordID>1049324</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="SubjectUserName">Auditor</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x1e5f21</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Finance Documents\\desktop.ini</Data>
<Data Name="HandleId">0xc64</Data>
<Data Name="ProcessId">0x4</Data>
<Data Name="ProcessName" />
<Data Name="AccessReason">%%1538: %%1801 D:(A;ID;0x1200a9;;;BU) %%1541: %%1801 D:(A;ID;0x1200a9;;;BU) %%4416: %%1801 D:(A;ID;0x1200a9;;;BU) %%4419: %%1801 D:(A;ID;0x1200a9;;;BU) %%4423: %%1801 D:(A;ID;0x1200a9;;;BU)</Data>
<Data Name="StagingReason">%%1538: %%1814Finance Documents Rule %%1541: %%1814Finance Documents Rule %%4416: %%1814Finance Documents Rule %%4419: %%1814Finance Documents Rule %%4423: %%1814Finance Documents Rule</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an access request.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation. Always
“File” for this event.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: full path and name of the file or folder for which access was
requested.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, "4663(S): An
attempt was made to access an object." This parameter might not be captured in the event, and in that case
appears as "0x0".
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the access was
requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Current Central Access Policy results:
Access Reasons [Type = UnicodeString]: the list of access check results for the current Central Access Policy, one entry per requested access right. The format of each entry is:
REQUESTED_ACCESS: RESULT ACE_WHICH_PROVIDED_OR_DENIED_ACCESS
In the raw Event XML the requested access and the result appear as message-table placeholders (for example "%%1538: %%1801 D:(A;ID;0x1200a9;;;BU)"); Event Viewer resolves them to the names shown below.
REQUESTED_ACCESS: the name of the requested access. The table below shows the file access codes that appear in this field (see "Table 13. File access codes." for the complete list):
ACCESS (HEXADECIMAL VALUE): DESCRIPTION
ReadData (or ListDirectory) (0x1): ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) (0x2): WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
RESULT:
Granted by
Denied by
Granted by ACE on parent folder
Not granted due to missing – after this phrase you will typically see the missing user right, for example SeSecurityPrivilege.
Unknown or unchecked
ACE_WHICH_PROVIDED_OR_DENIED_ACCESS:
Ownership – if access was granted because of ownership of the object.
User right name, for example SeSecurityPrivilege.
The Security Descriptor Definition Language (SDDL) value for the Access Control Entry (ACE) that granted or denied access.
Proposed Central Access Policy results that differ from the current Central Access Policy results:
Access Reasons [Type = UnicodeString]: the list of access check results for the proposed Central Access Policy. Only requests that the proposed policy denies are listed here. Each entry names the requested access (the same access codes as in the table above) followed by the rule that denied it; in the Event XML above this appears as "%%1538: %%1814Finance Documents Rule", where %%1538 is the requested-access placeholder and the text following the result placeholder is the rule name.
RULE_NAME: the name of the Central Access Rule which denied the access.
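As an added example (not from the page and not Microsoft's code), the following Python parses the Access Reasons and Staging Reason strings exactly as they appear in the EventData above into one entry per requested access, and decodes the hexadecimal access mask carried in each ACE using the standard rights bits and the file access codes table, which is the same mask layout the Access Mask field of 4661 uses for file objects. The %%NNNN placeholders are kept as opaque tokens, because mapping them to text needs the provider's message table, which Event Viewer applies for you; the rights tables and the two constructed input strings are the example's own.

```python
"""Decode the Access Reasons / Staging Reason fields of 4818 and a file-object access mask."""
import re

# Each entry: "%%<requested>: %%<result> <ACE or rule name>". The %%NNNN tokens are
# message-table placeholders that Event Viewer resolves to text such as
# "ReadData (or ListDirectory)" or "Granted by"; this parser keeps them opaque.
SEGMENT_RE = re.compile(r"(%%\d+):\s*(%%\d+)(.*?)(?=\s*%%\d+:|$)")
# Rights field of an SDDL ACE: (ace_type;ace_flags;rights;...)
ACE_RIGHTS_RE = re.compile(r"\([^;)]*;[^;)]*;([^;)]*);")

# Generic and standard rights occupy the high 16 bits of every access mask.
GENERIC_RIGHTS = {
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
    0x01000000: "ACCESS_SYSTEM_SECURITY", 0x02000000: "MAXIMUM_ALLOWED",
}
STANDARD_RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
# Object-specific bits for file and directory objects (the file access codes table).
FILE_RIGHTS = {
    0x0001: "ReadData (or ListDirectory)", 0x0002: "WriteData (or AddFile)",
    0x0004: "AppendData (or AddSubdirectory)", 0x0008: "ReadEA", 0x0010: "WriteEA",
    0x0020: "Execute (or Traverse)", 0x0040: "DeleteChild",
    0x0080: "ReadAttributes", 0x0100: "WriteAttributes",
}


def decode_mask(mask):
    """Return the names of the bits set in a file-object access mask, low bits last."""
    names = []
    for table in (GENERIC_RIGHTS, STANDARD_RIGHTS, FILE_RIGHTS):
        for bit, name in sorted(table.items()):
            if mask & bit:
                names.append(name)
                mask &= ~bit
    if mask:  # anything left over is not a file right
        names.append("unknown(0x%x)" % mask)
    return names


def parse_reasons(text):
    """Split an Access Reasons or Staging Reason string into one dict per requested access."""
    entries = []
    for requested, result, detail in SEGMENT_RE.findall(text):
        entry = {"requested": requested, "result": result, "detail": detail.strip()}
        m = ACE_RIGHTS_RE.search(entry["detail"])
        if m and m.group(1).lower().startswith("0x"):
            entry["rights"] = decode_mask(int(m.group(1), 16))
        entries.append(entry)
    return entries


# Constructed inputs: the AccessReason and StagingReason values from the 4818 example
# above, with the line wrapping removed.
ACCESS_REASON = ("%%1538: %%1801 D:(A;ID;0x1200a9;;;BU) %%1541: %%1801 D:(A;ID;0x1200a9;;;BU) "
                 "%%4416: %%1801 D:(A;ID;0x1200a9;;;BU) %%4419: %%1801 D:(A;ID;0x1200a9;;;BU) "
                 "%%4423: %%1801 D:(A;ID;0x1200a9;;;BU)")
STAGING_REASON = ("%%1538: %%1814Finance Documents Rule %%1541: %%1814Finance Documents Rule "
                  "%%4416: %%1814Finance Documents Rule %%4419: %%1814Finance Documents Rule "
                  "%%4423: %%1814Finance Documents Rule")

if __name__ == "__main__":
    for e in parse_reasons(ACCESS_REASON):
        print(e["requested"], e["result"], e["detail"], e.get("rights", ""))
    for e in parse_reasons(STAGING_REASON):
        print(e["requested"], e["result"], "denied by rule:", e["detail"])
```

For the 0x1200a9 mask in the example the decoder returns READ_CONTROL, SYNCHRONIZE, ReadData, ReadEA, Execute and ReadAttributes, which is the "Read & execute" preset that the inherited BU (Users) ACE carries; the five staging entries show that every one of those requested rights would be denied by the "Finance Documents Rule" if the proposed policy were enforced.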
Audit Audit Policy Change
Applies to
Windows 10
Windows Server 2016
Audit Audit Policy Change determines whether the operating system generates audit events when changes are
made to audit policy.
Event volume: Low.
[Audit recommendation table: Computer Type / General Success / General Failure / Stronger Success / Stronger Failure / Comments; rows not present in this copy]
Note SACL change auditing is performed when a SACL for an object has changed and the Policy Change
category is configured. Discretionary access control list (DACL) and owner change auditing are performed
when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner
change.
4670(S): Permissions on an object were changed.
Applies to
Windows 10
Windows Server 2016
Subcategories: Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change
Event Description:
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the SACL (auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the object's SACL. For example, for a file system object, it generates only if "Change Permissions" and/or "Take Ownership" are set in the object's SACL. For a registry key, it generates only if "Write DAC" and/or "Write Owner" are set in the object's SACL.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4670</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
<EventRecordID>269529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\netcat-1.11</Data>
<Data Name="HandleId">0x3f0</Data>
<Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="ProcessId">0xdb0</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the “change object’s
permissions” operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: name and other identifying information for the object for which
permissions were changed. For example, for a file, the path would be included. For Token objects, this field
typically equals “-“.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, "4663(S): An
attempt was made to access an object." This parameter might not be captured in the event, and in that case
appears as "0x0".
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the permissions were
changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Permissions Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the object.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of a specific security principal, or a reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED: inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED: inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ: child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE does not apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT (used in SACL audit entries)
"FA" - FAILED ACCESS AUDIT (used in SACL audit entries)
rights: a hexadecimal access mask, or a concatenation of two-letter reserved values, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.; DCLCRPCRSDWDWO in the example above is such a concatenation. Note that FA in the ace_flags position means failed-access audit, while FA in the rights position means File All Access; the position within the entry tells them apart.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of a specific security principal, or a reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx, https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with
“Process Name” not equal to your defined value.
You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or
Program Files) or is in a restricted folder (for example, Temporary Internet Files).
If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or
“cain.exe”), check for these substrings in “Process Name.”
If you have critical registry objects for which you need to monitor all modifications (especially permissions
changes and owner changes), monitor for the specific Object\Object Name.
If you have high-value computers for which you need to monitor all changes for all or specific objects (for
example, file system or registry objects), monitor for all 4670 events on these computers. For example, you
could monitor the ntds.dit file on ___domain controllers.
4715(S): The audit policy (SACL) on an object was changed.
8/10/2019
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4715</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T19:59:39.964601800Z" />
<EventRecordID>1049425</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4668" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x11ae30</Data>
<Data Name="OldSd">D:(A;;DCSWRPDTRC;;;BA)(D;;DCSWRPDTRC;;;SY)S:NO_ACCESS_CONTROL</Data>
<Data Name="NewSd">D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)S:NO_ACCESS_CONTROL</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that requested the "change local audit policy security descriptor (SACL)" operation.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Audit Policy Change:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language (SDDL) value for the audit policy.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language (SDDL) value for the audit policy.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of a specific security principal, or a reserved (pre-defined) value, for example: BA (BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
"D" - DACL
"S" - SACL
inheritance_flags:
"P" - SDDL_PROTECTED: inheritance from containers that are higher in the folder hierarchy is blocked.
"AI" - SDDL_AUTO_INHERITED: inheritance is allowed, assuming that "P" is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ: child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"AL" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ACE.
"IO" - INHERITANCE ONLY: the ACE does not apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT (used in SACL audit entries)
"FA" - FAILED ACCESS AUDIT (used in SACL audit entries)
rights: a hexadecimal access mask, or a concatenation of two-letter reserved values, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.; DCSWRPDTRC in the event above and DCLCRPCRSDWDWO in the example are such concatenations. Note that FA in the ace_flags position means failed-access audit, while FA in the rights position means File All Access; the position within the entry tells them apart.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of a specific security principal, or a reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx, https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
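The following is an added example, not Microsoft's code and not part of the original page, that puts the SDDL grammar described for 4670 and 4715 to work: it parses the Original and New Security Descriptor strings into their O:, G:, D: and S: components and individual ACEs, diffs the DACL, and flags allow ACEs that hand write or full-control rights to a broad trustee. The inputs are the OldSd/NewSd values from the 4670 and 4715 events above; the BROAD_TRUSTEES and WRITE_RIGHTS alias sets are the example's own choice of what counts as risky and are not part of the event format.

```python
"""Parse SDDL from 4670/4715 OldSd and NewSd fields and report what changed."""
import re
from dataclasses import dataclass

# One ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")
# Top-level components: O: owner, G: primary group, D: DACL, S: SACL
COMPONENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")

# Trustee aliases that stand for a large, unprivileged population (example's choice).
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
                  "AN": "Anonymous", "IU": "Interactive", "BG": "Guests", "DU": "Domain Users"}
# Rights aliases that allow modifying the object or its security (example's choice).
WRITE_RIGHTS = {"GA", "GW", "FA", "FW", "KA", "KW", "WD", "WO"}


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A, D, AU, AL, OA, OD, OU, OL
    flags: str         # CI, OI, NP, IO, ID, SA, FA, concatenated
    rights: str        # alias string such as FA or DCSWRPDTRC, or a hex mask such as 0x1200a9
    object_guid: str
    inherit_guid: str
    trustee: str       # SID string or alias such as WD, BA, SY

    def __str__(self):
        return "(%s;%s;%s;%s;%s;%s)" % (self.ace_type, self.flags, self.rights,
                                         self.object_guid, self.inherit_guid, self.trustee)


def parse_acl(text):
    """'ARAI(A;OICI;FA;;;WD)(...)' -> ('ARAI', [Ace, ...]); 'NO_ACCESS_CONTROL' -> (that, [])."""
    control_flags = text.split("(", 1)[0]
    return control_flags, [Ace(*m.groups()) for m in ACE_RE.finditer(text)]


def parse_sddl(sddl):
    """Split a security descriptor string into owner, group, DACL and SACL."""
    sd = {"owner": "", "group": "", "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    for key, body in COMPONENT_RE.findall(sddl):
        if key == "O":
            sd["owner"] = body
        elif key == "G":
            sd["group"] = body
        elif key == "D":
            sd["dacl_flags"], sd["dacl"] = parse_acl(body)
        else:
            sd["sacl_flags"], sd["sacl"] = parse_acl(body)
    return sd


def rights_tokens(rights):
    """Split 'DCSWRPDTRC' into two-letter aliases; a hex mask is returned as one token."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def diff_dacl(old_sddl, new_sddl):
    """Return (added, removed) ACEs between the Original and New Security Descriptor."""
    old, new = parse_sddl(old_sddl)["dacl"], parse_sddl(new_sddl)["dacl"]
    return [a for a in new if a not in old], [a for a in old if a not in new]


def risky_grants(aces):
    """Allow ACEs that give write or full-control rights to a broad trustee."""
    return [a for a in aces
            if a.ace_type == "A" and a.trustee in BROAD_TRUSTEES
            and set(rights_tokens(a.rights)) & WRITE_RIGHTS]


# Constructed inputs: the OldSd/NewSd values from the 4670 and 4715 examples above.
OLD_4670 = ("D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
            "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
            "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")
NEW_4670 = ("D:ARAI(A;OICI;FA;;;WD)"
            "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)"
            "(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)"
            "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)")
OLD_4715 = "D:(A;;DCSWRPDTRC;;;BA)(D;;DCSWRPDTRC;;;SY)S:NO_ACCESS_CONTROL"
NEW_4715 = "D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)S:NO_ACCESS_CONTROL"


def report(label, old_sddl, new_sddl):
    added, removed = diff_dacl(old_sddl, new_sddl)
    print(f"{label}: +{len(added)} -{len(removed)} ACEs")
    for ace in added:
        print("  added   ", ace)
    for ace in removed:
        print("  removed ", ace)
    for ace in risky_grants(added):
        print(f"  ALERT: {BROAD_TRUSTEES[ace.trustee]} granted {ace.rights}")


if __name__ == "__main__":
    report("4670 C:\\Documents\\netcat-1.11", OLD_4670, NEW_4670)
    report("4715 audit policy SACL", OLD_4715, NEW_4715)
```

Run on the 4670 event it reports one added ACE, (A;OICI;FA;;;WD), and raises an alert because Everyone was granted File All Access on the netcat folder; the DACL control flags also change from AI to ARAI, which parse_sddl exposes as dacl_flags. On the 4715 event it reports that the SY entry changed from deny to allow, with no broad-trustee finding. When wiring this into a detection, also compare the sacl and sacl_flags components, since a DACL-only diff will not notice that auditing was weakened.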
4719(S): System audit policy was changed.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates when the computer's audit policy changes.
This event is always logged regardless of the "Audit Policy Change" subcategory setting.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4719</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T19:57:09.668217100Z" />
<EventRecordID>1049418</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="4668" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="CategoryId">%%8274</Data>
<Data Name="SubcategoryId">%%12807</Data>
<Data Name="SubcategoryGuid">{0CCE9223-69AE-11D9-BED3-505054503030}</Data>
<Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to local audit policy.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Audit Policy Change:
Category: the name of the auditing category whose subcategory was changed. Possible values:
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Subcategory: the name of the auditing subcategory that was changed. Possible values include:
Credential Validation
Kerberos Service Ticket Operations
User Account Management
Other Object Access Events
Authorization Policy Change
Group Membership
Process Termination
Detailed Directory Service Replication
IPsec Quick Mode
Filtering Platform Policy Change
Other Privilege Use Events
Network Policy Server
Special Logon
Filtering Platform Packet Drop
IPsec Driver
Plug and Play Events
Subcategory GUID: the unique subcategory GUID. To see Subcategory GUIDs you can use this command:
auditpol /list /subcategory:* /v.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
4817(S): Auditing settings on object were changed.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates when the Global Object Access Auditing policy is changed on a computer.
Separate events will be generated for "Registry" and "File system" policy changes.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4817</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-10T01:26:33.191368500Z" />
<EventRecordID>1192270</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3048" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="ObjectServer">LSA</Data>
<Data Name="ObjectType">Global SACL</Data>
<Data Name="ObjectName">Key</Data>
<Data Name="OldSd" />
<Data Name="NewSd">S:(AU;SA;RC;;;S-1-5-21-3457937927-2839227994-823803824-1104)</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to Global Object
Access Auditing policy.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “LSA” value for this event.
Object Type [Type = UnicodeString]: The type of an object to which this event applies. Always “Global
SACL” for this event.
The following table contains the list of the most common Object Types:
Object Name:
Key – if “Registry” Global Object Access Auditing policy was changed.
File – if “File system” Global Object Access Auditing policy was changed.
Auditing Settings:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language
(SDDL) value for the Global Object Access Auditing policy. Empty if the Global Object Access Auditing policy
SACL was not set.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language
(SDDL) value for the Global Object Access Auditing policy.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values
in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P” - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"A" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates during system startup if a Per-user audit policy is defined on the computer.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4902</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:05:25.814466500Z" />
<EventRecordID>1049490</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="556" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="PuaCount">1</Data>
<Data Name="PuaPolicyId">0x703e</Data>
</EventData>
</Event>
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time the CrashOnAuditFail audit flag value is modified.
This event is always logged regardless of the "Audit Policy Change" subcategory setting.
More information about the CrashOnAuditFail flag can be found here.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4906</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:45:07.048458800Z" />
<EventRecordID>1049529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="CrashOnAuditFailValue">1</Data>
</EventData>
</Event>
Applies to
Windows 10
Windows Server 2016
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4907</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T18:18:19.458828800Z" />
<EventRecordID>1049732</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x138eb0</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">Key</Data>
<Data Name="ObjectName">\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\EventLog\\Internet
Explorer</Data>
<Data Name="HandleId">0x2f8</Data>
<Data Name="OldSd">S:AI</Data>
<Data Name="NewSd">S:ARAI(AU;CISA;KA;;;S-1-5-21-3457937927-2839227994-823803824-1104)</Data>
<Data Name="ProcessId">0x120c</Data>
<Data Name="ProcessName">C:\\Windows\\regedit.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to object’s auditing
settings.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Object:
Object Server [Type = UnicodeString]: has “Security” value for this event.
Object Type [Type = UnicodeString]: The type of an object that was accessed during the operation.
The following table contains the list of the most common Object Types:
Object Name [Type = UnicodeString]: full path and name of the object for which the SACL was modified.
Depends on Object Type. Here are some examples:
The format for Object Type = “Key” is: \REGISTRY\HIVE\PATH where:
HIVE:
HKEY_LOCAL_MACHINE = \REGISTRY\MACHINE
HKEY_CURRENT_USER = \REGISTRY\USER\[USER_SID ], where [USER_SID ] is the
SID of current user.
HKEY_CLASSES_ROOT = \REGISTRY\MACHINE\SOFTWARE\Classes
HKEY_USERS = \REGISTRY\USER
HKEY_CURRENT_CONFIG =
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current
PATH – path to the registry key.
The format for Object Type = “File” is: full path and name of the file or folder for which SACL was
modified.
Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you
correlate this event with other events that might contain the same Handle ID, for example, “4656: A handle
to an object was requested.” for registry keys, or with the Handle ID field in “4656(S, F): A handle to an
object was requested.” for file system objects. This parameter might not be captured in the event, and
in that case appears as “0x0”.
Process Information:
Process ID [Type = Pointer]: hexadecimal Process ID of the process through which the object’s SACL was
changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process.
To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Auditing Settings:
Original Security Descriptor [Type = UnicodeString]: the old Security Descriptor Definition Language
(SDDL) value for the object.
New Security Descriptor [Type = UnicodeString]: the new Security Descriptor Definition Language
(SDDL) value for the object.
Note The Security Descriptor Definition Language (SDDL) defines string elements for enumerating
information contained in the security descriptor.
Example:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
O: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA
(BUILTIN_ADMINISTRATORS), WD (Everyone), SY (LOCAL_SYSTEM), etc. See the list of possible values
in the table below:
G: = Primary Group.
D: = DACL Entries.
S: = SACL Entries.
DACL/SACL entry format:
entry_type:inheritance_flags(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
Example: D:(A;;FA;;;WD)
entry_type:
“D” - DACL
“S” - SACL
inheritance_flags:
"P” - SDDL_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
"AR" - SDDL_AUTO_INHERIT_REQ, Child objects inherit permissions from this object.
ace_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"A" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
ace_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit
ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access),
FX (File Execute), FW (File Write), etc.
object_guid: N/A
inherit_object_guid: N/A
account_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone),
SY (LOCAL_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: https://msdn.microsoft.com/library/cc230374.aspx,
https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx.
Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.
If you need to monitor events related to specific Windows object types (“Object Type”), for example File or
Key, monitor this event for the corresponding “Object Type.”
If you need to monitor all SACL changes for specific files, folders, registry keys, or other object types,
monitor for “Object Name” field value which has specific object name.
If you have critical file or registry objects and you need to monitor all modifications (especially changes in
SACL), monitor for specific “Object\Object Name”.
If you have high-value computers for which you need to monitor all changes for all or specific file or registry
objects, monitor for all 4907 events on these computers.
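The SDDL entry format described above for 4817 and 4907, and the monitoring recommendations for 4907, can be put to work in a small parser. The following Python is an added example, not Microsoft's code and not part of this reference: it splits an SDDL string into owner, group, DACL and SACL, breaks each ACL into its (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid) entries, and for a 4817 or 4907 event reports which audit ACEs were added or removed and whether the object is on a critical list. The critical-object baseline is an assumption, and the sample event is constructed from the 4907 XML on this page, trimmed to the fields the code reads. An empty Original Security Descriptor (the "SACL was not set" case of 4817) is handled as an ACL with no entries.

```python
"""Decode the SDDL carried in 4817 / 4907 events and report which audit (SACL)
entries were added or removed. Added example, not Microsoft code; the
critical-object baseline and the sample event are constructed from the XML
shown on the page."""
import xml.etree.ElementTree as ET
from typing import NamedTuple

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed baseline: objects whose SACL must never change outside a change window.
CRITICAL_OBJECTS = {
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Internet Explorer",
}


class Ace(NamedTuple):
    """One (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid) entry."""
    ace_type: str
    ace_flags: str
    rights: str
    object_guid: str
    inherit_object_guid: str
    account_sid: str


def split_sections(sddl):
    """Split 'O:..G:..D:..S:..' into its sections. A marker is only recognised
    outside parentheses, so text inside an ACE can never be mistaken for one."""
    sections, current, depth, buf, i = {}, None, 0, [], 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if current is not None:
                sections[current] = "".join(buf)
            current, buf, i = ch, [], i + 2
            continue
        depth += {"(": 1, ")": -1}.get(ch, 0)
        buf.append(ch)
        i += 1
    if current is not None:
        sections[current] = "".join(buf)
    return sections


def parse_acl(body):
    """Return (inheritance_flags, [Ace, ...]) for a DACL/SACL body such as
    'ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)'. An empty body (no SACL set) gives ("", [])."""
    flags = body.split("(", 1)[0]
    aces = []
    for chunk in body.split("(")[1:]:
        fields = chunk.rstrip(")").split(";")
        aces.append(Ace(*(fields + [""] * 6)[:6]))  # pad short entries to six fields
    return flags, aces


def parse_sddl(sddl):
    s = split_sections(sddl or "")
    return {"owner": s.get("O", ""), "group": s.get("G", ""),
            "dacl": parse_acl(s.get("D", "")), "sacl": parse_acl(s.get("S", ""))}


def event_fields(xml_text):
    """Flatten the <EventData><Data Name=...> elements plus EventID into a dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=EVENT_NS)
    return fields


def review_sacl_change(xml_text, critical=CRITICAL_OBJECTS):
    """For a 4817 (global SACL) or 4907 (per-object SACL) event return who
    changed what, the added/removed audit ACEs, and whether it needs attention."""
    f = event_fields(xml_text)
    if f["EventID"] not in ("4817", "4907"):
        return None
    old = set(parse_sddl(f.get("OldSd"))["sacl"][1])
    new = set(parse_sddl(f.get("NewSd"))["sacl"][1])
    return {
        "event_id": f["EventID"],
        "subject": f"{f['SubjectDomainName']}\\{f['SubjectUserName']}",
        "object_type": f["ObjectType"],
        "object_name": f["ObjectName"],
        "process": f.get("ProcessName", ""),  # 4817 carries no process fields
        # A global SACL change (4817) affects every key or file, so it always counts.
        "critical": f["EventID"] == "4817" or f["ObjectName"] in critical,
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


# Constructed from the 4907 event XML on the page, trimmed to the fields used.
SAMPLE_4907 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4907</EventID></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">Key</Data>
<Data Name="ObjectName">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Internet Explorer</Data>
<Data Name="OldSd">S:AI</Data>
<Data Name="NewSd">S:ARAI(AU;CISA;KA;;;S-1-5-21-3457937927-2839227994-823803824-1104)</Data>
<Data Name="ProcessName">C:\Windows\regedit.exe</Data>
</EventData></Event>"""

if __name__ == "__main__":
    for key, value in review_sacl_change(SAMPLE_4907).items():
        print(f"{key}: {value}")
```

Comparing the SACL entries as sets (rather than comparing the raw strings) means a reordering of ACEs does not raise an alert, while a new audit entry, a removed one, or a change in the audited rights does; the inheritance flags (the "AI" to "ARAI" change in the sample) are available separately from parse_sddl if they matter for a given object.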
4908(S): Special Groups Logon table modified.
5/31/2019
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time the Special Groups logon table is modified.
This event also generates during system startup.
This event is always logged regardless of the "Audit Policy Change" subcategory setting.
More information about Special Groups auditing can be found here:
http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx
https://support.microsoft.com/kb/947223
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4908</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:20:40.210246600Z" />
<EventRecordID>1049511</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="532" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data>
</EventData>
</Event>
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions: 0.
Field Descriptions:
Special Groups [Type = UnicodeString]: contains current list of SIDs (groups or accounts) which are members of
Special Groups. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be
resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
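Because 4908 is logged at every startup as well as on every change, the useful check is whether the list it carries still matches the list the organisation intended to configure. The following Python is an added example (not Microsoft's code and not part of this reference): it pulls the SIDs out of the SidList field and reports which were added to or dropped from an expected baseline. The baseline SID and the second sample event are constructed; the page shows one SID as %{SID}, and the assumption here is that several entries are packed the same way one after another.

```python
"""Compare the Special Groups list reported by a 4908 event with an intended
baseline. Added example, not Microsoft code; the baseline and the drifted
sample event are constructed from the XML shown on the page."""
import re
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed baseline: only the RID 512 group of the page's example ___domain is
# meant to be in the Special Groups list.
BASELINE_SPECIAL_GROUPS = {"S-1-5-21-3457937927-2839227994-823803824-512"}

# Assumption: every SID in SidList is wrapped as %{SID}, and several entries
# are concatenated, so a regex pulls them out regardless of separators.
SID_RE = re.compile(r"%\{(S-1-[0-9-]+)\}")


def special_groups(xml_text):
    """Return the set of SIDs carried by a 4908 event, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVENT_NS) != "4908":
        return None
    sid_list = root.findtext("e:EventData/e:Data[@Name='SidList']",
                             default="", namespaces=EVENT_NS)
    return set(SID_RE.findall(sid_list))


def check_special_groups(xml_text, baseline=BASELINE_SPECIAL_GROUPS):
    """Return (added, removed) relative to the baseline. Both lists empty means
    the event (for example the one logged at startup) needs no action."""
    current = special_groups(xml_text)
    if current is None:
        return None
    return sorted(current - baseline), sorted(baseline - current)


# Constructed from the 4908 XML on the page, trimmed to the fields used.
SAMPLE_4908 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4908</EventID></System>
<EventData><Data Name="SidList">%{S-1-5-21-3457937927-2839227994-823803824-512}</Data></EventData>
</Event>"""

# Constructed drift case: the page's dadmin SID (RID 1104) has been appended.
SAMPLE_4908_DRIFT = SAMPLE_4908.replace(
    "-512}", "-512}%{S-1-5-21-3457937927-2839227994-823803824-1104}")

if __name__ == "__main__":
    print("baseline event:", check_special_groups(SAMPLE_4908))
    print("drifted event: ", check_special_groups(SAMPLE_4908_DRIFT))
```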
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time the Per User Audit Policy is changed.
This event is always logged regardless of the "Audit Policy Change" subcategory setting.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4912</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T23:43:07.363195100Z" />
<EventRecordID>1049452</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1660" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x11ae30</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-2104</Data>
<Data Name="CategoryId">%%8276</Data>
<Data Name="SubcategoryId">%%13312</Data>
<Data Name="SubcategoryGuid">{0CCE922B-69AE-11D9-BED3-505054503030}</Data>
<Data Name="AuditPolicyChanges">%%8452</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made a change to per-user audit
policy.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Policy For Account:
Security ID [Type = SID]: SID of account for which the Per User Audit Policy was changed. Event Viewer
automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the
source data in the event.
Policy Change Details:
Category [Type = UnicodeString]: the name of the auditing category whose subcategory state was changed.
Possible values are:
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Subcategory [Type = UnicodeString]: the name of the auditing subcategory whose state was changed. Possible
values:
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Logon/Logoff Events
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Audit Other Object Access Events
Audit Registry
Audit SAM
Audit Policy Change
Audit Authentication Policy Change
Audit Process Termination
Audit RPC Events
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Account Lockout
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Audit Non-Sensitive Privilege Use
Audit Sensitive Privilege Use
Audit Special Logon
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Audit PNP Activity
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify
resources, activities or instances.
To see a subcategory’s GUID, you can use the following command: “auditpol /list /subcategory:* /v”:
Changes [Type = UnicodeString]: changes which were made for the subcategory. Possible values are:
Success include removed
Success include added
Failure include removed
Failure include added
Success exclude removed
Success exclude added
Failure exclude removed
Failure exclude added
Applies to
Windows 10
Windows Server 2016
Subcategory: Audit Policy Change
Event Description:
This event generates every time a new security event source is registered.
You can typically see this event during system startup, if specific roles (Internet Information Services, for
example) are installed in the system.
Event XML:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4904</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-01T00:53:01.030688000Z" />
<EventRecordID>1049538</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="AuditSourceName">FSRM Audit</Data>
<Data Name="EventSourceId">0x1cc4e</Data>
<Data Name="ProcessId">0x688</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
</EventData>
</Event>
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security
principal). Each account has a unique SID that is issued by an authority, such as an Active Directory ___domain
controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user
from the database and places it in the access token for that user. The system uses the SID in the access token to
identify the user in all subsequent interactions with Windows security. When a SID has been used as the
unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more
information about SIDs, see Security identifiers.
Account Name [Type = UnicodeString]: the name of the account that made an attempt to register a
security event source.
Account Domain [Type = UnicodeString]: subject’s ___domain or computer name. Formats vary, and include
the following:
Domain NETBIOS name example: CONTOSO
Lowercase full ___domain name: contoso.local
Uppercase full ___domain name: CONTOSO.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the
value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account
belongs to, for example: “Win81”.
Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events
that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Process:
Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted to register the security
event source. Process ID (PID) is a number used by the operating system to uniquely identify an active
process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID
column):
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process
has been created” Process Information\New Process ID.
Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Event Source:
Source Name [Type = UnicodeString]: the name of